PCI 3.2 Compliance Report

The PCI 3.2 Compliance report documents compliance with the Payment Card Industry’s Data Security Standard (PCI-DSS Version 3.2), which includes requirements that web applications be built to secure coding guidelines and that applications be subject to routine vulnerability checks.

List of Sites

The PCI 3.2 Compliance Report provides a list of sites included in this report, shown below.

[Image: PCI compliance list of assets]
Sites are marked as compliant or not compliant based on whether they pass the tests performed at their service level. True PCI compliance depends on all tests being performed. Sites at the BE or SE service levels cannot be described as fully PCI compliant on the basis of BE or SE testing alone; however, they are shown as compliant in this table if the tests that were performed passed.

PCI Compliance Summary

This table lists the requirements the PCI-DSS specifies for web applications (6.5.1 - 6.5.10) and whether your site complies with each one.

[Image: PCI compliance table]

This report is particularly useful when you need to demonstrate that a site is PCI-compliant.

Open Vulnerabilities

Listed below in the table are the open vulnerabilities for this site.

[Image: PCI open vulnerabilities table]

Appendix PCI-DSS Requirements

The PCI 3.2 Compliance report documents compliance with the latest PCI-DSS (3.2) requirements as follows:

  • 6.5.1: Injection Flaws

  • 6.5.2: Buffer Overflow

  • 6.5.3: Insecure Cryptographic Storage

  • 6.5.4: Insecure Communications

  • 6.5.5: Improper Error Handling

  • 6.5.6: All 'High' Vulnerabilities identified (PCI-DSS Requirement 6.2)

  • 6.5.7: Cross Site Scripting

  • 6.5.8: Improper Access Control

  • 6.5.9: Cross Site Request Forgery

  • 6.5.10: Broken Authentication and Session Management

The report contains an appendix page for each requirement; each appendix page includes:

  • Environments Affected

  • Vulnerability

  • Verifying Security

  • Protection

  • Samples

  • Related Articles

  • How to Protect Yourself

  • References

Appendix - Vulnerability Level Definitions (by Risk)

This section details how the vulnerability levels are defined. Risk levels for the WhiteHat Sentinel Source solution follow the OWASP risk rating methodology, which uses the standard risk model (Risk = Likelihood x Impact) with several factors contributing to likelihood and to impact. The following tables show how vulnerability ratings are calculated in the PCI 3.2 Compliance Report.

[Image: impact level table]

The Impact can be broken down into the Technical Impact and Business Impact.

  • Technical impact considers the traditional areas of security: confidentiality, integrity, availability, and accountability.

  • The business impact stems from the technical impact and considers factors such as financial damage, reputational damage, non-compliance, and privacy violations.

After scoring the Likelihood and Impact, the Risk Rating is determined using the following table:

[Image: likelihood level table]

Risk ratings are defined below:

[Image: risk level table]
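The following is an added worked example of the Risk = Likelihood x Impact calculation described above; it is not WhiteHat's code and does not reproduce the Sentinel tables shown in the report images. The factor names, the 0-9 scoring scale, the level thresholds (LOW below 3, MEDIUM from 3 to below 6, HIGH from 6) and the overall severity matrix are taken from the public OWASP Risk Rating Methodology and are an assumption about how the report's tables are built; the two findings scored at the bottom are constructed sample values.

```python
from statistics import mean
from typing import Dict, Optional

# Score-to-level thresholds from the OWASP Risk Rating Methodology (assumed to
# match the report's likelihood and impact level tables).
def level(score: float) -> str:
    """Map a 0-9 factor average to LOW (<3), MEDIUM (3 to <6) or HIGH (6 to 9)."""
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"

# Overall risk severity, keyed by (impact level, likelihood level), from the
# OWASP methodology. This stands in for the report's risk level table.
SEVERITY = {
    ("LOW", "LOW"): "Note",      ("LOW", "MEDIUM"): "Low",       ("LOW", "HIGH"): "Medium",
    ("MEDIUM", "LOW"): "Low",    ("MEDIUM", "MEDIUM"): "Medium", ("MEDIUM", "HIGH"): "High",
    ("HIGH", "LOW"): "Medium",   ("HIGH", "MEDIUM"): "High",     ("HIGH", "HIGH"): "Critical",
}


def likelihood(threat_agent: Dict[str, int], vulnerability: Dict[str, int]) -> float:
    """Likelihood is the average of the threat-agent and vulnerability factors (each 0-9)."""
    return mean(list(threat_agent.values()) + list(vulnerability.values()))


def impact(technical: Dict[str, int], business: Optional[Dict[str, int]] = None) -> float:
    """Business impact is used when it is known; otherwise technical impact stands in,
    as the OWASP methodology recommends."""
    return mean(business.values()) if business else mean(technical.values())


def risk_rating(threat_agent: Dict[str, int], vulnerability: Dict[str, int],
                technical: Dict[str, int], business: Optional[Dict[str, int]] = None) -> dict:
    """Score likelihood and impact, classify each, and look up the overall risk rating."""
    lik = likelihood(threat_agent, vulnerability)
    imp = impact(technical, business)
    lik_level, imp_level = level(lik), level(imp)
    return {
        "likelihood": lik, "likelihood_level": lik_level,
        "impact": imp, "impact_level": imp_level,
        "risk": SEVERITY[(imp_level, lik_level)],
    }


# Constructed sample 1: a reflected cross-site scripting finding (requirement 6.5.7).
XSS_THREAT_AGENT = {"skill_level": 6, "motive": 4, "opportunity": 7, "size": 6}
XSS_VULNERABILITY = {"ease_of_discovery": 7, "ease_of_exploit": 5, "awareness": 6, "intrusion_detection": 3}
XSS_TECHNICAL = {"confidentiality": 6, "integrity": 3, "availability": 1, "accountability": 7}
XSS_BUSINESS = {"financial": 3, "reputation": 5, "non_compliance": 7, "privacy": 5}

# Constructed sample 2: an injection flaw (requirement 6.5.1) with uniformly high factors.
SQLI_THREAT_AGENT = {"skill_level": 7, "motive": 7, "opportunity": 7, "size": 7}
SQLI_VULNERABILITY = {"ease_of_discovery": 7, "ease_of_exploit": 7, "awareness": 7, "intrusion_detection": 7}
SQLI_TECHNICAL = {"confidentiality": 9, "integrity": 9, "availability": 7, "accountability": 7}
SQLI_BUSINESS = {"financial": 7, "reputation": 9, "non_compliance": 7, "privacy": 9}


if __name__ == "__main__":
    for name, args in (("XSS", (XSS_THREAT_AGENT, XSS_VULNERABILITY, XSS_TECHNICAL, XSS_BUSINESS)),
                       ("SQLi", (SQLI_THREAT_AGENT, SQLI_VULNERABILITY, SQLI_TECHNICAL, SQLI_BUSINESS))):
        r = risk_rating(*args)
        print(f"{name}: likelihood {r['likelihood']:.2f} ({r['likelihood_level']}), "
              f"impact {r['impact']:.2f} ({r['impact_level']}) -> {r['risk']}")
```

Running the block scores the XSS sample as Medium likelihood (5.5) and Medium business impact (5.0), giving a Medium risk, while the injection sample lands in the High/High cell and is rated Critical. Note that omitting the business factors for the XSS sample drops the impact to the technical average (4.25), which is why the methodology prefers the business impact when it is known.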

For more information on generating reports, please see The WhiteHat Portal Menu - Reports.