Have you gotten an email from your PCI DSS security scanning vendor saying that you’ve failed your most recent vulnerability scan? And, oh, by the way, you’ve got a month to fix it to get back into compliance? Yikes!

The good news is that a lot of the failure notices are possibly false positives. That is, you’ve been flagged for things that don’t apply to you. That’s good because there’s nothing you need to do to fix it except let your scanning vendor know that it doesn’t apply and the vulnerability has been mitigated. More good news: fixing the real issues is usually pretty easy.

The bad news is that there’s no easy way to tell which ones are false positives and which ones are real; and there’s no easy way to tell what you have to do to fix each of the issues. Scanning reports have notices that read like word soup:

If you have a dedicated IT staff, you should be able to give this report to them and they can go through the failures one by one, find out what caused the failure, and let you know your options. That process will involve some research (each of the CVE numbers represents a document describing the security vulnerability in detail) and cross-checking of the software installed on your server. Hopefully, they come back and say that they’re all false positives because you’ve already applied all of the relevant patches. In other cases, they may need to apply a security patch or update to your server which may require some downtime.

If you don’t have an IT staff or you don’t know what to do… don’t panic. That’s why I wrote this! Contact me and together we’ll get you back into compliance in no time.