Hi Martin,
Whether it's "formally provable technical nonsense" or otherwise, and regardless of what you think NIST might have intended to mean (even though they specifically call out TLS v1.0 as being unsuitable and forbidden for intragovernmental communication), if we end up in court following a security breach and loss of cardholder data, our only defense is whether or not we followed the rules set down by the PCI SSC. We will follow the rules as set down by the PCI SSC, and their interpretation of them, as that's the only responsible course of action a business can take.
For this reason, and owing to the absence of (even if it were disabled-by-default) TLS_FALLBACK_SCSV support, we've had to disable TLS v1.0 and have had a few problems with clients not supporting modern TLS versions. Fortunately, they've been quite responsive, with the exception of a certain bank still running Windows NT 3.1 to provide merchant services.
Rob
