What CVSS Score is required for PCI compliance?


Does anyone know what CVSS (Common Vulnerability Scoring System) score is required to meet PCI DSS (Payment Card Industry Data Security Standards) compliance requirements?

Topic: Security
Answer this Question


3 total
Vote Up (12)


You need to have a score from 0.0 through 3.9 to be compliant.  


From the PCI Security Standards Council: 

“To demonstrate compliance, a scan must not contain highlevel vulnerabilities in any 

component in the cardholder data environment. Generally, to be considered compliant, none of those components may contain any vulnerability that has been assigned a Common Vulnerability Scoring System (CVSS) base score equal to or higher than 4.0.”


Here is a quick reference guide (free pdf download) that you might find useful in the future:



Vote Up (12)

See this:


"Vulnerabilities with a NIST CVSS v2.0 base score of either 4.0 or higher will cause PCI compliance to fail on the scanned IPs.
Qualys will use the CVSSv2 score formula to calculate the severity and pass/fail status of any vulnerabilities that do not have a NIST-assigned CVSS score, or have a NIST CVSS score of 0.
An IP will be considered non-compliant if the SSL version installed on it is limited to 2.0 or older.
Vulnerabilities that may lead to SQL injection attacks and cross-site scripting will result in a non-compliant status on the corresponding IP.
Vulnerabilities or mis-configurations that may lead to denial of service are not taken into consideration for PCI compliance.
The PCI Technical Report will include a list of all vulnerabilities discovered, however the PCI vulnerabilities that drive the pass/fail criteria will be indicated as such.
A number of new items such as the presence of obsolete software or database services will also cause automatic failure."

Vote Up (11)

I would agree with the answers provided for external scans.


For internal scans, it specifically states High vulnerabilities. We use bullet C as a baseline or remediating anything with a CVSS Score of 7 or higher.


NVD CVSS v2 Vulnerability Severity Ratings



A. Vulnerabilities are labeled "Low" severity if they have a CVSS base score of 0.0-3.9.

B. Vulnerabilities will be labeled "Medium" severity if they have a base CVSS score of 4.0-6.9.

C. Vulnerabilities will be labeled "High" severity if they have a CVSS base score of 7.0-10.0.


You can run a free internal PCI scan on a Macs or PC within a few seconds at www.iscanonline.com without registration or downloading software.

Ask a question

Join Now or Sign In to ask a question.
Almost 500,000 patient records have been hacked from the servers of the Harley Medical Group, the plastic surgery firm which has clinics across the UK.
Security researchers have found that many satellite communication systems have vulnerabilities and design flaws that can let remote attackers intercept, manipulate, block and in some cases take full control of critical communications.
The U.S. commercial drone industry is still struggling to get off the ground more than two years after President Obama signed into law a bill that permits the civilian use of unmanned aerial vehicles (UAV) over the country's airspace.
Sure, you’ve changed a bunch of passwords, but are you doing all you can to protect yourself?
About 2.6 million payment cards at Michaels Stores and another 400,000 at subsidiary Aaron Brothers may have been affected in a card skimming attack that compromised its point-of-sale systems, the retailer said Thursday.
National security may be at stake as private businesses try to manage a growing number of cyberthreats, but IT professionals shouldn't have to bear that burden alone.
Worried about how the Heartbleed vulnerability may affect your personal accounts? A new tool may be of help.
Whether it's the first time you've picked up an iPad or the seventeenth time you've pulled out your iPhone today, there are probably still some iOS 7 features and functionality that you're not familiar with. Don't sweat it: We're here to help. We've collected some of our favorite and most useful tips and compiled them here, just for you.
The Tor Project has flagged 380 Tor relays vulnerable to the critical Heartbleed flaw to be rejected from the Tor anonymity network, reducing the network's entry and exit capacity.
Cybercriminals have started using a sophisticated Android Trojan app designed for e-banking fraud to target Facebook users, possibly in an attempt to bypass the two-factor authentication protection on the social network.

White Papers & Webcasts

See more White Papers | Webcasts

Join us: