PCI DSS Compliance : Handling False Positives

This script is Copyright (C) 2012 Tenable Network Security, Inc.


Synopsis :

Notes the proper handling of false positives in PCI DSS scans.

Description :

Note that per PCI Security Standards Council (PCI SSC) standards, if
the version of the remote software is known to contain flaws, a
vulnerability scanner must report it as vulnerable. The scanner must
still flag it as vulnerable, even in cases where a workaround or
mitigating configuration option is in place. This will result in the
scanner issuing false positives by PCI SSC design.

It is recommended that any workarounds and mitigating configurations
that are in place be documented including technical details, to be
presented to a third-party PCI auditor during an audit.

Solution :

n/a

Risk factor :

None

Family: Policy Compliance

Nessus Plugin ID: 60020 ()

Bugtraq ID:

CVE ID: