PCI DSS Compliance : Handling False Positives
Info Nessus Plugin ID 60020
SynopsisNotes the proper handling of false positives in PCI DSS scans.
DescriptionNote that per PCI Security Standards Council (PCI SSC) standards, if the version of the remote software is known to contain flaws, a vulnerability scanner must report it as vulnerable. The scanner must still flag it as vulnerable, even in cases where a workaround or mitigating configuration option is in place. This will result in the scanner issuing false positives by PCI SSC design.
It is recommended that any workarounds and mitigating configurations that are in place be documented including technical details, to be presented to a third-party PCI auditor during an audit.