What are Special Notes and why are they required?
PCI-DSS can be challenging to navigate, particularly when it comes to the ASV scanning requirements. While fulfilling the scanning requirement itself is easy, obtaining a passing attestation report may involve more than simply remediating failed findings. One requirement that we receive many questions about is Special Notes.
Special Notes disclose the presence of certain software or configurations that may pose a risk to the scan customer's environment if implemented insecurely, even though the scan has not identified an exploitable vulnerability. Scan customers must include the following information when submitting Special Notes:
- Declared business need for the software
- Scan customer's description of the action taken, with a declaration that the software is either implemented securely or has been removed
How do I know if I have to submit Special Notes?
If your ASV scan requires Special Notes, you will see the following message within the portal:
Click the “incomplete special hosts” link shown in the image below:
The Special Hosts tab lists the hosts that require Special Notes, along with the relevant port and protocol information. Once you click the “Edit Note” tab, you will be able to submit your Special Notes.
How to submit Special Notes correctly
The following is an example of the correct format for submitting Special Notes within the portal:
Key aspects to pay attention to here are:
- “Item Noted”, which identifies the type of software detected
- The securely-implemented question, which you answer by selecting “Yes” or “No” to confirm whether the software is implemented securely
- The declaration statement, which should describe the business need and relevant details and confirm that the software is securely implemented
Once all Special Notes are completed and there are no failed findings for the scan, you will see the following message in the portal:
SLA for Special Notes
Once you have entered and saved all required Special Notes, they are submitted to our ticketing queue. As with disputes, the SLA for Special Notes is five business days; however, we do our best to review and approve them within 24 hours.
When the scan is “Complete/PASS”
The scan moves to a pass state when all failing vulnerabilities have been remediated or disputed and all completed Special Notes have been approved by a Coalfire ASV.
Special Notes are a requirement under section 7.2 of the PCI DSS ASV Program Guide v3.1 and must be submitted and accepted by a Coalfire ASV before you can receive a passing attestation.
Once approved, Special Notes are valid for one year for the specified target IP address and port and will not need to be re-submitted for any additional scan schedules run within the one-year exception period.
As always, your CoalfireOne Scanning Services Team is here to answer any additional questions you may have regarding Special Notes. Contact us via email at firstname.lastname@example.org; we are available Monday through Friday, 6am to 6pm MT.