PCI Severity Levels

The PCI compliance service assigns each confirmed vulnerability and potential vulnerability a PCI severity level of High, Medium or Low. The severity level is based on the CVSS score assigned to the vulnerability. This easy-to-understand ranking should assist you when prioritizing remediation tasks.

Important: The service uses the PCI severity level and other criteria, as defined by the PCI Security Standards Council, to determine whether a detected vulnerability passes or fails the PCI compliance requirements. Please note that the PCI severity level, based on CVSS score, is not the only criterion used to calculate a vulnerability's pass/fail status. A vulnerability may pass or fail PCI compliance based on the type of exploit. For example, a denial-of-service vulnerability will pass PCI compliance regardless of its CVSS score. See PCI Pass/Fail Criteria for more information.

See the table below for PCI severity levels based on CVSS scores.