PCI ASV Scans - Risk Ratings
PCI scanning stands for 'Payment Card Industry' scanning. As per the standard guidelines, it involves having a PCI ASV (Approved Scanning Vendor) perform a vulnerability scan of all vendor IP addresses, devices, etc. that store, process or transmit credit card data. The scan aims to identify both network and web application vulnerabilities such as XSS and SQL injection. There are many guidelines and processes involved here under PCI; we are not going to discuss those currently.
Here we discuss how to calculate and rate the risks identified during the scans.
Risk Ratings:
In PCI ASV reports, the risk for vulnerabilities identified during the ASV scans is calculated based on the CVSS score. CVSS stands for Common Vulnerability Scoring System, the scoring standard adopted and well accepted throughout the security domain for calculating security risk.
More information on CVSS and how to calculate CVSS scores can be found at:
http://www.first.org/cvss/cvss-guide
http://nvd.nist.gov/cvss.cfm?calculator
The basic rule of thumb for calculating the risk is:
If the CVSS score is >= 4.0, then that particular vulnerability results in non-compliance with PCI and the affected device/IP is considered a FAIL; a CVSS score <= 3.9 results in the vulnerability being considered compliant with PCI.
Useful Tips and Suggestions:
1. Most vulnerability scanning tools provide a CVSS score with each vulnerability, but some scanners may provide false or inaccurate CVSS scores, hence the scores must be reviewed and validated before finalizing the risk.
2. If a CVSS score is not present for a vulnerability, it should be calculated manually using the CVSS calculator and the appropriate risk finalized.
3. The right parameters should be used while calculating the risk; wrong parameters may result in a wrong score and a wrong compliance status.
4. If, to reduce the risk, the vendor has a compensating control for the vulnerability, then a new CVSS score should be calculated taking the compensating control into account and the risk rated accordingly.
5. As per the PCI ASV program, DoS vulnerabilities are rated as per the rule below:
In the case of denial-of-service vulnerabilities, where the vulnerability has both a CVSS Confidentiality Impact = none and a CVSS Integrity Impact = none, the vulnerability must be marked as pass and must be rated as low risk.
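The pass/fail rule and the DoS exception above, as an added example (not from the original post): it computes a CVSS v2 base score from a base vector string (the assumption is that the post refers to CVSS v2, the version current at the time, and that a vulnerability with C:N/I:N is the denial-of-service case) and then applies the PCI ASV rule. The findings at the bottom are constructed sample data.

```python
import re

# CVSS v2 base metric weights (from the CVSS v2 guide; assumption: v2).
AV = {"L": 0.395, "A": 0.646, "N": 1.0}       # Access Vector
AC = {"H": 0.35, "M": 0.61, "L": 0.71}        # Access Complexity
AU = {"M": 0.45, "S": 0.56, "N": 0.704}       # Authentication
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}   # C / I / A impact

VECTOR_RE = re.compile(
    r"^AV:([LAN])/AC:([HML])/Au:([MSN])/C:([NPC])/I:([NPC])/A:([NPC])$")

def parse_vector(vector):
    m = VECTOR_RE.match(vector)
    if not m:
        raise ValueError("not a CVSS v2 base vector: %r" % vector)
    return m.groups()  # (av, ac, au, c, i, a)

def cvss2_base_score(vector):
    """CVSS v2 base equation, rounded to one decimal as the guide specifies."""
    av, ac, au, c, i, a = parse_vector(vector)
    impact = 10.41 * (1 - (1 - IMPACT[c]) * (1 - IMPACT[i]) * (1 - IMPACT[a]))
    exploitability = 20 * AV[av] * AC[ac] * AU[au]
    f_impact = 0 if impact == 0 else 1.176
    return round(((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact, 1)

def pci_asv_status(vector):
    """Return (score, status) per the post: >= 4.0 FAILs, <= 3.9 PASSes,
    except a DoS finding (C=none and I=none) which is a PASS rated low."""
    score = cvss2_base_score(vector)
    _, _, _, c, i, _ = parse_vector(vector)
    if c == "N" and i == "N":
        return score, "PASS (DoS exception, low risk)"
    if score >= 4.0:
        return score, "FAIL"
    return score, "PASS"

# Constructed sample findings, as a scanner might report them.
SAMPLE_FINDINGS = {
    "reflected XSS (remote, medium complexity)": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
    "remote DoS, availability only":             "AV:N/AC:L/Au:N/C:N/I:N/A:P",
    "local info leak":                           "AV:L/AC:L/Au:N/C:P/I:N/A:N",
}

if __name__ == "__main__":
    for name, vec in SAMPLE_FINDINGS.items():
        print(name, vec, *pci_asv_status(vec))
```

The DoS finding scores 5.0, which would otherwise fail, but the exception rule marks it as a pass; reviewing the C/I metrics is what decides it, not the score alone.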
Friday, February 10, 2012