CoalfireOne℠ - Scans Notification

June 2017

PCI ASV 3.0 Program Guide - "Special Notes"

Barring any urgent vulnerability checks that may be released prior, as of June 19, 2017, Coalfire's ASV process will be aligning with PCI DSS v3.2 and other PCI DSS program documents. Applicable "Special Notes" are now required to be filled in before being issued a passing scan report.

Prior to the release date, process and help documentation surrounding Special Note will be available to all customers by clicking here.

What are “Special Notes”?
Special Notes are to be used to disclose the presence of certain software or configuration that may pose a risk to the scan customer’s environment due to insecure implementation rather than an exploitable vulnerability. Scan customers must include the following information within their special notes:

  • Declared business need for the software
  • and/or
  • Scan customer's description of action taken and declaration that software is either implemented securely or removed

What does this mean for scan customers?

Coalfire ASVs must ensure that an applicable and relevant scan customer declaration is provided for each Special Note before issuing a passing scan report. Within CoalfireOne, customers will see varying messages depending on the results from their scan:

  • When the ASV scan has at least one incomplete special host, the customer will see the following language in the UI:
    • “Remediate and/or dispute all failing vulnerabilities and complete all special hosts. Coalfire will not be notified this scan is ready for review until all Special Notes are complete and zero failing vulnerabilities exist. Per the ASV 3.0 requirements regarding special hosts: "The ASV must declare a report as FAILED until all applicable scan customer declarations have been obtained and reviewed by the ASV.".
  • When the customer remediates/disputes all failing vulnerabilities and completes all Special Notes, the customer will see the following in the UI:
    • "Coalfire is currently reviewing Special Notes. If Coalfire needs further clarity on a Special Note, a scan analyst will contact you via email. If all Special Notes are satisfactory, Coalfire will move this scan into a passing state."
  • When the scan is “Complete/PASS”
    • You will see the scan in a pass state when all failing vulnerabilities have been remediated/disputed and all completed Special Notes have been approved by Coalfire.

If you have any questions regarding the new Special Notes process please feel free to contact scandesk@coalfire.com or review the ASV Program Guide v3.0 by clicking here

Have a question about CoalfireOne?

The ScanDesk is ready to help. M-F: 6 AM-6 PM MT
650-597-4510 | scandesk@coalfire.com

<< Go Back

 

Friendly Reminders

Scan at least Monthly

  • Vulnerabilities are discovered every day. Coalfire recommends you to run automatic scans at least monthly, so you’ll always have the current vulnerability information for your hosts. This also allows those who complete ASV scans to identify vulnerabilities on hosts sooner, allowing for time to remediate before the end of the 90-day period.
Removal of SSL and early TLS
  • “SSL and early TLS have been removed as an example of strong cryptography in the PCI DSS. These protocols will no longer protect cardholder data – and can no longer be used as a security control after June 30, 2016 or June 20, 2018 for Merchants.” – PCI Council.
  • Even though the migration deadline for early TLS is June 20, 2018, a mitigation and migration plan is required to be in place now. As your ASV, a dispute will not be approved unless a migration and mitigation plan has been attested to.

CoalfireOne standard maintenance windows:

Every other Monday
4-6:30 PM PT

Every Thursday
12-3 PM PT