PCI DSS Compliance : Handling False Positives

Info Nessus Plugin ID 60020


Notes the proper handling of false positives in PCI DSS scans.


Note that per PCI Security Standards Council (PCI SSC) standards, if the version of the remote software is known to contain flaws, a vulnerability scanner must report it as vulnerable. The scanner must still flag it as vulnerable, even in cases where a workaround or mitigating configuration option is in place. This will result in the scanner issuing false positives by PCI SSC design.

It is recommended that any workarounds and mitigating configurations that are in place be documented including technical details, to be presented to a third-party PCI auditor during an audit.



Plugin Details

Severity: Info

ID: 60020

File Name: pci_false_positive_exp.nasl

Version: 1.1

Type: summary

Published: 2012/07/18

Modified: 2012/07/05

Dependencies: 56209

Risk Information

Risk Factor: Info