Your PCI Executive Report

Why should I run this report?

Tell me about the host's security risk rating

Can I submit this report for PCI certification?

Which vulnerabilities do I have to fix?

How do I run this report?

What criteria are used to determine compliance status?

How is this report different from the PCI Technical report?

How do I download this report?

Tell me about the overall compliance status

 


Why should I run the PCI Executive report?

You run the PCI Executive Report to see your overall PCI compliance status and the PCI compliance status for each scanned host (you choose a PCI scan at run time).

Can I submit this report for PCI certification?

No. Starting September 1st, 2010, this report can no longer be used to demonstrate compliance with the PCI Data Security Standard. Please use the Share with PCI feature to share a PCI scan with your PCI Merchant account in order to generate a PCI network report and complete the required actions for PCI certification.

How do I run this report?

Go to VM/VMDR > Reports > Templates. Find the Payment Card Industry (PCI) Executive Report template and select Run from the Quick Actions menu.

Why don't I see this template?

It's available only when the PCI compliance feature is enabled for your subscription.

How is this report different from the PCI Technical Report?

The PCI Executive Report does not include the list of vulnerabilities detected on each host. To see that level of detail, please run the PCI Technical Report.

Tell me about the overall compliance status

The overall compliance status is PASS when all hosts in the report passed the PCI compliance requirements. The status is FAIL when at least one host in the report failed the PCI compliance requirements.

Tell me about the host's security risk rating

The host's security risk rating is equal to the highest severity level detected on the host. This is used when determining whether the host passed or failed.

Which vulnerabilities do I have to fix?

The vulnerabilities with the FAIL status must be remediated to pass the PCI compliance requirements. The vulnerabilities that do not show a PCI status are not in scope for PCI, but we do recommend that you fix them in order of severity.

What criteria are used to determine compliance status?

We use the PCI severity level and other criteria, as defined by the PCI Security Standards Council, to determine whether a detected vulnerability passes or fails the PCI compliance requirements. Please note that the PCI severity level, based on CVSS score, is not the only criterion used to calculate a vulnerability's pass/fail status. A vulnerability may pass or fail PCI compliance based on the type of exploit. For example, a denial of service vulnerability will pass PCI compliance regardless of its CVSS score.

Tell me about the PCI severity level

The PCI severity level appears as: HIGH, MEDIUM or LOW. This severity is calculated based on the CVSS version 2.0 score assigned to the vulnerability.

CVSS v2 Score       Severity   Compliance
7.0 through 10.0    High       Fail
4.0 through 6.9     Medium     Fail
0.0 through 3.9     Low        Pass
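The scoring rules described above (severity bands from the CVSS v2 score, the denial-of-service exception, the host risk rating as the highest severity detected, and the overall PASS/FAIL roll-up) can be modelled in a few functions. This is an added example, not Qualys code: of the "other criteria" the page mentions, only the denial-of-service exception is modelled, and the QIDs, scores and host names are constructed sample data.

```python
from dataclasses import dataclass

@dataclass
class Vuln:
    qid: str               # hypothetical finding identifier (constructed)
    cvss_v2: float         # CVSS version 2.0 base score
    is_dos: bool = False   # denial-of-service finding: passes PCI regardless of score
    in_scope: bool = True  # False: no PCI status is shown, but still worth fixing

SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}

def pci_severity(cvss_v2: float) -> str:
    """Map a CVSS v2 score to the PCI severity level (HIGH / MEDIUM / LOW)."""
    if not 0.0 <= cvss_v2 <= 10.0:
        raise ValueError(f"CVSS v2 score out of range: {cvss_v2}")
    if cvss_v2 >= 7.0:
        return "HIGH"
    if cvss_v2 >= 4.0:
        return "MEDIUM"
    return "LOW"

def pci_status(v: Vuln):
    """'PASS', 'FAIL', or None when the finding is not in PCI scope."""
    if not v.in_scope:
        return None
    if v.is_dos:  # exploit type overrides the score, as the page states for DoS
        return "PASS"
    return "PASS" if pci_severity(v.cvss_v2) == "LOW" else "FAIL"

def host_risk_rating(vulns) -> str:
    """Highest severity level detected on the host (assumption: LOW if no findings)."""
    return max((pci_severity(v.cvss_v2) for v in vulns),
               key=SEVERITY_RANK.__getitem__, default="LOW")

def host_status(vulns) -> str:
    """A host fails when any in-scope finding fails."""
    return "FAIL" if any(pci_status(v) == "FAIL" for v in vulns) else "PASS"

def overall_status(hosts) -> str:
    """hosts: {hostname: [Vuln, ...]}. Overall FAIL when at least one host fails."""
    return "FAIL" if any(host_status(vs) == "FAIL" for vs in hosts.values()) else "PASS"

def remediation_plan(vulns):
    """Must-fix findings (FAIL) first, then out-of-scope ones by descending severity."""
    must_fix = [v.qid for v in vulns if pci_status(v) == "FAIL"]
    recommended = sorted((v for v in vulns if pci_status(v) is None),
                         key=lambda v: v.cvss_v2, reverse=True)
    return must_fix, [v.qid for v in recommended]

# Constructed sample scan: two hosts, mixed in-scope, DoS and out-of-scope findings.
SAMPLE_HOSTS = {
    "web-01": [Vuln("Q-1", 9.3), Vuln("Q-2", 7.8, is_dos=True), Vuln("Q-3", 5.0, in_scope=False)],
    "db-01": [Vuln("Q-4", 2.1), Vuln("Q-5", 6.9, is_dos=True)],
}
```

Note that a DoS finding still raises the host's security risk rating (it is the highest severity detected) even though it does not fail the host.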

 

Tell me about the reasons

The service lists reasons for passing or failing PCI compliance to help you understand the PCI compliance status. Note that the service is compliant with the requirements in the PCI ASV Program Guide. Reasons are listed when the CVSS scoring feature is turned on for your subscription. Go to VM/VMDR > Reports > Setup > CVSS to turn on this feature.

How do I download this report?

Go to File > Download from within the report to download and save your report as a PDF document. We will automatically expand individual host details before saving your report.