Hi Martin,
I'm not alleging it. The PCI SSC are alleging it. That's not up to me. Feel free to take it up with them if you like:
Clients which provide cardholder data to service providers do not themselves need to be PCI-DSS compliant. We know that we have a wide variety of browsers using our services as clients and we need to ensure that the credit card data we capture is transmitted securely and according to the PCI-DSS specifications. It is incumbent on us to make that process as secure as possible. We use HSTS, HPKP, strong cipher suites and protocols and a variety of other methods to make our communication with clients as secure as possible. TLS_FALLBACK_SCSV is another defense we want to use, particularly seeing as our QSA would sign us off for continued use of TLS v1.0 until 2018 if it was there. Remember that every use case is different.
Rob