
What are PCI False Positives?


This answers the most commonly asked question: "I signed up with Host 99 (or another host) and the website says that the servers are PCI compliant, so why does my PCI scan report vulnerabilities?" It is true that all Host 99 servers are PCI compliant. Nevertheless, the scanners run by an ASV (Approved Scanning Vendor) such as Security Metrics can report false positives: findings that the scanner identifies as vulnerabilities but which are not actually present on the server. When a scan reports such findings, they must be raised with the ASV's customer support, whose analysts manually verify that the reported vulnerabilities are indeed false positives.

Sometimes a vulnerability scan identifies a vulnerability in your environment that you believe is a false positive. If so, contact your ASV, such as Security Metrics or ControlScan. The security analysts in the ASV's Security Operations Center will review the finding and assess whether or not it is a false positive.

What is a False Positive?

Scan Scope
The ASV scanning solution must include an exhaustive fingerprinting scan on all transmission control protocol (TCP) and user datagram protocol (UDP) ports.

Platform Independence
Customer platforms are diverse. Each platform has strengths and weaknesses. The ASV solution must cover all commonly used platforms.

Accuracy
In addition to confirmed vulnerabilities, ASVs must report all occurrences of vulnerabilities that have a reasonable level of identification certainty. When the presence of a vulnerability cannot be determined with certainty, the potential vulnerability must be reported as such.

False Positives Management

The customer may point out to the ASV that vulnerabilities identified in the scan report are false positives. In this case, the following is required:
• The ASV must assess the relevance of the customer's statement and make a determination of adequacy. The ASV amends the report as necessary.
• The customer must not be permitted to edit the scan report.
• The ASV must not reduce the search space of any scan by discarding previously reported false positives; every scan must test for them again.

Load Balancer
The ASV should obtain written assurance from the customer that the components behind the load balancers are configured identically (synchronized). The configuration and the customer's assurance must be clearly documented in the scan report.
If the ASV cannot obtain this assurance from the customer, the components must be scanned individually from an internal location (behind the load balancers).
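Before giving an ASV the written assurance described above, a customer should actually confirm that every node behind the load balancer is configured the same way, since one unpatched or differently configured node produces findings that a scan through the load balancer may or may not hit, depending on which node answers. The following is an added example (not code from the original page, from Host 99, or from any ASV) that records a small configuration fingerprint from each backend and reports the attributes that differ. The host names, port, header list and the sample fingerprints are constructed for illustration.

```python
"""Check that backends behind a load balancer are configured identically.

Added example for illustration. The backend names, the port and the
SAMPLE_FINGERPRINTS below are constructed, not taken from any real scan.
"""
import http.client
import ssl
from typing import Dict, List, Tuple

# Response attributes that should be identical on every node. Headers that
# legitimately vary per request (Date, Set-Cookie, request ids) are excluded.
CONFIG_HEADERS = (
    "server",
    "x-powered-by",
    "strict-transport-security",
    "content-security-policy",
    "x-frame-options",
)

Fingerprint = Dict[str, str]


def fingerprint_backend(host: str, port: int = 443, path: str = "/",
                        timeout: float = 5.0, verify_tls: bool = True) -> Fingerprint:
    """Connect directly to one backend (not through the load balancer VIP)
    and record the response attributes that should match across nodes.

    verify_tls=False is only for internal addresses that present the public
    certificate; leave it True wherever the name on the certificate matches.
    """
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    try:
        conn.request("HEAD", path, headers={"Host": host})
        resp = conn.getresponse()
        fp: Fingerprint = {
            "status": str(resp.status),
            "tls_version": conn.sock.version() or "<unknown>",
        }
        for name in CONFIG_HEADERS:
            fp[name] = resp.getheader(name, "<absent>")
        return fp
    finally:
        conn.close()


def scan_backends(hosts: List[str], port: int = 443,
                  verify_tls: bool = True) -> Dict[str, Fingerprint]:
    """Fingerprint every backend in the list, keyed by host."""
    return {h: fingerprint_backend(h, port, verify_tls=verify_tls) for h in hosts}


def find_drift(fingerprints: Dict[str, Fingerprint]) -> List[Tuple[str, Dict[str, str]]]:
    """Return (attribute, {host: value}) for every attribute whose value is
    not identical across all backends. An empty list means the nodes look
    synchronized for the attributes checked; anything else is a node that
    must be fixed or scanned individually, as the Load Balancer section says."""
    keys = set()
    for fp in fingerprints.values():
        keys.update(fp)
    drift: List[Tuple[str, Dict[str, str]]] = []
    for key in sorted(keys):
        values = {host: fp.get(key, "<absent>") for host, fp in fingerprints.items()}
        if len(set(values.values())) > 1:
            drift.append((key, values))
    return drift


def synchronized(fingerprints: Dict[str, Fingerprint]) -> bool:
    """True when no attribute differs between the backends."""
    return not find_drift(fingerprints)


# Constructed sample: web-01 and web-02 are identical, web-03 has drifted
# (older TLS ceiling, a version-disclosing Server banner, HSTS missing).
SAMPLE_FINGERPRINTS: Dict[str, Fingerprint] = {
    "web-01.internal": {"status": "200", "tls_version": "TLSv1.3", "server": "nginx",
                        "x-powered-by": "<absent>",
                        "strict-transport-security": "max-age=31536000"},
    "web-02.internal": {"status": "200", "tls_version": "TLSv1.3", "server": "nginx",
                        "x-powered-by": "<absent>",
                        "strict-transport-security": "max-age=31536000"},
    "web-03.internal": {"status": "200", "tls_version": "TLSv1.2", "server": "nginx/1.18.0",
                        "x-powered-by": "<absent>",
                        "strict-transport-security": "<absent>"},
}

if __name__ == "__main__":
    # For a live check replace SAMPLE_FINGERPRINTS with
    # scan_backends(["web-01.internal", "web-02.internal", "web-03.internal"]).
    for attribute, per_host in find_drift(SAMPLE_FINGERPRINTS):
        print(f"{attribute}: {per_host}")
```

Run it from a host that can reach the backends directly; the load balancer itself must be bypassed, otherwise every request may be answered by the same healthy node and the drift stays hidden. The attribute list is deliberately small; extend it with whatever your environment's scan findings depend on (for example the set of open ports from an internal port scan) and keep the output with the assurance you send to the ASV.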

If you have any questions regarding the false positives in your reports, please contact your ASV for further information.

