What CVSS Score is required for PCI compliance?

kreiley

Does anyone know what CVSS (Common Vulnerability Scoring System) score is required to meet PCI DSS (Payment Card Industry Data Security Standards) compliance requirements?

Topic: Security

Answers

3 total
billyaustintx_tw601266289
Vote Up (1)

I would agree with the answers provided for external scans.

 

For internal scans, it specifically states High vulnerabilities. We use bullet C as a baseline for remediating anything with a CVSS Score of 7 or higher.

 

NVD CVSS v2 Vulnerability Severity Ratings

http://nvd.nist.gov/cvss.cfm

 

A. Vulnerabilities are labeled "Low" severity if they have a CVSS base score of 0.0-3.9.

B. Vulnerabilities will be labeled "Medium" severity if they have a base CVSS score of 4.0-6.9.

C. Vulnerabilities will be labeled "High" severity if they have a CVSS base score of 7.0-10.0.

 

You can run a free internal PCI scan on a Mac or PC within a few seconds at www.iscanonline.com without registration or downloading software.

AppDevGuy
Vote Up (2)

 

You need to have a score from 0.0 through 3.9 to be compliant.  

 

From the PCI Security Standards Council: 

“To demonstrate compliance, a scan must not contain high-level vulnerabilities in any component in the cardholder data environment. Generally, to be considered compliant, none of those components may contain any vulnerability that has been assigned a Common Vulnerability Scoring System (CVSS) base score equal to or higher than 4.0.”

 

Here is a quick reference guide (free pdf download) that you might find useful in the future:

https://www.pcisecuritystandards.org/documents/PCI%20SSC%20Quick%20Refer...

 

jimlynch
Vote Up (2)

See this:

http://www.qualys.com/enterprises/qualysguard/pci-compliance/pass-fail-c...

"Vulnerabilities with a NIST CVSS v2.0 base score of either 4.0 or higher will cause PCI compliance to fail on the scanned IPs.
Qualys will use the CVSSv2 score formula to calculate the severity and pass/fail status of any vulnerabilities that do not have a NIST-assigned CVSS score, or have a NIST CVSS score of 0.
An IP will be considered non-compliant if the SSL version installed on it is limited to 2.0 or older.
Vulnerabilities that may lead to SQL injection attacks and cross-site scripting will result in a non-compliant status on the corresponding IP.
Vulnerabilities or mis-configurations that may lead to denial of service are not taken into consideration for PCI compliance.
The PCI Technical Report will include a list of all vulnerabilities discovered, however the PCI vulnerabilities that drive the pass/fail criteria will be indicated as such.
A number of new items such as the presence of obsolete software or database services will also cause automatic failure."
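A small triage routine, added here as an example and not part of any of the answers above, that applies the pass/fail rules quoted in this thread (a CVSS v2 base score of 4.0 or higher fails the external scan; SQL injection, XSS, SSLv2 and obsolete software fail regardless of score; DoS-only issues are not counted) and can be rerun with the 7.0 internal baseline from the first answer. The category tags and the sample findings are constructed assumptions, not real scanner output.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

PCI_FAIL_THRESHOLD = 4.0       # external ASV scan: CVSS v2 base >= 4.0 fails
INTERNAL_HIGH_THRESHOLD = 7.0  # NVD "High" band, the internal baseline used above
# Finding categories that fail the host regardless of score (per the quoted criteria).
ALWAYS_FAIL = {"sqli", "xss", "sslv2", "obsolete-software"}
EXEMPT = {"dos"}  # DoS-only issues are not taken into consideration

@dataclass
class Finding:
    host: str
    title: str
    cvss: Optional[float]      # None: no NIST-assigned score yet
    category: str = "generic"  # hypothetical tag set by the scanner

def fails_pci(f: Finding, threshold: float = PCI_FAIL_THRESHOLD) -> Optional[bool]:
    """True/False once decided; None when the finding still needs a score."""
    if f.category in EXEMPT:
        return False
    if f.category in ALWAYS_FAIL:
        return True
    if f.cvss is None:
        return None
    if not 0.0 <= f.cvss <= 10.0:
        raise ValueError(f"CVSS base score out of range: {f.cvss}")
    return f.cvss >= threshold

def triage(findings: List[Finding], threshold: float = PCI_FAIL_THRESHOLD) -> Dict[str, Dict[str, List[str]]]:
    """Sort each host's findings into fail / pass / unscored buckets."""
    report: Dict[str, Dict[str, List[str]]] = {}
    for f in findings:
        verdict = fails_pci(f, threshold)
        bucket = "unscored" if verdict is None else ("fail" if verdict else "pass")
        report.setdefault(f.host, {"fail": [], "pass": [], "unscored": []})[bucket].append(f.title)
    return report

def compliant_hosts(report: Dict[str, Dict[str, List[str]]]) -> List[str]:
    """Hosts with nothing failing and nothing left unscored."""
    return sorted(h for h, b in report.items() if not b["fail"] and not b["unscored"])

# Constructed sample findings, not real scanner output.
SAMPLE = [
    Finding("10.0.0.5", "Weak SSL cipher suites offered", 4.3),
    Finding("10.0.0.5", "Reflected XSS in login form", 2.6, "xss"),   # fails despite low score
    Finding("10.0.0.6", "SYN flood amplification", 7.8, "dos"),       # exempt despite high score
    Finding("10.0.0.6", "Server banner discloses version", 2.1),
    Finding("10.0.0.7", "Vendor advisory without NVD entry", None),   # must be scored first
]
```

An unscored finding keeps its host out of the compliant list rather than silently passing, which mirrors the Qualys note that unscored items get a computed score before the verdict.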
