Your PCI Technical Report

Why should I run a PCI Technical report?

The PCI Technical Report can be used to help you identify and fix vulnerabilities in order to pass PCI compliance. This report displays your overall PCI compliance status (PASS or FAIL), the PCI compliance status for each scanned host, and the vulnerabilities detected on each host.

How do I run it?

Go to VM/VMDR > Reports > Templates. Find the Payment Card Industry (PCI) Technical Report template and select Run from the Quick Actions menu.

Why don't I see this template?

It's available only when the PCI compliance feature is enabled for your subscription.

Can I submit this report for PCI certification?

No. This report is not eligible for PCI certification, meaning that it cannot be submitted to your acquiring banks to demonstrate compliance with the PCI Data Security Standard.

Use the Share with PCI feature to share a PCI scan with your PCI Merchant account in order to generate a PCI network report and complete the required actions for PCI certification according to the latest PCI DSS requirements.

Tell me about the overall compliance status

The overall compliance status is PASS when all hosts in the report passed the PCI compliance requirements. The status is FAIL when at least one host in the report failed the PCI compliance requirements.

Tell me about the host's security risk rating

The host's security risk rating is equal to the highest severity level detected on the host. This is used when determining whether the host passed or failed.

Which vulnerabilities do I have to fix?

The vulnerabilities with the FAIL status must be remediated to pass the PCI compliance requirements. The vulnerabilities that do not show a PCI status are not in scope for PCI, but we do recommend that you remediate them in order of severity.

What criteria are used to determine compliance status?

We use the PCI severity level and other criteria, as defined by the PCI Security Standards Council, to determine whether a detected vulnerability passes or fails the PCI compliance requirements. Please note that the PCI severity level, based on CVSS score, is not the only criterion used to calculate a vulnerability's pass/fail status. A vulnerability may pass or fail PCI compliance based on the type of exploit. For example, a denial of service vulnerability will pass PCI compliance regardless of its CVSS score.

Tell me about the PCI severity level

The PCI severity level appears as: HIGH, MEDIUM or LOW. This severity is calculated based on the CVSS version 2.0 score assigned to the vulnerability.

CVSS v2 Score      Severity   Compliance
7.0 through 10.0   High       Fail
4.0 through 6.9    Medium     Fail
0.0 through 3.9    Low        Pass

Tell me about the reasons

The service lists reasons for passing or failing PCI compliance to help you understand the PCI compliance status. Note that the service is compliant with the requirements in the PCI ASV Program Guide. Reasons are listed when the CVSS scoring feature is turned on for your subscription. Go to VM > Reports > Setup > CVSS to turn on this feature.
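
The pass/fail rules described above, as an added Python example (not the service's own code). It models only the CVSS v2 thresholds and the denial of service exception stated on this page, not the other PCI Security Standards Council criteria. The Finding fields is_dos and in_scope, the host names and the sample findings are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    host: str
    title: str
    cvss_v2: float
    is_dos: bool = False     # hypothetical flag: denial-of-service finding
    in_scope: bool = True    # hypothetical flag: False = no PCI status shown

def pci_severity(cvss_v2):
    """Map a CVSS v2 base score to the PCI severity level in the table."""
    score = round(cvss_v2, 1)  # CVSS scores carry one decimal place
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS v2 score out of range: {cvss_v2}")
    if score >= 7.0:
        return "HIGH"
    return "MEDIUM" if score >= 4.0 else "LOW"

def finding_status(f):
    """PASS/FAIL for one finding, or None when it is out of PCI scope."""
    if not f.in_scope:
        return None
    if f.is_dos:               # DoS passes regardless of CVSS score
        return "PASS"
    return "PASS" if pci_severity(f.cvss_v2) == "LOW" else "FAIL"

def summarize(findings):
    """Return (overall_status, {host: {"status": ..., "must_fix": [...]}})."""
    hosts = {}
    for f in findings:
        entry = hosts.setdefault(f.host, {"status": "PASS", "must_fix": []})
        if finding_status(f) == "FAIL":
            entry["status"] = "FAIL"
            entry["must_fix"].append(f.title)
    # Overall PASS only when every host passed.
    overall = "PASS" if all(h["status"] == "PASS" for h in hosts.values()) else "FAIL"
    return overall, hosts

# Constructed sample findings (not real scan data).
SAMPLE = [
    Finding("web01", "Outdated TLS library", 7.5),
    Finding("web01", "Verbose service banner", 2.6),
    Finding("db01", "Crash on malformed packet", 7.8, is_dos=True),
    Finding("db01", "Weak hash in cookie", 3.9),
    Finding("app01", "Informational finding", 5.0, in_scope=False),
]

if __name__ == "__main__":
    overall, hosts = summarize(SAMPLE)
    print(overall, hosts)
```

In the sample, db01 passes despite a 7.8 score because that finding is a denial of service, while web01 fails on a single HIGH finding and makes the overall status FAIL.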

How do I download this report?

Go to File > Download from within the report to download and save your report as a PDF document. The service will automatically expand individual host details before saving your report.