Q

Vulnerability mitigation for PCI compliance

The PCI Security Standards Council identifies five levels of network security vulnerabilities, ranging from low to urgent.

Which vulnerabilities found in a scan conducted by a QSA need to be addressed?

The PCI Security Standards Council has defined procedures for Approved Scanning Vendors (ASV) to follow. There are five levels of vulnerabilities identified by PCI. An ASV scan must not show any high-level vulnerabilities, which are defined as Levels 3-5. All high-level vulnerabilities must be demonstrably mitigated before an external network can be considered compliant. This table broadly defines these severity levels:

Level

Severity

Description

5

Urgent

Trojan horses; file read-and-write exploit;
remote command execution

4

Critical

Potential Trojan horses; file read exploit

3

High

Limited exploit of read; directory browsing; denial of service

2

Medium

Sensitive configuration information can be obtained by hackers

1

Low

Information can be obtained by hackers on configuration

For more information review the ASV Scanning Procedures document available on the PCI Security Council's Web site.

This was last published in June 2007

Dig Deeper on Regulatory Compliance

PRO+

Content

Find more PRO+ content and other member only offers, here.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Start the conversation

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

-ADS BY GOOGLE

MicroscopeUK

SearchCloudProvider

SearchSecurity

SearchStorage

SearchNetworking

SearchCloudComputing

SearchConsumerization

SearchDataManagement

SearchBusinessAnalytics

Close