Channel: TLS 1.0 and TLS 1.1 removal for Stack Exchange services - Meta Stack Exchange

Answer by Rob for TLS 1.0 and TLS 1.1 removal for Stack Exchange services


Running the Immuniweb.com Security Test, it complains (abbreviated version):

Summary of stackexchange.com SSL Security Test

The problem is TLSv1.1 and TLSv1.0 configured with TLS_RSA_WITH_3DES_EDE_CBC_SHA enabled, which is non-compliant with PCI DSS requirements. In particular, the test complains of supporting TLSv1.0 and lack of support for TLSv1.3. In addition, it says: "The HTTP version of the website does not redirect to the HTTPS version. We advise to enable redirection."

You probably know this but the latest guidelines are: SP 800-52 Rev. 2 "Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations".

There is also hardware available, such as Symantec's SSL Visibility Appliance, which can permit security tools to operate despite end-to-end encryption, but it's expensive. Despite the expense, traffic inspection is necessary unless you simply want to hope that nothing can go wrong. There are also Data Loss Prevention appliances which can detect theft of personal information, password files, and other sensitive data, and block it before it goes over the wire.

Your move to TLS 1.2 and up is a welcome one, we wouldn't want you to go down for a few days or suffer the annoyance (warning?) of last year's hack again. Thanks for keeping on the leading edge.

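As an added example (not part of Rob's answer or of the original page), the script below turns the three scanner findings quoted in the answer into offline checks: a minimum protocol version below TLS 1.2, a cipher list that still offers TLS_RSA_WITH_3DES_EDE_CBC_SHA (OpenSSL spells it DES-CBC3-SHA) or other suites without forward secrecy, and a plain-HTTP response that is not a permanent redirect to HTTPS on the same host. It uses only the Python standard library; the function names, the cipher string in `hardened_server_context`, and the `CONSTRUCTED_SCAN` input are my own choices and assumptions, not anything Immuniweb or Stack Exchange publishes. Beside the weak, constructed configuration it builds a hardened `ssl.SSLContext` and shows that the same audit passes it.

```python
"""Offline audit of a TLS server configuration against the findings quoted
above. Example code added here; not from the original post or from
Immuniweb. Standard library only."""
from __future__ import annotations

import ssl
from urllib.parse import urlsplit

# Name fragments of cipher suites that SP 800-52 Rev. 2 / PCI DSS style
# scanners flag. Both the IANA spelling (TLS_RSA_WITH_3DES_EDE_CBC_SHA) and
# the OpenSSL spelling (DES-CBC3-SHA) of the suite named in the answer match.
WEAK_FRAGMENTS = ("3DES", "DES-CBC3", "RC4", "NULL", "EXPORT", "EXP-", "MD5",
                  "ANON", "ADH", "AECDH")
# TLS 1.3 suite names carry no key-exchange part; TLS 1.3 is always (EC)DHE.
TLS13_PREFIXES = ("TLS_AES_", "TLS_CHACHA20_")

# Constructed scan result mirroring the answer: TLS 1.0 still accepted and the
# 3DES suite offered next to one good ECDHE/AES-GCM suite. Not real scan data.
CONSTRUCTED_SCAN = (
    ssl.TLSVersion.TLSv1,
    ["TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"],
)


def has_forward_secrecy(name: str) -> bool:
    """True if the suite uses an ephemeral (EC)DHE key exchange."""
    upper = name.upper()
    if upper.startswith(TLS13_PREFIXES):
        return True
    # Covers "ECDHE"/"DHE" in both IANA and OpenSSL spellings; static
    # RSA/ECDH key transport (e.g. AES128-SHA, TLS_RSA_WITH_...) has no "DHE".
    return "DHE" in upper


def audit(minimum_version: ssl.TLSVersion, cipher_names: list[str]) -> list[str]:
    """Return a list of findings; an empty list means the configuration passes."""
    findings = []
    if minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum protocol version is {minimum_version.name}; "
                        "TLS 1.0/1.1 can still be negotiated")
    for name in cipher_names:
        upper = name.upper()
        for frag in WEAK_FRAGMENTS:
            if frag in upper:
                findings.append(f"weak cipher suite enabled: {name} ({frag})")
                break
        if not has_forward_secrecy(name):
            findings.append(f"no forward secrecy (static key exchange): {name}")
    return findings


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Audit a live SSLContext, i.e. what this process itself would offer."""
    return audit(ctx.minimum_version, [c["name"] for c in ctx.get_ciphers()])


def hardened_server_context() -> ssl.SSLContext:
    """Server-side context: TLS 1.2+, AEAD suites with forward secrecy only.
    The cipher string is my choice of a conservative list, not a mandated one."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL keeps its TLS 1.3 suites enabled independently of this string.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!3DES")
    return ctx


def redirects_to_https(status: int, location: str | None, host: str) -> bool:
    """Check one plain-HTTP response: a permanent redirect to https on the
    same host. A 200, a temporary redirect, or a redirect to http:// or to
    another host all count as 'HTTP does not redirect to HTTPS'."""
    if status not in (301, 308) or not location:
        return False
    target = urlsplit(location)
    return target.scheme == "https" and target.hostname == host


if __name__ == "__main__":
    print("constructed weak configuration:")
    for finding in audit(*CONSTRUCTED_SCAN):
        print("  -", finding)
    print("hardened context findings:", audit_context(hardened_server_context()))
    print("HTTP 301 -> https, same host:",
          redirects_to_https(301, "https://stackexchange.com/", "stackexchange.com"))
    print("HTTP 302 -> http, same host:",
          redirects_to_https(302, "http://stackexchange.com/", "stackexchange.com"))
```

`audit` works on data, so the same function can be fed the version and cipher names a scanner reported, or the ones a process would offer via `audit_context`. The cipher list for the hardened context is an assumption of this example; what matters for the check is the minimum version and that every suite left has an ephemeral key exchange and no 3DES, RC4, NULL, export or MD5 component.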




