Criteria for PCI Pass/Fail Status
The calculation of the PCI Pass/Fail compliance status follows the PCI compliance standards set by the PCI Council. The PCI Pass/Fail compliance status implemented by the QualysGuard PCI solution is calculated from the criteria listed in the table below.
QualysGuard PCI Pass/Fail Status Criteria
Vulnerabilities with a NIST CVSS v2.0 base score of 4.0 or higher will cause PCI compliance to fail on the scanned IPs.
Qualys will use the CVSSv2 score formula to calculate the severity and pass/fail status of any vulnerabilities that do not have a NIST-assigned CVSS score, or have a NIST CVSS score of 0.
An IP will be considered non-compliant if the SSL version installed on it is limited to 2.0 or older.
Vulnerabilities that may lead to SQL injection attacks and cross-site scripting will result in a non-compliant status on the corresponding IP.
Vulnerabilities or misconfigurations that may lead to denial of service are not taken into consideration for PCI compliance.
The PCI Technical Report will include a list of all vulnerabilities discovered; however, the PCI vulnerabilities that drive the pass/fail criteria will be indicated as such.
A number of new items such as the presence of obsolete software or database services will also cause automatic failure.
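To make the table concrete, the following added example (not Qualys code) applies these criteria to a constructed set of findings for one IP: the CVSSv2 base score formula and metric weights are NIST's, while the finding titles, the category labels and the SSL flag are assumptions.

```python
"""Pass/fail evaluation modelled on the QualysGuard PCI criteria table."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# NIST CVSSv2 base metric weights
AV = {"L": 0.395, "A": 0.646, "N": 1.0}     # AccessVector
AC = {"H": 0.35, "M": 0.61, "L": 0.71}      # AccessComplexity
AU = {"M": 0.45, "S": 0.56, "N": 0.704}     # Authentication
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}    # Confidentiality/Integrity/Availability impact

def cvss2_base(vector: str) -> float:
    """CVSSv2 base score for a vector such as 'AV:N/AC:L/Au:N/C:P/I:P/A:P'."""
    m = dict(part.split(":") for part in vector.split("/"))
    impact = 10.41 * (1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]]))
    exploitability = 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]
    f_impact = 0.0 if impact == 0 else 1.176
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact, 1)

@dataclass
class Finding:
    title: str
    nist_score: Optional[float]      # NIST-assigned score; None or 0 means "not assigned"
    vector: str                      # CVSSv2 vector, used only when no NIST score exists
    category: Optional[str] = None   # assumed labels: "sqli", "xss", "obsolete", "dos"

AUTO_FAIL = {"sqli", "xss", "obsolete"}   # findings that fail regardless of score

def effective_score(f: Finding) -> float:
    """Use the NIST score when present; otherwise fall back to the CVSSv2 formula."""
    return f.nist_score if f.nist_score else cvss2_base(f.vector)

def pci_status(findings: List[Finding], only_sslv2_or_older: bool) -> Tuple[str, List[str]]:
    """Return ('PASS'|'FAIL', reasons) for one scanned IP."""
    reasons = []
    if only_sslv2_or_older:
        reasons.append("SSL limited to version 2.0 or older")
    for f in findings:
        if f.category == "dos":
            continue                  # reported, but excluded from the pass/fail decision
        score = effective_score(f)
        if f.category in AUTO_FAIL:
            reasons.append(f"{f.title}: automatic failure ({f.category})")
        elif score >= 4.0:
            reasons.append(f"{f.title}: CVSSv2 {score} >= 4.0")
    return ("FAIL" if reasons else "PASS"), reasons

SAMPLE_FINDINGS = [  # constructed sample data, not real scan output
    Finding("Outdated SSH daemon", 7.5, "AV:N/AC:L/Au:N/C:P/I:P/A:P"),
    Finding("Reflected XSS", None, "AV:N/AC:M/Au:N/C:N/I:P/A:N", "xss"),
    Finding("TCP resource exhaustion", None, "AV:N/AC:L/Au:N/C:N/I:N/A:P", "dos"),
    Finding("Minor information leak", 0, "AV:N/AC:H/Au:N/C:P/I:N/A:N"),
]
```

Running `pci_status(SAMPLE_FINDINGS, False)` yields FAIL with two reasons (the 7.5 finding and the XSS); the DoS item is skipped and the 2.6-scored leak falls below the 4.0 threshold.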
