CoalfireOne℠ - Scans Newsletter

January 2018 | Volume 9

Appropriate Dispute Comments

The ASV team here at Coalfire wants to enable our scanning clients to get their disputes accepted the first time around, and to lessen the back-and-forth-review process. Dispute comments should provide a somewhat detailed explanation regarding what is being disputed, as well as what the associated evidence is trying to explain. Here are some examples of what cannot be accepted as dispute comments, based upon PCI SSC guidelines, which ASVs are required to adhere to:

  • “False Positive. See evidence”
  • “See attached evidence”
  • “We have controls in place”
  • “We have accepted this risk”

The information submitted in dispute comments, once accepted, is populated word-for-word into the associated Detail and Summary Reports. Additionally, if the dispute comments are too vague, this will leave many questions to the whomever is reviewing disputes within the associated reporting. Therefore, ASV scanning clients should also leave out comments that are not related to what is being disputed. Here are some examples of what should be left out.

  • “This dispute has been accepted before”
  • “This is a repeat dispute”
  • “Why does this keep showing up”

If you have any questions regarding what is acceptable when submitting a dispute, please feel free to reach out to scandesk@coalfire.com.

Training and Help Section

Need a refresher on how to submit a dispute or maybe how to provide evidence? Look no further! Coalfire provides user guides as well as training videos on various functions within CoalfireOne.

You can find the Training and Help Section by clicking here.

Past Newsletters and Events

If you've missed our previous CoalfireOne Scans Newsletters, you can find them as well as other Coalfire related news and events by clicking here.

Have a question about CoalfireOne?

The ScanDesk is ready to help. M-F: 6 AM-6 PM MT
650-597-4510 | scandesk@coalfire.com

Did you know?

  • Per PCI guidelines, disputes can be accepted for a period no longer than 90 days. CoalfireOne has a “Disputes by Vulnerability” option to lighten the load of submitting disputes from quarter to quarter.
  • Timely dispute response. Once a dispute is submitted, you will receive information if the dispute has been accepted or rejected within 5 business days. If the disputes have been rejected, a detailed explanation will be provided by a CoalfireOne representative.

<< Go Back

Friendly Reminders

Scan at least Monthly

  • Vulnerabilities are discovered every day. Coalfire recommends you to run automatic scans at least monthly, so you’ll always have the current vulnerability information for your hosts. This also allows those who complete ASV scans to identify vulnerabilities on hosts sooner, allowing for time to remediate before the end of the 90-day period.

Removal of SSL and early TLS

  • “SSL and early TLS have been removed as an example of strong cryptography in the PCI DSS. These protocols will no longer protect cardholder data – and can no longer be used as a security control after June 30, 2016 or June 20, 2018 for Merchants.” – PCI Council.
  • Even though the migration deadline for early TLS is June 20, 2018, a mitigation and migration plan is required to be in place now. As your ASV, a dispute will not be approved unless a migration and mitigation plan has been attested to.

CoalfireOne standard maintenance windows:

Every other Monday
4-6:30 PM PT

Every Thursday
12-3 PM PT