Paweł Krawczyk says RC4 is still safe to use in SSL. He says it’s the default preferred cipher in most versions of IIS, and that RC4 and MD5 are the fastest and least CPU-intensive. But some pentesting tools and teams say it’s “weak” because of known cryptanalytic attacks against both RC4 and MD5. PCI-DSS v1.2 no longer lists any specific algorithms for SSL but instead just says you should use “strong” ones. NIST SP 800-52 allows neither RC4 nor MD5 because they’re not FIPS-approved algorithms.
Source: https://blog.ivanristic.com/2009/08/is-rc4-safe-for-use-in-ssl.html