As you can see, there are “modern”, “intermediate”, and “old” configurations (which choose different points along the security and browser compatibility trade-off—“modern” is most secure and least compatible, while “old” is least secure and most compatible).
The default that we chose based on Mozilla’s recommendations does not comply with the PCI requirements because it allows the obsolete TLSv1 protocol (which some old browsers still require). You can configure this in /etc/letsencrypt/options-ssl-apache.conf, where you could choose to add -TLSv1 to the end of the SSLProtocol line (to comply with the PCI requirement) or -TLSv1 -TLSv1.1 to comply with Mozilla’s “modern” recommendation in this specific regard.
Maybe we should ask Mozilla if they want to revisit this issue in their recommendations in light of subsequent developments and the passage of time.
which is a set of industry rules covering entities that accept credit cards. In the past, these and similar rules were the biggest reason that sites would adopt HTTPS. Nowadays, more sites that aren’t subject to PCI DSS and merchant rules are adopting HTTPS, but the rules still have a significant effect on online standards, and that’s why security scanner tools often reference their requirements.
We’ve effectively implicitly assumed that sites that are subject to these rules will have their own compliance process in which they make necessary changes and configurations (just turning on HTTPS isn’t enough to become compliant!), but maybe we should also make that clearer.
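As an added example (not code from the post above or from Certbot), here is a small audit script that reads an Apache config, works out which protocols an SSLProtocol line actually enables, and reports what must still be excluded to meet the two policies discussed above: the PCI requirement (no TLSv1) and Mozilla’s “modern” setting (no TLSv1 or TLSv1.1). The sample config is constructed to resemble options-ssl-apache.conf; the expansion of the `all` keyword into a fixed protocol list is an assumption about the mod_ssl/OpenSSL build, and the `harden` helper is hypothetical, not a Certbot feature.

```python
"""Audit and harden an Apache SSLProtocol directive against the policies
discussed in the thread. Assumption (not from the page): "all" expands to
the protocol set below; an older mod_ssl/OpenSSL build may lack TLSv1.3."""
import re

ALL_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")

# Each policy lists the protocols that must NOT be enabled.
POLICIES = {
    "pci": {"SSLv3", "TLSv1"},                        # PCI requirement as described above
    "mozilla-modern": {"SSLv3", "TLSv1", "TLSv1.1"},  # Mozilla "modern", protocols only
}

# Constructed sample resembling /etc/letsencrypt/options-ssl-apache.conf.
CONSTRUCTED_CONFIG = """\
# constructed sample, not a real Certbot file
SSLEngine on
SSLProtocol             all -SSLv2 -SSLv3
SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256
SSLHonorCipherOrder     on
"""

_DIRECTIVE = re.compile(r"(\s*SSLProtocol\s+)(.+)$", re.IGNORECASE)


def effective_protocols(directive):
    """Return the set of protocols enabled by a value such as 'all -SSLv3 -TLSv1'.
    Tokens are processed left to right: a bare or '+' token adds, a '-' token
    removes, and 'all' adds every protocol in ALL_PROTOCOLS. Removing a name
    that was never enabled (e.g. SSLv2) is harmless, as in mod_ssl."""
    enabled = set()
    for token in directive.split():
        sign = "+"
        if token[0] in "+-":
            sign, token = token[0], token[1:]
        names = ALL_PROTOCOLS if token.lower() == "all" else (token,)
        if sign == "+":
            enabled.update(names)
        else:
            enabled.difference_update(names)
    return enabled


def find_ssl_protocol(config_text):
    """Return the value of the last non-comment SSLProtocol directive, or None
    if the config has none (Apache then uses its compiled-in default)."""
    value = None
    for line in config_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = _DIRECTIVE.match(line)
        if m:
            value = m.group(2).strip()
    return value


def audit(config_text, policy):
    """Return the sorted list of protocols that are enabled but forbidden by policy."""
    directive = find_ssl_protocol(config_text)
    if directive is None:
        raise ValueError("no SSLProtocol directive found")
    return sorted(effective_protocols(directive) & POLICIES[policy])


def harden(config_text, policy):
    """Hypothetical helper: append '-<proto>' for every forbidden protocol that
    the SSLProtocol line still enables, leaving all other lines untouched."""
    forbidden = POLICIES[policy]
    out = []
    for line in config_text.splitlines():
        m = _DIRECTIVE.match(line)
        if m and not line.lstrip().startswith("#"):
            extra = sorted(effective_protocols(m.group(2)) & forbidden)
            line = m.group(1) + " ".join([m.group(2).strip()] + ["-" + p for p in extra])
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for policy in POLICIES:
        print(policy, "still enables:", audit(CONSTRUCTED_CONFIG, policy))
    print(harden(CONSTRUCTED_CONFIG, "mozilla-modern"))
```

Against the constructed config the PCI audit reports TLSv1 as still enabled and the “modern” audit reports TLSv1 and TLSv1.1, matching the -TLSv1 / -TLSv1 -TLSv1.1 additions described in the post; after hardening, TLSv1.2 and TLSv1.3 remain enabled.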