PCI Pass/Fail Criteria

The calculation of the PCI pass/fail compliance status in PCI reports follows the PCI compliance standards set by the PCI Security Standards Council.

For each vulnerability, the PCI compliance service uses the CVSS version 2.0 base score provided by NIST to determine whether the vulnerability must be fixed to pass PCI compliance requirements. When a CVSS version 2.0 score is not available from NIST, the service assigns its own CVSS 2.0 score and uses that score to determine whether the vulnerability must be fixed.

The CVSS version 2.0 score is mapped to a PCI severity level for each vulnerability according to the requirements from the PCI Security Standards Council.

Important: The service uses the PCI severity level and other criteria, as defined by the PCI Security Standards Council, to determine whether a detected vulnerability passes or fails the PCI compliance requirements. Please note that the PCI severity level, based on CVSS score, is not the only criterion used to calculate a vulnerability's pass/fail status. A vulnerability may pass or fail PCI compliance based on the type of exploit. For example, a denial of service vulnerability will pass PCI compliance regardless of its CVSS score.

PCI Severity Levels

A PCI severity level of High, Medium or Low, which is based on the CVSS score, is assigned to the vulnerability. This easy-to-understand ranking should assist you when prioritizing remediation tasks.

The table below shows the PCI severity level and compliance status for each CVSS score range. The confirmed and potential severity columns in the original report use colored icons; they are shown here as the severity names.

CVSS score          Confirmed severity   Potential severity   Compliance
7.0 through 10.0    High                 High                 Fail
4.0 through 6.9     Medium               Medium               Fail
0.0 through 3.9     Low                  Low                  Pass

Guidance for High and Medium (CVSS 4.0 through 10.0): These vulnerabilities must be fixed to pass PCI compliance. Organizations should take a risk-based approach to correcting these types of vulnerabilities, starting with the most critical ones (rated 10.0, followed by those rated 9, 8, 7, etc.) until all vulnerabilities rated 4.0 through 10.0 are corrected.

Guidance for Low (CVSS 0.0 through 3.9): These vulnerabilities are not required to be fixed to pass PCI compliance. Organizations are encouraged, however, to correct these vulnerabilities.
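The following is an added worked example, not code from the scanning service or the PCI Security Standards Council, that applies the rules on this page to a small set of constructed findings: the NIST CVSS 2.0 score is used when present, a service-assigned score is used otherwise, the score is mapped to High/Medium/Low, High and Medium fail, and a denial of service finding passes regardless of score. The Finding fields, the denial_of_service flag, and the sample findings are assumptions for illustration; the page names the DoS exception as one example of "other criteria" without listing the rest, so nothing beyond that exception is modeled.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Finding:
    """One detected vulnerability (field names are assumed for this example)."""
    name: str
    nist_cvss2: Optional[float]           # CVSS v2.0 base score from NIST, None if NIST has none
    service_cvss2: Optional[float] = None # score the service assigns when NIST has none
    denial_of_service: bool = False       # exploit type is DoS: passes regardless of score


def effective_cvss2(finding: Finding) -> float:
    """Prefer the NIST score; fall back to the service-assigned score when NIST has none."""
    score = finding.nist_cvss2 if finding.nist_cvss2 is not None else finding.service_cvss2
    if score is None:
        raise ValueError(f"{finding.name}: no CVSS 2.0 score available")
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"{finding.name}: CVSS 2.0 score {score} out of range")
    return score


def pci_severity(score: float) -> str:
    """Map a CVSS 2.0 base score to the PCI severity level from the table on this page."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS 2.0 score {score} out of range")
    if score >= 7.0:
        return "High"      # 7.0 through 10.0
    if score >= 4.0:
        return "Medium"    # 4.0 through 6.9
    return "Low"           # 0.0 through 3.9


def pci_status(finding: Finding) -> str:
    """Return 'Pass' or 'Fail' for one finding.

    The DoS exception is checked first because the page states it applies
    regardless of CVSS score; everything else is decided by severity level.
    """
    if finding.denial_of_service:
        return "Pass"
    severity = pci_severity(effective_cvss2(finding))
    return "Fail" if severity in ("High", "Medium") else "Pass"


def remediation_order(findings: List[Finding]) -> List[str]:
    """Names of failing findings, highest CVSS score first (the risk-based order the guidance describes)."""
    failing = [f for f in findings if pci_status(f) == "Fail"]
    failing.sort(key=lambda f: effective_cvss2(f), reverse=True)
    return [f.name for f in failing]


# Constructed sample findings; names and scores are illustrative only.
SAMPLE_FINDINGS = [
    Finding("sqli-in-login-form", nist_cvss2=7.5),
    Finding("outdated-tls-config", nist_cvss2=4.3),
    Finding("verbose-server-banner", nist_cvss2=2.6),
    Finding("vendor-only-advisory", nist_cvss2=None, service_cvss2=6.8),
    Finding("slowloris-style-dos", nist_cvss2=7.8, denial_of_service=True),
]

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(f"{f.name:24} CVSS {effective_cvss2(f):4.1f} "
              f"{pci_severity(effective_cvss2(f)):6} {pci_status(f)}")
    print("Fix in this order:", remediation_order(SAMPLE_FINDINGS))
```

Note that the boundaries are inclusive on the low end of each band (a 7.0 is High and a 4.0 is Medium), which matches the table; a finding with no score from either source is rejected rather than silently treated as Low.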

Related Reading

Payment Card Industry (PCI) Compliance

Payment Card Industry (PCI) Technical Report

Vulnerability Severity Levels