PCI Pass/Fail Criteria

The calculation of the PCI pass/fail compliance status in PCI reports follows the PCI compliance standards set by the PCI Security Standards Council.

For each vulnerability, the PCI compliance service uses the CVSS version 3.1 base score published by NIST to determine whether the vulnerability must be fixed to pass PCI compliance requirements. When NIST has not published a CVSS version 3.1 score, the service provides its own CVSS version 3.0 score and uses that score instead. When neither a CVSS 3.1 nor a CVSS 3.0 score is available, the CVSS version 2.0 base score published by NIST is used. When NIST has not published a CVSS version 2.0 score either, the service provides its own CVSS version 2.0 score. In every case, the first score found in this order is the one used for the PCI decision.

Whichever CVSS base score is selected is then mapped to a PCI severity level for that vulnerability according to the requirements of the PCI Security Standards Council.

Important - The service uses the PCI severity level together with other criteria defined by the PCI Security Standards Council to determine whether a detected vulnerability passes or fails the PCI compliance requirements. The PCI severity level derived from the CVSS score is therefore not the only criterion in a vulnerability's pass/fail status: the type of exploit also matters. For example, a denial of service vulnerability passes PCI compliance regardless of its CVSS score.
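The following Python script is an added example of the decision described above; it is not the service's own code. It walks the score-selection chain (NIST CVSS 3.1, then a service-provided 3.0 score, then NIST CVSS 2.0, then a service-provided 2.0 score), maps the chosen score to a severity level, and applies the denial-of-service exception. The vulnerability record layout and field names are assumed for the example. The severity bands (High 7.0-10.0, Medium 4.0-6.9, Low 0.0-3.9) and the rule that a base score of 4.0 or higher is a failing finding are taken from the PCI SSC ASV Program Guide, which this page references but does not restate, so treat them as the example's assumption rather than as something this page specifies.

```python
"""Pass/fail decision for one detected vulnerability.

Added example, not the PCI compliance service's own code. Record layout,
field names and the sample findings are constructed for illustration; the
severity bands and the 4.0 failing threshold follow the ASV Program Guide.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# ASV Program Guide: a CVSS base score of 4.0 or higher is a failing finding
# unless an exception (such as the DoS rule) applies. Assumed here, not stated on the page.
FAIL_THRESHOLD = 4.0


@dataclass
class Vuln:
    """One detected vulnerability. Field names are assumptions for this example."""
    vuln_id: str
    nist_cvss31: Optional[float] = None     # CVSS 3.1 base score published by NIST
    service_cvss30: Optional[float] = None  # CVSS 3.0 score the service provides when NIST has no 3.1
    nist_cvss20: Optional[float] = None     # CVSS 2.0 base score published by NIST
    service_cvss20: Optional[float] = None  # CVSS 2.0 score the service provides as a last resort
    denial_of_service: bool = False         # exploit type: DoS findings never fail


def select_score(v: Vuln) -> Tuple[str, float]:
    """Return (source label, score) for the first score available in the fallback order."""
    chain = (
        ("3.1 (NIST)", v.nist_cvss31),
        ("3.0 (service)", v.service_cvss30),
        ("2.0 (NIST)", v.nist_cvss20),
        ("2.0 (service)", v.service_cvss20),
    )
    for label, score in chain:
        if score is not None:  # 0.0 is a valid score, so test for None, not truthiness
            return label, score
    raise ValueError(f"{v.vuln_id}: no CVSS score available from any source")


def pci_severity(score: float) -> str:
    """Map a CVSS base score (any version) to a PCI severity level."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score >= 7.0:
        return "High"
    if score >= FAIL_THRESHOLD:
        return "Medium"
    return "Low"


def pci_status(v: Vuln) -> Tuple[str, str, str]:
    """Return (status, severity, score source) for one vulnerability."""
    label, score = select_score(v)
    severity = pci_severity(score)
    # Exploit-type rule: a denial of service finding passes regardless of its score.
    if v.denial_of_service:
        return "PASS", severity, label
    status = "FAIL" if score >= FAIL_THRESHOLD else "PASS"
    return status, severity, label


def pci_report(vulns: List[Vuln]) -> Dict[str, Tuple[str, str, str]]:
    """Evaluate a list of findings and key the results by vulnerability id."""
    return {v.vuln_id: pci_status(v) for v in vulns}


# Constructed sample findings covering each branch of the decision.
SAMPLE = [
    Vuln("V-1", nist_cvss31=9.8),                         # NIST 3.1 present, High, fails
    Vuln("V-2", service_cvss30=5.3),                      # no NIST 3.1, service 3.0 used, fails
    Vuln("V-3", nist_cvss20=2.6),                         # only NIST 2.0, Low, passes
    Vuln("V-4", nist_cvss31=7.5, denial_of_service=True), # High score but DoS exception, passes
    Vuln("V-5", service_cvss20=4.0),                      # last-resort score on the threshold, fails
]

if __name__ == "__main__":
    for vid, (status, severity, source) in pci_report(SAMPLE).items():
        print(f"{vid}: {status:4} severity={severity:6} score source={source}")
```

The `is not None` check in `select_score` matters: a published score of 0.0 must be used rather than skipped, otherwise a finding would fall through to a lower-precedence score and could be rated incorrectly. Note that `pci_severity` still computes the severity of a DoS finding so the report can show it, even though the finding passes.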


Quick Links

PCI Severity Levels