It's possible that after fixing all vulnerabilities you still have an issue that doesn't seem to apply to the host. In this circumstance, you may request that we review the issue as a false positive. If a false positive request is approved, the vulnerability will not cause you to fail PCI compliance for 90 days. Note that you must re-submit false positive requests every quarter, as required by the PCI Data Security Standard.
Before making a false positive request, complete all remediation steps to fix vulnerabilities and take these actions:
1) Work with your system administrator to fix all vulnerabilities using the recommended solutions. A custom solution is provided for each vulnerability in the vulnerability details.
2) Be sure to fix all vulnerabilities except the false positive issues. Your last rescan should show only the false positive issues.
If you believe that the PCI compliance service has identified a false positive, submit a false positive request by going to Network > Vulnerabilities. Select the check box next to each vulnerability you want to submit and then click "Review False Positives" to complete the request. A Technical Support representative will work with you to confirm that the issue is indeed a false positive. Once approved, the false positive is valid for 90 days and will not appear in your vulnerabilities list or in your reports.
Reasons for requesting a false positive
You are required to provide a reason for your false positive request on each selected vulnerability. Your reason should include steps taken to verify that it is a false positive. To enter one reason for multiple false positives, select "Use same comment for all the following requests".
For a false positive that was previously approved but expired, the explanation provided in the original request appears automatically for your convenience. You can keep the text or overwrite it.
What happens if my request is approved?
If the false positive request is approved, it is approved for 90 days. As a result, the service automatically updates vulnerability and compliance status information in these ways:
Scan Results Reports: The vulnerability for the host is removed from the Scan Results Report returned by the most recent host scan. Also, the vulnerability for the host will not show up in future scan results for the host for the next 90 days.
Current Vulnerabilities: The vulnerability for the host is removed from the Current Vulnerabilities list.
Compliance Status: The Compliance Status section is updated to show that the vulnerability for the host will not cause you to fail PCI compliance.
PCI Network Reports: The next time you generate PCI network reports from the Compliance Status section, the reports indicate that the vulnerability for the host does not cause you to fail PCI compliance. In the PCI Technical Report you'll see the vulnerability for the host listed as a false positive in the "Approved False Positives Details" appendix.
It is best practice to track the false positive status of your approved false positives and to submit new false positive requests as needed.
What happens if my request is rejected?
If the false positive request is not approved, you must fix the vulnerability in order to pass PCI compliance standards. Remediation steps are provided in the Solution section of the Vulnerability Details (Network > Vulnerabilities).
Why are vulnerability check boxes grayed out?
Check boxes appear only for vulnerabilities that must be fixed to pass PCI compliance. You cannot create a false positive request for a vulnerability that is not required to pass PCI compliance.
Each approved false positive is valid for 90 days. After 90 days, the approved false positive will expire automatically. The next time you run a network scan after a false positive expires, if the QID is detected on the host, you will fail PCI compliance. The vulnerability will be listed on the Current Vulnerabilities list with an indicator that there is an expired false positive associated with the vulnerability. A new false positive request must be submitted and approved to pass PCI compliance.
It is best practice to track the false positive status of your approved false positives and to submit new false positive requests as needed. See Searching False Positives to learn how to search for false positives that are already expired and false positives that are about to expire soon.