As you may have noted, nCircle recently introduced our Certified PCI Scan Service, which means that we achieved certification as an Approved Scanning Vendor from the PCI Security Standards Council.
One of the requirements of PCI is that we score vulnerabilities according to their standards. You can read about them in detail here, but the gist is this table from the Technical and Operational Requirements for ASVs:

Anything scoring a 3 or greater constitutes a non-compliant system and therefore a non-compliant customer. As of June 30, 2007, PCI is changing the scoring criteria to use CVSS instead of their ranking system, as noted in the same Technical and Operational Requirements for ASVs. The use of an external standard is an improvement, but I'm confused about one particular note in the requirements (pg 4-11):

Does anyone else read that last bullet point as saying that Denial of Service conditions will no longer constitute a non-compliant system? In the current ranking system, DoS falls clearly into category 3, which is non-compliant. Is PCI following OpenBSD or vice versa?
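To make the scoring question concrete, here is an added example (not code from the original post or from nCircle) that implements the CVSS v2 base-score equations and scores a few constructed vectors, including a pure denial-of-service finding. It assumes CVSS v2 is the version PCI adopts, which the post does not state, and it deliberately encodes no compliance threshold, because the post only gives the threshold for the older PCI scale. The point it demonstrates is that a DoS-only finding still receives a non-trivial CVSS score, so any exclusion of DoS would have to come from the ASV requirements text rather than from the metric itself.

```python
# CVSS v2 base-score calculator (equations and weights from the CVSS v2 guide).
# Added example, not part of the original post or nCircle's scanner; the sample
# vectors below are constructed for illustration.
from decimal import Decimal, ROUND_HALF_UP

# Metric weights as published in the CVSS v2 specification.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT_WEIGHT = {"N": 0.0, "P": 0.275, "C": 0.660}  # shared by C, I and A


def round_to_1_decimal(value):
    """CVSS v2 rounds half up, which differs from Python's default round()."""
    return float(Decimal(str(value)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def parse_vector(vector):
    """Split 'AV:N/AC:L/Au:N/C:N/I:N/A:C' into a metric -> value dict, validating it."""
    try:
        metrics = dict(item.split(":", 1) for item in vector.split("/"))
    except ValueError:
        raise ValueError(f"malformed CVSS v2 base vector: {vector!r}")
    if set(metrics) != {"AV", "AC", "Au", "C", "I", "A"}:
        raise ValueError(f"CVSS v2 base vector must carry exactly AV/AC/Au/C/I/A: {vector!r}")
    lookups = {"AV": ACCESS_VECTOR, "AC": ACCESS_COMPLEXITY, "Au": AUTHENTICATION,
               "C": IMPACT_WEIGHT, "I": IMPACT_WEIGHT, "A": IMPACT_WEIGHT}
    for name, value in metrics.items():
        if value not in lookups[name]:
            raise ValueError(f"unknown value {value!r} for metric {name}")
    return metrics


def base_score(vector):
    """CVSS v2 base score: BaseScore = round1(((0.6*Impact) + (0.4*Exploitability) - 1.5) * f(Impact))."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - IMPACT_WEIGHT[m["C"]])
                          * (1 - IMPACT_WEIGHT[m["I"]])
                          * (1 - IMPACT_WEIGHT[m["A"]]))
    exploitability = 20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]]
    f_impact = 0.0 if impact == 0 else 1.176  # f(Impact) is 0 when there is no impact at all
    return round_to_1_decimal(((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact)


def is_dos_only(vector):
    """True when the finding affects availability but neither confidentiality nor integrity."""
    m = parse_vector(vector)
    return m["C"] == "N" and m["I"] == "N" and m["A"] != "N"


# Constructed sample vectors: remote, unauthenticated, trivially exploitable, varying impact.
SAMPLE_VECTORS = {
    "complete DoS only":   "AV:N/AC:L/Au:N/C:N/I:N/A:C",
    "partial DoS only":    "AV:N/AC:L/Au:N/C:N/I:N/A:P",
    "full compromise":     "AV:N/AC:L/Au:N/C:C/I:C/A:C",
    "no impact":           "AV:N/AC:L/Au:N/C:N/I:N/A:N",
}

if __name__ == "__main__":
    for label, vector in SAMPLE_VECTORS.items():
        print(f"{label:18} {vector}  score={base_score(vector):4.1f}  dos_only={is_dos_only(vector)}")
```

Under these equations a remote, unauthenticated DoS with complete availability impact scores 7.8 and a partial one scores 5.0, so a scanner that keys compliance off the CVSS number alone would flag both; whether they count for PCI depends entirely on how the ASV requirements treat the availability-only case.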