The PCI compliance service assigns each confirmed vulnerability and potential vulnerability a PCI severity level of High, Medium or Low. The severity level is based on the CVSS score assigned to the vulnerability. This easy-to-understand ranking should assist you when prioritizing remediation tasks.
Important: The service uses the PCI severity level together with other criteria defined by the PCI Security Standards Council to determine whether a detected vulnerability passes or fails the PCI compliance requirements. The PCI severity level, derived from the CVSS score, is therefore not the only criterion used to calculate a vulnerability's pass/fail status. A vulnerability may pass or fail PCI compliance based on the type of exploit. For example, a denial of service vulnerability will pass PCI compliance regardless of its CVSS score. See PCI Pass/Fail Criteria for more information.
See the table below for PCI severity levels based on CVSS scores.
| CVSS Score | Confirmed Severity | Potential Severity | Compliance | Guidance |
|---|---|---|---|---|
| 7.0 - 10.0 | High | High | Fail | These vulnerabilities must be fixed to pass PCI compliance. Organizations should take a risk-based approach to correct these types of vulnerabilities, starting with the most critical ones (rated 10.0), followed by those rated 9, 8, 7, etc., until all vulnerabilities rated 4.0 through 10.0 are corrected. |
| 4.0 - 6.9 | Medium | Medium | Fail | Same guidance as for 7.0 - 10.0: these vulnerabilities must be fixed to pass PCI compliance, and are corrected after the higher-rated ones. |
| 0.0 - 3.9 | Low | Low | Pass | These vulnerabilities are not required to be fixed to pass PCI compliance. Organizations are encouraged, however, to correct these vulnerabilities. |
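The following is an added example, not code from the compliance service itself. It turns the table above and the denial-of-service exception from the note into a small triage routine: each finding gets its PCI severity level and pass/fail result from its CVSS score, DoS findings are marked as passing regardless of score, and the failing findings are ordered highest CVSS first as the guidance recommends. The `Finding` structure, the `is_dos` flag and the sample findings are constructed for illustration; the other PCI SSC criteria the note refers to are not modelled.

```python
"""Added example: PCI severity bands and pass/fail triage from CVSS scores.

Only the CVSS bands from the table and the denial-of-service rule from the
note are modelled. The Finding structure, the is_dos flag and the sample
findings are constructed for this example (assumptions, not page content).
"""
from dataclasses import dataclass
from typing import List, Tuple

# Lower bound of each band from the table. CVSS base scores carry one decimal
# place, so ">= 7.0" is the same band as the table's "7.0 - 10.0" and the
# "4.0 - 6.9" / "0.0 - 3.9" rows follow from the remaining lower bounds.
BANDS = (
    (7.0, "High", "Fail"),
    (4.0, "Medium", "Fail"),
    (0.0, "Low", "Pass"),
)


def pci_severity(cvss: float) -> Tuple[str, str]:
    """Return (PCI severity level, compliance result) for a CVSS score."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS score out of range: {cvss}")
    for lower, level, compliance in BANDS:
        if cvss >= lower:
            return level, compliance
    raise AssertionError("unreachable: the 0.0 band catches every valid score")


@dataclass
class Finding:
    fid: str            # constructed finding identifier
    title: str
    cvss: float
    confirmed: bool     # True = confirmed vulnerability, False = potential vulnerability
    is_dos: bool = False  # denial-of-service finding: passes regardless of score (per the note)


def pci_status(finding: Finding) -> Tuple[str, str]:
    """Severity level and compliance result, applying the DoS exception.

    The severity level itself is still reported, so a High-rated DoS issue is
    visible in the results even though it does not fail compliance.
    """
    level, compliance = pci_severity(finding.cvss)
    if finding.is_dos:
        compliance = "Pass"
    return level, compliance


def remediation_order(findings: List[Finding]) -> List[Finding]:
    """Failing findings only, highest CVSS first, as the table's guidance suggests."""
    failing = [f for f in findings if pci_status(f)[1] == "Fail"]
    return sorted(failing, key=lambda f: f.cvss, reverse=True)


# Constructed sample scan results (not real detections).
SAMPLE_FINDINGS = [
    Finding("F-1", "SQL injection in login form", 9.8, confirmed=True),
    Finding("F-2", "TLS server accepts weak cipher suite", 5.3, confirmed=False),
    Finding("F-3", "Server banner discloses version", 3.7, confirmed=True),
    Finding("F-4", "HTTP request flood exhausts worker pool", 7.5, confirmed=True, is_dos=True),
    Finding("F-5", "Reflected XSS in search parameter", 4.0, confirmed=False),
]


def report(findings: List[Finding]) -> List[str]:
    """One line per finding: id, kind, CVSS, PCI severity and pass/fail."""
    lines = []
    for f in findings:
        level, compliance = pci_status(f)
        kind = "confirmed" if f.confirmed else "potential"
        lines.append(f"{f.fid} {kind:9} CVSS {f.cvss:4.1f} {level:6} {compliance}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_FINDINGS)))
    print("Remediate in this order:",
          ", ".join(f.fid for f in remediation_order(SAMPLE_FINDINGS)))
```

Running the module prints the classification of the five sample findings and the remediation order `F-1, F-2, F-5`: F-3 passes on score alone, and F-4 passes despite its High severity because it is a denial-of-service finding.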