The service provides these network reports: PCI Executive Report and PCI Technical Report. The network reports include current vulnerability data returned from the most recent external scans on your network, including all IP addresses in your PCI account.
The PCI Executive Report includes your overall compliance status, the compliance status for each scanned host, and the scan configuration settings used.
An overall PCI compliance status of PASS is required to be compliant with the PCI Data Security Standard. This status indicates that all hosts in the report passed the PCI compliance requirements. A PCI compliance status of PASS for a single host/IP indicates that no vulnerabilities or potential vulnerabilities, as defined by the PCI DSS compliance standards set by the PCI Council, were detected on the host.
The PCI Technical Report includes the same PCI compliance status as the PCI Executive Report plus a Detailed Results section. This section provides detailed vulnerability information sorted by host, so you can quickly find and eliminate network security vulnerabilities.
The Detailed Results section of the report shows all detected vulnerabilities and potential vulnerabilities sorted by host. Vulnerabilities with a PCI status of FAIL caused the host to receive the PCI compliance status FAIL. All vulnerabilities and potential vulnerabilities with a PCI status of FAIL must be remediated to pass the PCI compliance requirements. Vulnerabilities with a PCI status of PASS were found on the hosts by the PCI compliance service but are not in scope for PCI; we still recommend that you remediate them in severity order.
Both reports must be submitted to your Approved Scanning Vendor (ASV) for review and approval. Once approved by the ASV, your PCI Executive Report can be submitted to your acquiring banks or QSA to demonstrate compliance with PCI standards. You are required to submit network reports to your banks on a quarterly basis.