Reasons for passing or failing PCI compliance are listed below. Note the service is compliant with the requirements in the PCI ASV Program Guide.
With a few exceptions, a vulnerability with a CVSS Base score of 4.0 or higher results in automatic failure. The service imports CVSS scores from the NIST database. For vulnerabilities that do not have a CVE, the service assigns its own CVSS score.
The service determines the version of the software and operating system running on the target machine. If it is an older version that is no longer supported by the vendor, that would result in an automatic failure.
On an ongoing basis, many new exploits and vulnerabilities are discovered for operating systems and security patches are released to address these security issues. It is important to apply software patches as soon as possible to protect operating systems against exploits and vulnerabilities.
The service detects open access to databases from the Internet. This configuration is a violation of PCI DSS section 1.3.7, and will result in an automatic failure.
On an ongoing basis, new vulnerabilities and exploits are discovered for databases and security patches are released to address these security issues. It is important to apply the patches as soon as possible to protect databases against exploits and vulnerabilities.
The service will test and report on built-in or default accounts in routers, firewalls, operating systems, web servers, database servers, applications, POS systems, or other components. Any such vulnerability will result in an automatic failure.
Hardware and software vendors use built-in or default accounts and passwords to allow customers to log in to their products for the first time. Some of these accounts have no password at all; others have a password pre-defined by the vendor. These default accounts and passwords are well known in hacker communities, making systems vulnerable to attack. These accounts need to be assigned strong passwords or they should be disabled to protect systems with cardholder data.
The service will detect presence of a DNS server and detect known vulnerabilities and configuration issues, including unrestricted DNS zone transfer. Unrestricted DNS zone transfer will result in an automatic failure.
DNS servers resolve Internet addresses by translating domain names into IP addresses. Merchants storing cardholder data may have their own DNS server or one hosted by their ISP. If a DNS server is vulnerable, attackers can collect cardholder data by masquerading as the merchant's or service provider's web page. It is important to detect DNS servers and detect known vulnerabilities and configuration issues to protect cardholder data.
The presence of web application servers must be detected and any SQL injection vulnerability on these servers must be detected. Malicious individuals frequently exploit web application vulnerabilities to gain access to internal databases that potentially store cardholder data.
An SQL injection is a code injection technique that is used to exploit a security vulnerability in a web site's software. When exploited, SQL commands are injected from the web form into the database of an application to change the database content or dump the database information like credit card data or passwords to the attacker. It is important to detect SQL injection vulnerabilities so attackers do not gain access to internal databases that store cardholder data.
The presence of web application servers must be detected and any cross-site scripting vulnerability on these servers must be detected. Malicious individuals frequently exploit web application vulnerabilities to gain access to internal databases that potentially store cardholder data.
Cross-site scripting is a type of security vulnerability found in web applications. When these vulnerabilities are exploited client-side script can be injected into web pages viewed by other users. These vulnerabilities allow attackers to bypass access controls such as the same origin policy. It is important to detect cross-site scripting vulnerabilities so attackers do not gain access to internal databases that store cardholder data.
The presence of web application servers must be detected and any directory traversal on these servers must be detected. Malicious individuals frequently exploit web application vulnerabilities to gain access to internal databases that potentially store cardholder data.
A directory traversal (or path traversal) exploits insufficient security validation or sanitization of user-supplied input file names. Upon successful exploitation characters representing "traverse to parent directory" are passed to the file APIs. It is important to detect directory traversal since this type of attack exploits a lack of web application security. This makes cardholder data and systems storing it vulnerable to attacks.
The presence of web application servers must be detected and any HTTP response splitting or header injection vulnerability flows on these servers must be detected. Malicious individuals frequently exploit web application vulnerabilities to gain access to internal databases that potentially store cardholder data.
HTTP response splitting is a web application vulnerability resulting from the failure of the application or its environment to properly sanitize input values. Header injection is a web application vulnerability that occurs when HTTP headers are dynamically generated based on user input. These vulnerabilities can be exploited to perform cross-site scripting attacks and other exploits. It is important to detect HTTP response splitting or header injection since this type of attack exploits a lack of web application security. This makes cardholder data and systems storing it vulnerable to attacks.
The service will detect and report well-known, remotely detectable backdoor applications installed on the servers. The presence of any such malware, including rootkits, backdoors, or Trojan horse programs will lead to an automatic failure.
A backdoor is a malicious software application, often commonly known in hacker communities. This malicious software needs to be identified and eliminated due to the risk backdoor applications pose to systems storing cardholder data.
Any component will result in an automatic failure if that component supports SSL version 2.0 or older OR if that component supports SSL v3.0/TLS v1.0 with 128-bit encryption in conjunction with SSL v2.0 due to the risk of forced downgrade attacks.
The Secure Sockets Layer (SSL) is a commonly-used protocol for managing the security of message transmission on the Internet. The Transport Layer Security (TLS), which is based on SSL, is a protocol that ensures privacy between communicating applications and their users on the Internet. There are well-known vulnerabilities that are easily exploitable, affecting SSL 2.0 and earlier. These security issues allow for interception or modification of encrypted data during transit. Also there are other vulnerabilities, referred to as forced downgrade attacks, which can trick an unsuspecting client into downgrading to a less secure SSL v2.0 in certain conditions. PCI DSS requirements state that strong cryptography and security protocols must be deployed and SSL v2.0/TLS v1.0 is the minimum standard due to the risk of forced downgrade attacks.
A denial-of-service vulnerability must not be ranked as a failure, per the guidance of the PCI Council.