Dispute Reasons

Before you submit your Tenable PCI ASV attestation for review, you may want to dispute detected failures in the Tenable PCI ASV scan. When you dispute a failure, you must select an appropriate reason and provide an explanation.

When filing a Tenable PCI ASV dispute, you can select one of the following reasons:

  1. False Positive
  2. Compensating Controls
  3. Exception

False Positive

Even after you have patched or otherwise remediated every reported vulnerability as the PCI DSS requires, the scan report can still contain a failure that does not apply to the host. False positives commonly occur when a vendor ships a fix as a backported patch: the fix is installed, but the service banner still advertises the old version number, so a banner-based check flags the host as unpatched. Rapid, vendor-specific update cycles can produce the same effect.

For example, a scan may report that a critical patch is missing from a host when the patch is in fact installed. To dispute such a finding, upload proof of the false positive: a screen capture, a configuration file, or other supporting data. The evidence should show the installed fix itself (for instance, package version and changelog output from the host), not just the banner the scanner saw, and it must be accompanied by a description of when, where, and how it was obtained.
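The following script is an added example and is not part of Tenable's documentation or tooling. It shows one way to produce the kind of evidence described above for a backported patch: it looks for the disputed CVE identifier in the installed package's changelog and wraps the matching lines in a record that states when, where, and how they were obtained. The package name, the CVE identifier (`CVE-XXXX-XXXXX` is a placeholder, not a real ID) and the changelog text are constructed sample input so the script runs offline; on a real host you would feed it the output of `changelog_for`.

```shell
#!/bin/sh
# Added example (not Tenable's code). Builds a timestamped evidence record
# for a false-positive dispute about a backported patch. All package names,
# CVE identifiers and changelog text below are placeholders/constructed.

# changelog_for PKG
# Prints the installed package's changelog on RPM- or Debian-based hosts.
# On a real host, pass its output to evidence_record; the demo below uses
# a constructed changelog instead so it runs anywhere.
changelog_for() {
    pkg="$1"
    if command -v rpm >/dev/null 2>&1; then
        rpm -q --changelog "$pkg"
    elif [ -r "/usr/share/doc/$pkg/changelog.Debian.gz" ]; then
        zcat "/usr/share/doc/$pkg/changelog.Debian.gz"
    else
        return 1
    fi
}

# backport_lines CVE CHANGELOG_TEXT
# Prints the changelog lines that cite the CVE; exit status 1 if none do.
backport_lines() {
    printf '%s\n' "$2" | grep -F -- "$1"
}

# evidence_record CVE PKG CHANGELOG_TEXT
# Emits a record answering when/where/how, followed by the matching lines.
# Exit status 1 when the changelog does not cite the CVE, i.e. the finding
# is probably not a false positive and should be remediated instead.
evidence_record() {
    cve="$1"; pkg="$2"; text="$3"
    matches=$(backport_lines "$cve" "$text") || return 1
    printf 'when:  %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    printf 'where: %s\n' "$(uname -n)"
    printf 'how:   rpm -q --changelog %s | grep -F %s (or the Debian changelog)\n' "$pkg" "$cve"
    printf 'package: %s\n' "$pkg"
    printf 'matching changelog lines:\n%s\n' "$matches"
}

# Constructed sample (not real vendor data): the backported fix appears in
# the changelog while the version string a banner check sees is unchanged.
SAMPLE_PKG='examplepkg'
SAMPLE_CVE='CVE-XXXX-XXXXX'   # placeholder identifier
SAMPLE_CHANGELOG='* Mon Jan 01 2024 Example Maintainer <maint@example.com> - 1.0.2-3
- backport upstream fix for CVE-XXXX-XXXXX
* Mon Dec 04 2023 Example Maintainer <maint@example.com> - 1.0.2-2
- rebuild'

# Demo: print the evidence record for the constructed sample.
evidence_record "$SAMPLE_CVE" "$SAMPLE_PKG" "$SAMPLE_CHANGELOG"
```

The record is deliberately self-describing so that a reviewer can reproduce it: the `how` line is the exact command to rerun on the host, and the timestamp and hostname cover the "when" and "where" the dispute form asks for.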

Compensating Controls

Compensating controls may be considered for most PCI DSS requirements when, due to legitimate technical or documented business constraints, you cannot meet a requirement as stated, but you can sufficiently mitigate the risk the requirement addresses through other, compensating, controls.

Compensating controls must satisfy the following criteria:

  • They must meet the intent and rigor of the original PCI DSS requirement.
  • They must provide a similar level of defense as the original PCI DSS requirement, such that the compensating control sufficiently offsets the risk that the original PCI DSS requirement was designed to defend against.
    Tip: You can check the Guidance Column for the intent of each PCI DSS requirement in the Payment Card Industry (PCI) Data Security Standard specification document.
  • They must go "above and beyond" other PCI DSS requirements. Simply being compliant with other PCI DSS requirements does not constitute a compensating control.

For example, if you are unable to render cardholder data unreadable per Requirement 3.4 (for example, by encryption), a compensating control could consist of a device or combination of devices, applications, and controls that address all of the following:

  • internal network segmentation
  • IP address or MAC address filtering
  • one-time passwords

Note: The Payment Card Industry (PCI) Data Security Standard specification document provides a compensating controls worksheet in Appendix C.

Exception

You can also dispute a failure that is neither a false positive nor covered by a compensating control. Such an exception must be supported by evidence that the failure poses no risk to the Cardholder Data Environment (CDE). Common exceptions include a disputed CVSS base score (for example, where the score the scan assigned differs from the vendor's published score) and PCI ASV scans that could not be completed because a device such as an intrusion prevention system interfered with the scan.