What does compliant mean?
Companies that meet all PCI DSS security requirements that apply to them are considered PCI DSS compliant.
This means that these companies are protected by the so-called "safe harbor rule" as long as they demonstrably comply with the requirements. This means that in the event of data theft or misuse, the company can expect partial or full exemption from fines from the credit card organizations or their acquirer after analysis by a forensic expert.
Why are there watermarks with "Scan Report not confirmed" on my reports?
The watermarks are used as long as the scan is in "fail" status or in "compliant" status, but not yet formally completed. A scan in "compliant" status requires a final (formal) confirmation from you. To do this, please use the button "Confirm scan", which you can find within the function selection of your current scan.
Is TLSv1.0 or TLSv1.1 considered PCI DSS compliant?
No, you must disable this protocol. As of March 31, 2021, Transport Layer Security (TLS) versions 1.0 (RFC 2246) as well as 1.1 (RFC 4346) are formally considered obsolete. The newer versions 1.2 and/or 1.3 should be used instead.
Note: The TLSv1.1 protocol itself currently has no exploitable vulnerabilities. However, some vendor implementations of TLSv1.1 have vulnerabilities that may be exploitable.
Can confirmed false positives be removed from reports?
No, false positives cannot be removed from reports. Please note that the removal of false positives is not explicitly permitted by the PCI DSS.
Links Rejected By Crawl Scope or Exclusion List (keyword "embedded links") - However, the excluded links list is empty. How can the vulnerability be fixed?
This is a false positive. Please enter this information in the comment field of the finding (in English).
Path-Based Vulnerability - Web Directory Browsing does not take place. How can the vulnerability be fixed?
This is a false positive. Please enter this information in the comment field of the finding (in English).
http Proxy Supports non-http Protocols 62003 - How can the vulnerability be fixed?
In this case, the scanner has detected an HTTP proxy that allows protocols besides HTTP, such as dict, ftp or gopher. If this is not a false positive and these protocols are not needed, you should disable them in the proxy settings (vendor specific).
Possible Scan Interference - How can the vulnerability be fixed?
We recommend that you perform a rescan. If the problem persists after manually checking all settings, please enter this issue as a false positive in the comment field of the finding (in English).
not alive - No Vulnerabilities were found for this Component - How can the vulnerability be fixed?
In this case, the scanner could not detect the specified system. Make sure that requests are not blocked by a firewall. Additionally, you can schedule a rescan and select the "Without prior ping test (slow)" option in the scan profile.
Certificate SHA1 Signature Collision Vulnerability - However, the certificate does not use SHA1. How can the vulnerability be fixed?
The complete certificate chain is considered here. If only the root certificate uses the SHA1 algorithm, please add a false positive comment.
server stopped responding - How can the vulnerability be fixed?
There can be several reasons for this. Please check if the scanner was blocked by an active firewall or if the target system was overloaded and became unreachable.
We have received the finding "Session Cookie Does Not Contain the 'Secure' Attribute". However, the set cookie is only used for load balancer allocation - How can the vulnerability be fixed?
The scanner has detected that the cookie is missing the Secure attribute. If the cookie in question is neither a session cookie nor any other form of sensitive information, you can comment this as a false positive (in English).