Qualys PCI Pass/Fail Status Criteria
The calculation of the PCI Pass/Fail compliance status follows the PCI compliance standards set by the PCI Council. The criteria for PCI Pass/Fail compliance status implemented by the Qualys PCI solutions is calculated based on criteria listed in the table below.
- Vulnerabilities with a NIST CVSS v2.0 base score of either 4.0 or higher will cause PCI compliance to fail on the scanned IPs.
- Qualys will use the CVSSv2 score formula to calculate the severity and pass/fail status of any vulnerabilities that do not have a NIST-assigned CVSS score, or have a NIST CVSS score of 0.
- An IP will be considered non-compliant if the SSL version installed on it is limited to 2.0 or older.
- Vulnerabilities that may lead to SQL injection attacks and cross-site scripting will result in a non-compliant status on the corresponding IP.
- Vulnerabilities or mis-configurations that may lead to denial of service are not taken into consideration for PCI compliance.
- The PCI Technical Report will include a list of all vulnerabilities discovered, however the PCI vulnerabilities that drive the pass/fail criteria will be indicated as such.
- A number of new items such as the presence of obsolete software or database services will also cause automatic failure.