I would agree with the answers provided for external scans.
For internal scans, it specifically states High vulnerabilities. We use bullet C as a baseline for remediating anything with a CVSS score of 7 or higher.
NVD CVSS v2 Vulnerability Severity Ratings
A. Vulnerabilities are labeled "Low" severity if they have a CVSS base score of 0.0-3.9.
B. Vulnerabilities will be labeled "Medium" severity if they have a base CVSS score of 4.0-6.9.
C. Vulnerabilities will be labeled "High" severity if they have a CVSS base score of 7.0-10.0.
You can run a free internal PCI scan on a Mac or PC within a few seconds at www.iscanonline.com without registration or downloading software.
You need to have a score from 0.0 through 3.9 to be compliant.
From the PCI Security Standards Council:
“To demonstrate compliance, a scan must not contain high-level vulnerabilities in any component in the cardholder data environment. Generally, to be considered compliant, none of those components may contain any vulnerability that has been assigned a Common Vulnerability Scoring System (CVSS) base score equal to or higher than 4.0.”
Here is a quick reference guide (free pdf download) that you might find useful in the future:
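As an added illustration (not code from the thread or from any of the tools mentioned), the script below maps CVSS v2 base scores onto the NVD bands quoted above and checks a list of scan findings against two thresholds: the 4.0 cut-off the PCI SSC text gives for demonstrating compliance, and the 7.0 "High only" baseline the earlier answer uses for internal scans. The `Finding` class, the `scope` names and the sample findings are constructed for this example; the internal 7.0 threshold is that answerer's own policy, not a PCI SSC rule.

```python
"""Triage CVSS v2 base scores against NVD severity bands and PCI thresholds.

Added example for this thread, not from the original posts.
Assumed inputs: a list of Finding records with a CVSS v2 base score (0.0-10.0).
"""
from dataclasses import dataclass
from typing import Dict, List

# Scores at or above which a finding fails the scan for the given scope.
# "external": the 4.0 rule quoted from the PCI SSC in the thread.
# "internal": the 7.0 (High only) baseline the earlier answer describes;
#             an assumption for this example, not a PCI SSC requirement.
PCI_FAIL_THRESHOLD: Dict[str, float] = {"external": 4.0, "internal": 7.0}


def nvd_v2_severity(score: float) -> str:
    """Return the NVD CVSS v2 band: Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0.

    Comparing against the lower bounds avoids a gap between 3.9 and 4.0 if a
    tool ever hands us a score with more than one decimal place.
    """
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    return "High"


@dataclass(frozen=True)
class Finding:
    host: str
    finding_id: str   # scanner's own identifier; constructed values below
    cvss_base: float


def evaluate_scan(findings: List[Finding], scope: str) -> Dict[str, object]:
    """Count findings per NVD band and list those that fail the scope's threshold."""
    threshold = PCI_FAIL_THRESHOLD[scope]
    counts = {"Low": 0, "Medium": 0, "High": 0}
    for f in findings:
        counts[nvd_v2_severity(f.cvss_base)] += 1
    failing = sorted(
        (f.host, f.finding_id, f.cvss_base)
        for f in findings
        if f.cvss_base >= threshold
    )
    return {
        "scope": scope,
        "threshold": threshold,
        "compliant": not failing,
        "severity_counts": counts,
        "failing": failing,
    }


# Constructed sample findings chosen to sit on the band boundaries.
SAMPLE_FINDINGS = [
    Finding("10.0.0.5", "EXAMPLE-001", 3.9),   # Low: passes both scopes
    Finding("10.0.0.5", "EXAMPLE-002", 4.0),   # Medium: fails external only
    Finding("10.0.0.9", "EXAMPLE-003", 6.9),   # Medium: fails external only
    Finding("10.0.0.9", "EXAMPLE-004", 7.0),   # High: fails both scopes
    Finding("10.0.0.12", "EXAMPLE-005", 10.0), # High: fails both scopes
]


if __name__ == "__main__":
    for scope in ("external", "internal"):
        result = evaluate_scan(SAMPLE_FINDINGS, scope)
        status = "PASS" if result["compliant"] else "FAIL"
        print(f"{scope:8s} (>= {result['threshold']}): {status}; "
              f"bands={result['severity_counts']}")
        for host, fid, score in result["failing"]:
            print(f"  {host:10s} {fid:12s} {score:4.1f}")
```

Run stand-alone, the script reports the external scope failing on four findings and the internal scope failing on two; the same list with only scores below 4.0 passes both. Keep the comparison on the raw score rather than on the band label so a finding that lands exactly on 4.0 or 7.0 is treated the way the quoted text requires ("equal to or higher than").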