Document Comparison
ASV_Program_Guide_v3.2.pdf → ASV-Program-Guide-v3.2r1.pdf
93% similar
Pages: 51 → 53
Words: 19960 → 20238
Content changes: 6

Content Changes
6 content changes. 51 administrative changes (dates, page numbers) hidden.
Added
p. 32
• If the NVD entry for a specific CVE identifier includes a CVSSv3.1 score, the ASV must include the published CVSSv3.1 score in the report.
• If the NVD entry for the CVE identifier does not include a CVSSv3.1 score, the ASV must include the published CVSSv3.0 score in the report.
• If the NVD entry for the CVE identifier does not include either a CVSSv3.1 or CVSSv3.0 score, then the ASV must include the published CVSSv2.0 score in the report.
• Finally, if the NVD entry for the CVE identifier does not include any CVSS score (or there is no NVD entry for the CVE identifier), then the ASV must calculate a base score using CVSSv3.1.
The use of the CVSS and CVE standards in conjunction with the NVD is intended to provide consistency across ASVs.
Modified
p. 31 → 32
1. The Common Vulnerability Scoring System (CVSS) version 2.0, which provides a common framework for communicating the characteristics and impact of IT vulnerabilities. The CVSS scoring algorithm utilizes a Base Metric Group, which describes both the complexity and impact of a vulnerability to produce a Base Score, which ranges between 0 and 10. The CVSS Base Score must, where available, be used by ASVs in computing PCI DSS compliance scoring.
1. The Common Vulnerability Scoring System (CVSS) provides a common framework for communicating the characteristics and impact of IT vulnerabilities. The CVSS scoring algorithm utilizes a Base Metric Group, which describes both the complexity and impact of a vulnerability to produce a Base Score, which ranges between 0 and 10.
Modified
p. 31 → 32
2. The National Vulnerability Database (NVD), which is maintained by the National Institute of Standards and Technology (NIST). The NVD contains details of known vulnerabilities based on the Common Vulnerabilities and Exposures (CVE) dictionary. The NVD has adopted the CVSS and publishes CVSS Base Scores for each vulnerability. ASVs should use the CVSS scores whenever they are available.
2. The National Vulnerability Database (NVD) is maintained by the National Institute of Standards and Technology (NIST). The NVD contains details of known vulnerabilities based on the Common Vulnerabilities and Exposures (CVE) dictionary. The NVD has adopted the CVSS and publishes CVSS Base Scores for each vulnerability.
Modified
p. 33 → 34
Note: When re-ranking a vulnerability’s risk assignment, ASVs are encouraged to utilize industry-recognized resources (such as the CVSS v3.0 Calculator), rather than arbitrarily or subjectively assigning numbers to vulnerabilities.
Note: When re-ranking a vulnerability’s risk assignment, ASVs are encouraged to utilize industry-recognized resources (such as the CVSS Calculator), rather than arbitrarily or subjectively assigning numbers to vulnerabilities.
Modified
p. 50 → 51
Part 3b. Special Notes by Component
Component | Special Note to Scan Customer | Item Noted | Scan customer’s description of action taken and declaration that software is either implemented securely or removed
w.x.y.116 | HTTP directory listing | Web Server | All HTTP directory listing capabilities have been disabled per vendor support documentation.
w.x.y.119 | VPN detected | Remote Access Software | The VPN service is essential for conducting business and used to connect remote offices. The VPN service is securely implemented per vendor documentation and uses …

Part 3b. Special Notes to Scan Customer by Component
Component | Special Note to Scan Customer | Item Noted | Per section 7.2 of the ASV Program Guide, scan customer’s description of action taken and declaration that software is either needed for business and implemented securely, or removed
w.x.y.116 | HTTP directory listing | Web Server | All HTTP directory listing capabilities have been disabled per vendor support documentation.
w.x.y.119 | VPN detected | Remote Access Software | The VPN service is essential for conducting business and …
Modified
p. 51 → 52
IP Range: w.x.y.116 – w.x.y.128
Domain: company1.com
Domain: company1.net
URL: www.company1.com/payment
Part 4b. Scan Customer Designated “In-Scope” Components (Scanned)
IP Addresses/ranges/subnets, domains, URLs, etc.
w.x.y.117, www.company1.com
w.x.y.118, www.company1.net
w.x.y.119, vpn.company1.com, remote.company1.com
w.x.y.120, mail.company1.com
Part 4c. Scan Customer Designated “Out-of-Scope” Components (Not Scanned)
Requires description for each IP Address/range/subnet, domain, URL
w.x.y.121, artwork.company1.com
• Scan customer attests to implementing segmentation via separate physical layer 2 switch with no connectivity to CDE.
w.x.y.122 (not active)
• Scan customer attests that this IP address is …

IP Range: w.x.y.116 – w.x.y.128
Domain: company1.com
Domain: company1.net
URL: www.company1.com/payment
Part 4b. Scan Customer Designated “In-Scope” Components (Scanned)
IP Addresses/ranges/subnets, domains, URLs, etc.
w.x.y.117, www.company1.com
w.x.y.118, www.company1.net
w.x.y.119, vpn.company1.com, remote.company1.com
w.x.y.120, mail.company1.com
Part 4c. Scan Customer Designated “Out-of-Scope” Components (Not Scanned)
Requires description for each IP Address/range/subnet, domain, URL
w.x.y.121, artwork.company1.com
• Scan customer attests to implementing segmentation via separate physical layer 2 switch with no connectivity to CDE.
w.x.y.122 (not active)
• Scan customer attests that this IP address is …