...
Sites or applications that process or access Personal Information must require SSL. Browsers that do not request SSL should be redirected to the SSL port (the entire session - not just the login - must be encrypted). SSL certificates must be signed by a trusted CA. Legacy systems that process or access PI must obtain and deploy a CA-signed certificate as soon as possible.
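One way to check the redirect and whole-session requirements above, as an added example that is not part of the original policy text: it audits responses captured from the non-SSL port and the cookies issued over SSL. The hostname, paths, cookie names and function names are hypothetical and the sample responses are constructed; verifying the certificate's CA signature needs a live connection and is not covered here.

```python
from urllib.parse import urlsplit

REDIRECTS = (301, 302, 303, 307, 308)

# Constructed sample: what a plaintext (non-SSL) listener returned per path.
SAMPLE = [
    {"path": "/login", "status": 301,
     "headers": [("Location", "https://app.example.org/login")]},
    {"path": "/account/profile", "status": 200,
     "headers": [("Set-Cookie", "sid=abc123; Path=/; HttpOnly")]},
    {"path": "/reports", "status": 302,
     "headers": [("Location", "http://app.example.org/reports/")]},
]

def audit_plaintext_response(host, resp):
    """Findings for one response served on the non-SSL port."""
    findings = []
    headers = [(k.lower(), v) for k, v in resp["headers"]]
    location = next((v for k, v in headers if k == "location"), None)
    if resp["status"] not in REDIRECTS or location is None:
        findings.append("served over plaintext instead of redirecting")
    else:
        target = urlsplit(location)
        if target.scheme != "https":
            findings.append("redirect target is not https")
        elif target.hostname != host:
            findings.append("redirect leaves the original host")
    # A cookie issued here crosses the network unencrypted.
    if any(k == "set-cookie" for k, _ in headers):
        findings.append("cookie set on a plaintext response")
    return findings

def audit(host, responses):
    """Map each path to its findings; an empty list means compliant."""
    return {r["path"]: audit_plaintext_response(host, r) for r in responses}

def cookies_missing_secure(set_cookie_values):
    """Names of cookies issued over SSL without the Secure attribute."""
    missing = []
    for value in set_cookie_values:
        parts = [p.strip() for p in value.split(";")]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "secure" not in attrs:
            missing.append(parts[0].split("=", 1)[0])
    return missing

if __name__ == "__main__":
    for path, findings in audit("app.example.org", SAMPLE).items():
        print(path, findings or "ok")
```

A cookie without the Secure attribute can be sent by the browser on a later plaintext request, which is how a session ends up only partly encrypted even when the login page uses SSL.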
...