The Executive Summary shows whether each scanned component (IP address) received a passing score and met the scan validation requirement, and displays a list of all vulnerabilities noted for each IP address.
This section lists general information about the most recent scan included in the scan report. Scan information includes the scan customer's company name, the approved scanning vendor's company name, the date the scan completed and the date the scan is set to expire (90 days from the scan completion date).
Each scanned component is listed by IP address and its DNS name with a PCI compliance status.
PASS indicates that no vulnerabilities or potential vulnerabilities, as defined by the PCI DSS compliance standards, were detected on the IP address.
FAIL indicates that at least one vulnerability or potential vulnerability, as defined by the PCI DSS compliance standards, was detected on the IP address.
A host in your account is considered Not Current if it was scanned more than 30 days ago or has never been scanned. These hosts are listed by IP address with a FAIL compliance status.
This section lists the vulnerabilities noted in the latest scan for each scanned IP address, with one line per vulnerability. For example, an IP address will show one line when only one vulnerability is noted, but will have five lines if five vulnerabilities are noted. The following information is displayed for each IP address.
IP Address. The IP address and its corresponding DNS name for the host with the vulnerability.
Vulnerabilities Noted per IP Address. The QID and title of the vulnerability.
Severity Level. The PCI severity level assigned to the vulnerability (High, Medium, Low). See PCI Severity Levels for more information.
CVSS Score. The CVSS base score assigned to the vulnerability. CVSS stands for the Common Vulnerability Scoring System. The CVSS base score represents the fundamental, unchanging qualities of the vulnerability. The PCI compliance service uses the CVSS version 3.1 base score provided by NIST to determine whether a vulnerability must be fixed to pass PCI compliance requirements. When a CVSS version 3.1 score is not available from NIST, the service provides a CVSS 3.0 score and uses that score to determine whether the vulnerability must be fixed. When neither a CVSS version 3.1 nor a 3.0 score is available, the CVSS version 2.0 base score is used. When a CVSS version 2.0 score is not available from NIST either, the service itself provides a CVSS 2.0 score.
Compliance Status. The PCI compliance status for the vulnerability: PASS or FAIL. A vulnerability with a status of FAIL must be fixed on the host/IP in order to pass PCI compliance. The PCI compliance service uses CVSS version 3.1 base scores and other criteria to determine the PCI pass/fail status. See PCI Pass/Fail Criteria.
Exceptions, False Positives, or Compensating Controls. (Applicable only if an approved false positive is associated with the vulnerability/host pair.) These are the comments entered by the Technical Support representative who reviewed and approved the false positive request submitted by the scan customer.
Consolidated Solution/Correction Plan for IP address. (Appears for each non-compliant IP address.) The comment, if any, provided by the scan customer during the report generation workflow for the non-compliant IP address. Note that you can view all comments in the Appendices section of the report.
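The roll-up rules described above (CVSS source fallback, Not Current hosts, per-host PASS/FAIL from the per-vulnerability statuses, and the 90-day scan expiry) are small enough to model end to end. The following is an added example written for this page, not code from the scanning service; the dataclass field names, the placeholder QIDs and the sample hosts are constructed for illustration, and the per-vulnerability PASS/FAIL status is taken as an input because the pass/fail criteria themselves are documented elsewhere.

```python
"""Model of the Executive Summary roll-up rules (added example, constructed data)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

SCAN_VALIDITY_DAYS = 90   # a scan report expires 90 days after the scan completes
NOT_CURRENT_DAYS = 30     # a host scanned more than 30 days ago is Not Current


def select_cvss_score(nist_v31=None, nist_v30=None, nist_v20=None, service_v20=None):
    """Pick the base score in the order the report uses:
    NIST CVSS 3.1 -> NIST CVSS 3.0 -> NIST CVSS 2.0 -> service-provided CVSS 2.0.
    Returns (version, score, source), or None if no score exists at all
    (the page does not describe that case; None is this example's choice)."""
    for version, score, source in (("3.1", nist_v31, "NIST"),
                                   ("3.0", nist_v30, "NIST"),
                                   ("2.0", nist_v20, "NIST"),
                                   ("2.0", service_v20, "service")):
        if score is not None:
            return (version, score, source)
    return None


@dataclass
class Finding:
    qid: int            # constructed placeholder QID, not a real one
    title: str
    severity: str       # PCI severity level: High, Medium or Low
    status: str         # per-vulnerability compliance status: "PASS" or "FAIL"


@dataclass
class Host:
    ip: str
    dns: str
    last_scanned: Optional[date]          # None means never scanned
    findings: list = field(default_factory=list)


def scan_expiry(completed: date) -> date:
    """Expiration date shown in the scan information block."""
    return completed + timedelta(days=SCAN_VALIDITY_DAYS)


def host_status(host: Host, today: date):
    """Return (status, reason) for one scanned component.
    A host is FAIL if it is Not Current or if any finding has status FAIL;
    it is PASS only when it is current and every finding passed."""
    if host.last_scanned is None or (today - host.last_scanned).days > NOT_CURRENT_DAYS:
        return ("FAIL", "Not Current")
    failing = [f for f in host.findings if f.status == "FAIL"]
    if failing:
        return ("FAIL", f"{len(failing)} failing vulnerability(ies)")
    return ("PASS", "no failing vulnerabilities")


def executive_summary(hosts, today):
    """One entry per host: status, reason and one report line per finding."""
    summary = {}
    for h in hosts:
        status, reason = host_status(h, today)
        lines = [(h.ip, h.dns, f.qid, f.title, f.severity, f.status) for f in h.findings]
        summary[h.ip] = {"status": status, "reason": reason, "lines": lines}
    return summary


def sample_hosts():
    """Constructed sample data covering the edge cases in the rules above."""
    ok = Finding(900001, "Constructed low-risk finding", "Low", "PASS")
    bad = Finding(900002, "Constructed failing finding", "High", "FAIL")
    return [
        Host("192.0.2.10", "clean.example.test", date(2024, 5, 20), [ok]),
        Host("192.0.2.11", "failing.example.test", date(2024, 5, 20), [ok, bad]),
        Host("192.0.2.12", "boundary.example.test", date(2024, 5, 2), [ok]),   # exactly 30 days
        Host("192.0.2.13", "stale.example.test", date(2024, 4, 1), [ok]),      # > 30 days
        Host("192.0.2.14", "never.example.test", None, []),
    ]


if __name__ == "__main__":
    today = date(2024, 6, 1)
    print("scan completed 2024-05-20 expires", scan_expiry(date(2024, 5, 20)))
    for ip, entry in executive_summary(sample_hosts(), today).items():
        print(ip, entry["status"], "-", entry["reason"], f"({len(entry['lines'])} line(s))")
```

The boundary host shows the "more than 30 days" wording: a host scanned exactly 30 days before the report date is still current, while one scanned 31 or more days earlier is listed as FAIL with no findings evaluated at all.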
This section lists vulnerabilities that identify the presence of certain software that may pose a risk to the scan customer's environment due to insecure implementation rather than an exploitable vulnerability.
For each vulnerability listed in this section, the following information appears: the IP address or DNS name of the host (depending on whether the latest scan was launched on IP or on DNS), the title of the note to the scan customer, the QID assigned to the vulnerability, the title of the vulnerability identifying the item noted, and the information provided by the scan customer describing how the software is securely implemented and what actions were taken.
This information also includes the service port if you select the Show Special Notes port detection check box in Merchant Information. (PCI Compliance > Account > Settings > Merchant Information.)