reading this http://docs.nethserver.org/en/latest/tlspolicy.html#tlspolicy-section we could release a TLS policy and get rid of TLS1.x for apache…of course keep 1.2
I am not sure we could be PCI compliant, I assume it is the work of the sysadmin for this purpose, he is paid for this 
but we could help
cc @davidep