AnsweredAssumed Answered

Why is CVSS base score of 4.x is considered a "PCI Pass"?

Question asked by Sec Noob on Jul 14, 2015
Latest reply on Jul 29, 2015 by Bernie Weidel

According to PCI Requirement 11.2.2 and 11.2.3, vulnerabilities rated 4.0 or higher by CVSS should result in Failure of PCI compliance. Here is the ASV guide explaining PCI Pass/Fail criteria on page 23. Based on this facts, why would the below image which outlines the "SSL/TLS use of weak RC4 cipher" vulnerability with PCI Severity of Medium and CVSS Base Score of 4.3, considered a Pass? The below result is from a scan that occurred two weeks ago from this posting date.


Please advise.


qualys pci scoring.png