CoalfireOne℠ - Scans Newsletter

July 11, 2017 | Volume 7

PCI ASV 3.0 Program Guide

On June 19, 2017, Coalfire aligned with PCI DSS v3.2 and other PCI SSC program documents and provided clarification in response to feedback from the ASV, merchant/service provider and acquirer communities.

Coalfire recommends that ASV customers review the ASV 3.0 Program Guide to see what changes occurred.

Major changes include:

  • Increased scan-report retention period from two years to three years to align with the ASV Qualification Requirements evidence retention period.
  • Applicable Special Notes are now required to be filled in before a passing scan report is issued. Scans that return "Special Notes" are marked as failing until the client submits the Special Notes and an ASV has reviewed them.

SSLv3 and Early TLS Update

Coalfire would like to remind all of our customers which disputes will be accepted under the PCI DSS SSLv3 and Early TLS Mitigation and Migration Plan and which will not.

Vulnerabilities that will be accepted by the Risk Mitigation and Migration Plan

  • TLS Server Supports TLS version 1.0
  • TLS/SSL Server is enabling the BEAST attack
  • TLS/SSL Server is enabling the POODLE attack
  • TLS/SSL Server Supports SSLv3

Vulnerabilities that will not be accepted by the PCI DSS SSLv3/Early TLS Mitigation and Migration Plan, and will therefore need to be remediated, covered by a compensating control (which must be provided), or shown to be a false positive:

  • TLS Session Renegotiation Vulnerability
  • TLS/SSL Birthday attacks on 64-bit block ciphers (SWEET32)
  • TLS/SSL Server Supports RC4 Cipher Algorithms (CVE-2013-2566)

Similar vulnerabilities may exist that are not listed here. If you have any questions regarding which vulnerabilities do or do not require a Risk Mitigation and Migration Plan, please feel free to reach out to scandesk@coalfire.com.

Have a question about CoalfireOne?

The ScanDesk is ready to help. M-F: 6 AM-6 PM MT
650-597-4510 | scandesk@coalfire.com

Did you know?

  • Per PCI guidelines, disputes can be accepted for a period no longer than 90 days. CoalfireOne has a “Disputes by Vulnerability” option to lighten the load of submitting disputes from quarter to quarter.
  • Timely dispute response. Once a dispute is submitted, you will be informed within 5 business days whether it has been accepted or rejected. If a dispute is rejected, a CoalfireOne representative will provide a detailed explanation.


Friendly Reminders

Scan at least Monthly

  • Vulnerabilities are discovered every day. Coalfire recommends that you run automatic scans at least monthly, so you always have current vulnerability information for your hosts. This also allows those who complete ASV scans to identify vulnerabilities on hosts sooner, leaving time to remediate before the end of the 90-day period.

Removal of SSL and early TLS

  • “SSL and early TLS have been removed as an example of strong cryptography in the PCI DSS. These protocols will no longer protect cardholder data – and can no longer be used as a security control after June 30, 2016 or June 20, 2018 for Merchants.” – PCI Council.
  • Even though the migration deadline for early TLS is June 20, 2018, a mitigation and migration plan is required to be in place now. As your ASV, Coalfire will not approve a dispute unless a migration and mitigation plan has been attested to.

CoalfireOne standard maintenance windows:

Every other Monday
4-6:30 PM PT

Every Thursday
12-3 PM PT