Vulnerability mitigation for PCI compliance

Expert response from: John Kindervag (retired expert)
QUESTION POSED ON: 14 June 2007
Which vulnerabilities found in a scan conducted by a QSA need to be addressed?

EXPERT RESPONSE

The PCI Security Standards Council has defined procedures for Approved Scanning Vendors (ASV) to follow. There are five levels of vulnerabilities identified by PCI. An ASV scan must not show any high-level vulnerabilities, which are defined as Levels 3-5. All high-level vulnerabilities must be demonstrably mitigated before an external network can be considered compliant. This table broadly defines these severity levels:

Level   Severity   Description
5       Urgent     Trojan horses; file read-and-write exploit; remote command execution
4       Critical   Potential Trojan horses; file read exploit
3       High       Limited exploit of read; directory browsing; denial of service
2       Medium     Sensitive configuration information can be obtained by hackers
1       Low        Information can be obtained by hackers on configuration

For more information review the ASV Scanning Procedures document available on the PCI Security Council's Web site.

All Rights Reserved, Copyright 2006 - 2008, TechTarget | Read our Privacy Policy