CoalfireOne Special Notes

Erica Woods, Associate, Commercial Services, Vulnerability Assessments and Scanning, Coalfire

What are Special Notes and why are they required?

PCI-DSS can be challenging to navigate – particularly when it comes to the ASV scanning requirements. While fulfilling the scanning requirement is easy, obtaining a passing attestation report may involve more than simply remediating failed findings. One requirement that we receive many questions about is Special Notes.

Special Notes are to be used to disclose the presence of certain software or configurations that may pose a risk to the scan customer’s environment due to insecure implementation rather than an exploitable vulnerability. Scan customers must include the following information when submitting Special Notes:

  • Declared business need for the software


  • Scan customer's description of action taken and declaration that software is either implemented securely or removed

How do I know if I have to submit Special Notes?

If your ASV scan requires Special Notes, you will see the following message within the portal:

Click the “incomplete special hosts” link shown in the image below:

The Special Hosts tab will show you which hosts require Special Notes as well as the port and protocol information. Once you click the “Edit Note” tab, you will be able to submit your Special Notes.

How to submit Special Notes correctly

The following is an example of the correct format for submitting Special Notes within the portal:

Key aspects to pay attention to here are:

  • Item Noted,” which will provide you with information on the software type detected 
  • You will need to confirm whether the software is implemented securely by selecting “Yes” or “No”
  • The declaration statement should describe the business need and relevant details, confirming that the software is securely implemented

Once all Special Notes are completed and there are no failed findings for the scan, you will see the following message in the portal:

SLA for Special Notes

Once you have entered and saved all required Special Notes, they are submitted to our ticketing queue. Like disputes, the SLA for Special Notes is five business days. However, we do our best to review and approve them within 24 hours.

When the scan is “Complete/PASS”

You will see the scan in a pass state when all failing vulnerabilities have been remediated/disputed and all completed Special Notes have been approved by a Coalfire ASV.


Special Notes are a requirement per section 7.2 of the PCI DSS ASV Program guide v3.1 and must be submitted and accepted by a Coalfire ASV before you can receive a passing attestation.

Once approved, Special Notes are valid for one year for the specified target IP address and port and will not need to be re-submitted for any additional scan schedules run within the one-year exception period.
As always, your CoalfireOne Scanning Services Team is here to answer any additional questions you may have regarding Special Notes. Contact us via email at; we are available M-F from 6am-6pm MT.

Erica Woods


Erica Woods — Associate, Commercial Services, Vulnerability Assessments and Scanning, Coalfire

Recent Posts

Post Topics



Accounting Agency AICPA Assessment assessments ASV audit AWS AWS Certified Cloud Practitioner AWS Certs AWS Summit bitcoin Black Hat Black Hat 2017 blockchain Blueborne Breach BSides BSidesLV Burp BYOD California Consumer Privacy Act careers CCPA Chertoff CISO cloud CMMC CoalfireOne Compliance Covid-19 credit cards C-Store Culture Cyber cyber attacks Cyber Engineering cyber incident Cyber Risk cyber threats cyberchrime cyberinsurance cybersecurity danger Dangers Data DDoS DevOps DevSecOps DFARS DFARS 7012 diacap diarmf Digital Forensics DoD DRG DSS e-banking Education encryption engineering ePHI Equifax Europe EU-US Privacy Shield federal FedRAMP financial services FISMA Foglight forensics Gartner Report GDPR Google Cloud NEXT '18 government GRC hack hacker hacking Halloween Health Healthcare heartbleed Higher Education HIMSS HIPAA HITECH HITRUST HITRUST CSF Horror Incident Response interview IoT ISO IT JAB JSON keylogging Kubernetes Vulnerability labs LAN law firms leadership legal legislation merchant mobile NESA News NH-ISAC NIST NIST 800-171 NIST SP 800-171 NotPetya NRF NYCCR O365 OCR of P2PE PA DSS PA-DSS password passwords Payments PCI PCI DSS penetration Penetration Testing pentesting Petya/NotPetya PHI Phishing Phising policy POODLE PowerShell Presidential Executive Order Privacy program Ransomware Retail Risk RSA RSA 2019 Safe Harbor Scanning Scans scary security security. SOC SOC 2 social social engineering Spectre Splunk Spooky Spraying Attack SSAE State Stories Story test Testing theft Virtualization Visa vulnerability Vulnerability management web Wifi women XSS