Monday, June 9, 2008

PCI Security Standards Council Mandates New Vulnerability Scoring

I recently learned that all Approved Scanning Vendors (ASVs) are required to use version 2 of the Common Vulnerability Scoring System (CVSS). Starting July 1, 2008, version 2 will be the new industry standard and all scans will be scored using this system.

Many of the ASVs that I have experience with continue to fail scans based upon false positives. Although PCI DSS requirement 11.3.1 calls for a network-layer penetration test to be performed at least once a year and after any significant infrastructure upgrade or modification, the automated quarterly vulnerability scans will still show a compliance failure even if the flagged vulnerability is a false positive.

It'll be interesting to see how many merchants will move from a compliance status of compliant to non-compliant after July 1.
