Disputes
In a PCI ASV (Approved Scanning Vendor) attestation, the dispute process is the formal mechanism used to address scan failures that a customer believes are inaccurate or mitigated. Because a passing PCI report requires all vulnerabilities with a CVSS score of 4.0 or higher to be resolved, disputes allow you to justify why certain findings should not prevent a "Pass" status.
The primary goal of a dispute is to provide a technical and business justification for a scan failure, which is then reviewed and either accepted or rejected by an ASV-certified security engineer.
The most common reasons for creating a dispute include:
- False Positives: The scanner incorrectly identified a vulnerability that does not actually exist on the target asset (e.g., a version-based check that does not account for a backported security patch).
- Compensating Controls: A vulnerability exists, but the risk is mitigated by other security measures already in place (e.g., a web application firewall (WAF) that blocks the specific attack vector).
- Disputed Severity: You believe the CVSS score assigned to a finding is incorrect based on the specific configuration of your environment.
Manage Disputes
After you create a dispute, you can edit, clone, or delete the dispute as needed. For more information, see Manage Disputes.