Q

Vulnerability mitigation for PCI compliance

The PCI Security Standards Council identifies five levels of network security vulnerabilities, ranging from low to urgent.

Which vulnerabilities found in a scan conducted by a QSA need to be addressed?

The PCI Security Standards Council has defined procedures for Approved Scanning Vendors (ASV) to follow. There

are five levels of vulnerabilities identified by PCI. An ASV scan must not show any high-level vulnerabilities, which are defined as Levels 3-5. All high-level vulnerabilities must be demonstrably mitigated before an external network can be considered compliant. This table broadly defines these severity levels:

Level

Severity

Description

5

Urgent

Trojan horses; file read-and-write exploit;
remote command execution

4

Critical

Potential Trojan horses; file read exploit

3

High

Limited exploit of read; directory browsing; denial of service

2

Medium

Sensitive configuration information can be obtained by hackers

1

Low

Information can be obtained by hackers on configuration

For more information review the ASV Scanning Procedures document available on the PCI Security Council's Web site.

This was first published in June 2007

Dig deeper on Regulatory Compliance

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

MicroscopeUK

SearchCloudProvider

SearchSecurity

SearchStorage

SearchNetworking

SearchCloudComputing

SearchConsumerization

SearchDataManagement

SearchBusinessAnalytics

Close