How to Fix CVE Vulnerabilities

How to Fix CVE Vulnerabilities Found in Your PCI Scan

Introduction

What You’ll Learn

In this guide, you’ll discover how to identify, understand, and fix CVE vulnerabilities that appear in your PCI compliance scans. We’ll break down the technical jargon into simple terms and provide a clear roadmap for addressing these security issues.

Why This Matters

If you accept credit cards, PCI compliance isn’t optional—it’s mandatory. When your quarterly vulnerability scan flags CVE issues, fixing them quickly protects your business from data breaches, hefty fines, and damaged reputation. More importantly, it keeps your customers’ payment information safe.

Who This Guide Is For

This guide is perfect for small to medium-sized business owners, IT managers, and anyone responsible for PCI compliance who feels overwhelmed by vulnerability scan results. No advanced technical knowledge required—we’ll explain everything in plain English.

The Basics

Core Concepts Explained Simply

CVE (Common Vulnerabilities and Exposures) is like a universal catalog of known security weaknesses in software. Think of it as a public list of “broken locks” that hackers know about. Each CVE has a unique ID number (like CVE-2023-12345) that identifies a specific security problem.

PCI Vulnerability Scans are automated security checkups required every 90 days. These scans look for known vulnerabilities in your systems that could let attackers steal credit card data.

CVSS Scores rate how serious each vulnerability is on a scale of 0-10:

  • 0-3.9: Low severity (like a loose doorknob)
  • 4.0-6.9: Medium severity (like a weak lock)
  • 7.0-8.9: High severity (like a broken door)
  • 9.0-10: Critical severity (like no door at all)

Key Terminology

  • Patch: A software update that fixes security problems
  • False Positive: When a scan incorrectly identifies a problem that doesn’t actually exist
  • Compensating Control: An alternative security measure when you can’t immediately fix a vulnerability
  • ASV (Approved Scanning Vendor): Companies authorized by PCI to perform official compliance scans

How It Relates to Your Business

Every business that processes credit cards must pass quarterly vulnerability scans. If your scan finds CVEs with scores of 4.0 or higher, you’ll fail the scan and risk losing your ability to accept credit cards. Fixing these vulnerabilities keeps your business running and your customers protected.

Why It Matters

Business Implications

Failed PCI scans can lead to:

  • Increased processing fees from your payment provider
  • Suspension of credit card processing abilities
  • Mandatory forensic audits costing $10,000-$100,000
  • Customer lawsuits if a breach occurs
  • Damaged reputation that takes years to rebuild

Risk of Non-Compliance

Beyond the immediate business impacts, unpatched CVEs leave your systems vulnerable to:

  • Data breaches exposing customer payment information
  • Ransomware attacks that can shut down operations
  • Financial theft directly from your accounts
  • Legal liability for negligence

Benefits of Compliance

Maintaining clean vulnerability scans provides:

  • Peace of mind knowing your systems are secure
  • Customer trust in your payment security
  • Lower insurance premiums for cyber liability
  • Competitive advantage over less secure competitors
  • Smoother operations with updated, stable systems

Step-by-Step Guide

What You Need to Get Started

1. Your most recent PCI scan report (PDF or online version)
2. Administrative access to your systems
3. Contact information for your software vendors
4. 2-4 hours of dedicated time
5. Backup systems before making changes

Step 1: Review Your Scan Results

Open your scan report and look for the “Failed” or “Vulnerabilities Found” section. Create a simple spreadsheet with:

  • CVE number
  • CVSS score
  • Affected system/software
  • Description of the issue

Step 2: Prioritize by Severity

Sort your vulnerabilities by CVSS score, addressing them in this order:
1. Critical (9.0-10)
2. High (7.0-8.9)
3. Medium (4.0-6.9)
4. Low (below 4.0 – for best practices)
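The spreadsheet from Step 1 and the sort in Step 2 can be produced directly from the scan export rather than by hand. The following is an added example and not code from the original article or from any scanning vendor; it assumes the ASV report can be exported as CSV with the columns shown, and the finding records and CVE IDs inside it are constructed sample data, not real scan output. It applies the article's four CVSS bands and the 4.0 pass/fail threshold, sorts highest score first, and writes the result back out as a spreadsheet.

```python
"""Triage PCI ASV scan findings (article Steps 1 and 2). Added example.

Assumptions: the scan report exports as CSV with columns
cve,cvss,host,software,description. The sample export below is constructed
data; the CVE IDs are placeholders of the form CVE-YYYY-NNNNN.
"""
import csv
import io

# CVSS bands exactly as the article lists them, highest first.
SEVERITY_BANDS = [
    (9.0, "Critical"),  # 9.0-10
    (7.0, "High"),      # 7.0-8.9
    (4.0, "Medium"),    # 4.0-6.9
    (0.0, "Low"),       # 0-3.9
]

# Any finding at or above this CVSS score fails an ASV scan.
PCI_FAIL_THRESHOLD = 4.0

# Constructed sample export; product names and descriptions are generic on purpose.
SAMPLE_SCAN_EXPORT = """\
cve,cvss,host,software,description
CVE-2023-00001,5.3,web01.example.internal,Web server 2.4.x,Information disclosure
CVE-2023-00002,9.8,pos-gw.example.internal,Payment agent 3.1,Remote code execution
CVE-2023-00003,2.6,web01.example.internal,SSH service 8.x,Version banner leak
CVE-2023-00004,7.5,db01.example.internal,Database server 8.0.x,Denial of service
"""

SPREADSHEET_COLUMNS = ["cve", "cvss", "severity", "fails_pci", "system", "description"]


def severity_label(cvss: float) -> str:
    """Map a CVSS base score (0-10) to the article's severity band."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS score out of range: {cvss}")
    for lower_bound, label in SEVERITY_BANDS:
        if cvss >= lower_bound:
            return label
    raise AssertionError("unreachable: Low band starts at 0.0")


def triage(scan_csv: str) -> list:
    """Parse the export and return one row per finding, highest CVSS first."""
    rows = []
    for rec in csv.DictReader(io.StringIO(scan_csv)):
        score = float(rec["cvss"])
        rows.append({
            "cve": rec["cve"],
            "cvss": score,
            "severity": severity_label(score),
            "fails_pci": score >= PCI_FAIL_THRESHOLD,
            "system": f'{rec["host"]} / {rec["software"]}',
            "description": rec["description"],
        })
    # Critical first, then High, Medium, Low; ties broken by CVE id for a stable order.
    rows.sort(key=lambda r: (-r["cvss"], r["cve"]))
    return rows


def pci_status(rows: list) -> str:
    """Overall scan result: one finding at 4.0 or above is enough to fail."""
    return "FAIL" if any(r["fails_pci"] for r in rows) else "PASS"


def to_spreadsheet(rows: list) -> str:
    """Render the triaged rows as CSV with the Step 1 columns."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=SPREADSHEET_COLUMNS)
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    triaged = triage(SAMPLE_SCAN_EXPORT)
    print(to_spreadsheet(triaged))
    print("Scan status:", pci_status(triaged))
```

The `fails_pci` column separates the findings you must fix to pass the scan from those the article recommends fixing as best practice; keeping both in the same sheet avoids the mistake, noted later in the article, of fixing only the highest scores and losing sight of the rest.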

Step 3: Research Each CVE

For each vulnerability:
1. Search “[CVE number] fix” in Google
2. Visit the software vendor’s security page
3. Check if a patch is available
4. Read any special instructions

Step 4: Plan Your Fixes

Before making changes:

  • Schedule maintenance windows to minimize disruption
  • Notify stakeholders about potential downtime
  • Prepare rollback plans in case issues arise
  • Document current configurations for reference

Step 5: Apply Patches and Updates

For each vulnerable system:
1. Back up the system first
2. Download the appropriate patch
3. Test in a non-production environment if possible
4. Apply the update during your maintenance window
5. Verify the system still functions correctly
6. Document what was changed and when

Step 6: Handle Special Cases

Some vulnerabilities might require:

  • Software upgrades (not just patches)
  • Configuration changes to disable vulnerable features
  • Compensating controls if patches aren’t available
  • System replacement for end-of-life software

Step 7: Rescan and Verify

After fixing vulnerabilities:
1. Wait 24-48 hours for changes to take effect
2. Request a rescan from your ASV
3. Review new results for remaining issues
4. Repeat the process if necessary

Timeline Expectations

  • Initial scan review: 1-2 hours
  • Research and planning: 2-4 hours
  • Applying fixes: 1-8 hours (depending on complexity)
  • Rescan and verification: 24-72 hours
  • Total timeline: 1-2 weeks for most businesses

Common Questions Beginners Have

“Can I just ignore low-scoring CVEs?”

While PCI compliance only requires fixing vulnerabilities scored 4.0 and above, addressing all CVEs is best practice. Low-scoring vulnerabilities can still be exploited and may become more severe over time.

“What if my software vendor hasn’t released a patch?”

Document the situation and implement compensating controls like:

  • Firewall rules to limit access
  • Additional monitoring for suspicious activity
  • Disabling unnecessary features
  • Planning for software replacement

“How do I know if a CVE is a false positive?”

False positives occur when:

  • The vulnerable feature is disabled
  • The scan misidentifies your software version
  • Your configuration prevents exploitation

Work with your ASV to dispute false positives with proper documentation.
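Two of the three false-positive causes above (a disabled feature, a misidentified version) can be screened mechanically against your own software inventory before you open a dispute. The following is an added example, not code from the article or from any ASV; the inventory, findings, host names and CVE IDs are constructed placeholders, and the "fixed in" version for each CVE is assumed to come from the vendor's security bulletin (Step 3). Each finding is sorted into "dispute" (with the evidence sentence to send the ASV), "fix", or "review".

```python
"""Screen scan findings for false-positive candidates. Added example.

Assumptions: you maintain an inventory of installed versions and enabled
features per host, and the vendor bulletin states the version that fixes
each CVE. All data below is constructed; CVE IDs are placeholders.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Finding:
    cve: str
    host: str
    product: str
    reported_version: str      # what the scanner inferred, often from a banner
    fixed_in: str              # version the vendor bulletin says contains the fix
    feature: Optional[str]     # feature the CVE depends on, or None


# Constructed inventory: (host, product) -> installed version and enabled features.
INVENTORY = {
    ("web01", "webserver"): {"version": "2.4.58", "features_enabled": {"tls", "static"}},
    ("db01", "database"): {"version": "8.0.30", "features_enabled": {"replication"}},
}

# Constructed findings as a scanner might report them.
SAMPLE_FINDINGS = [
    Finding("CVE-2023-00010", "web01", "webserver", "2.4.x", "2.4.50", "cgi"),
    Finding("CVE-2023-00011", "web01", "webserver", "2.4", "2.4.50", None),
    Finding("CVE-2023-00012", "db01", "database", "8.0.30", "8.0.34", None),
    Finding("CVE-2023-00013", "legacy01", "fileserver", "1.0", "1.2", None),
]


def version_tuple(version: str) -> Tuple[int, ...]:
    """'2.4.58' -> (2, 4, 58) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def classify(finding: Finding, inventory: dict) -> Tuple[str, str]:
    """Return (action, reason) where action is 'dispute', 'fix' or 'review'."""
    actual = inventory.get((finding.host, finding.product))
    if actual is None:
        # No inventory record means no evidence either way; fix the inventory first.
        return ("review", f"{finding.host}/{finding.product} is not in the software inventory")

    if finding.feature is not None and finding.feature not in actual["features_enabled"]:
        # The vulnerable feature is disabled: a documented dispute, though the
        # article still recommends patching as best practice.
        return ("dispute", f"feature '{finding.feature}' is disabled on {finding.host}")

    installed = actual["version"]
    if version_tuple(installed) >= version_tuple(finding.fixed_in):
        # Scanner misidentified the version (e.g. truncated banner).
        return ("dispute",
                f"installed {installed} is at or above fixed version {finding.fixed_in}; "
                f"scanner reported '{finding.reported_version}'")

    # Installed version predates the fix: this one is real.
    # Note: some vendors backport fixes without raising the version number; that
    # case needs the vendor's bulletin as evidence and is not detected here.
    return ("fix", f"installed {installed} is below fixed version {finding.fixed_in}")


def screen(findings, inventory: dict) -> dict:
    """Classify every finding; keys are CVE ids, values are (action, reason)."""
    return {f.cve: classify(f, inventory) for f in findings}


if __name__ == "__main__":
    for cve, (action, reason) in screen(SAMPLE_FINDINGS, INVENTORY).items():
        print(f"{cve}: {action:8s} {reason}")
```

The reason string is the documentation the article says a dispute needs; keep it with the spreadsheet row so the rescan request and the ASV dispute refer to the same evidence.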

“Will updating break my systems?”

While possible, it’s rare. Minimize risks by:

  • Reading update notes carefully
  • Testing in non-production first
  • Having backups ready
  • Scheduling updates during low-usage times

Mistakes to Avoid

Common Beginner Errors

1. Ignoring scan results until the last minute
2. Applying patches without backups first
3. Fixing only the highest scores while ignoring patterns
4. Not documenting changes for future reference
5. Using outdated or pirated software that can’t be patched

How to Prevent Them

  • Set calendar reminders for quarterly scans
  • Establish a patching routine (monthly is ideal)
  • Maintain software inventory with version numbers
  • Create standard procedures for updates
  • Budget for software licenses and upgrades

What to Do If You Make Them

Everyone makes mistakes. If you:

  • Broke something while patching: Restore from backup and try again more carefully
  • Missed your scan deadline: Contact your payment processor immediately
  • Can’t fix a vulnerability: Document why and implement compensating controls
  • Feel overwhelmed: Consider hiring professional help

Getting Help

When to DIY vs. Seek Help

Do it yourself when:

  • You have fewer than 10 CVEs to fix
  • Most are simple software updates
  • You have basic IT knowledge
  • You have time to learn

Seek professional help when:

  • You have 20+ vulnerabilities
  • Critical systems are affected
  • You lack technical staff
  • Compliance deadlines are tight

Types of Services Available

1. Managed Security Providers: Full-service vulnerability management
2. IT Consultants: One-time fixing and guidance
3. Patch Management Services: Automated update systems
4. PCI Compliance Specialists: Expert guidance through the process

How to Evaluate Providers

Look for:

  • PCI expertise specifically (not just general IT)
  • References from similar businesses
  • Clear pricing without hidden fees
  • Ongoing support options
  • Education so you understand what they’re doing

Next Steps

What to Do After Reading

1. Run a vulnerability scan if you haven’t recently
2. Create your CVE spreadsheet from the results
3. Start with one high-priority fix to build confidence
4. Set up a regular patching schedule
5. Document your process for next time

Related Topics to Explore

  • Understanding PCI DSS requirements
  • Network segmentation for compliance
  • Security awareness training
  • Incident response planning
  • Choosing the right SAQ type

Resources for Deeper Learning

  • PCI Security Standards Council website
  • Your ASV’s knowledge base
  • Software vendor security bulletins
  • NIST National Vulnerability Database
  • PCICompliance.com learning center

FAQ

Q: How often do new CVEs appear that affect my business?
A: New CVEs are published daily, but only a fraction affect your specific systems. Expect to see 5-20 new relevant CVEs per quarter, depending on your software portfolio.

Q: Can I fix CVEs myself without IT expertise?
A: Yes, many CVEs simply require clicking “update” in your software. However, complex server vulnerabilities may need IT assistance. Start with the simple ones to build confidence.

Q: What’s the deadline for fixing CVEs after a failed scan?
A: PCI requires passing a clean scan within 90 days of your last passing scan. Most payment processors allow 30 days to fix issues and rescan after a failure.

Q: Do I need to fix CVEs on internal systems not facing the internet?
A: If these systems are part of your cardholder data environment (CDE), yes. PCI compliance covers all systems that store, process, or transmit card data, regardless of internet exposure.

Q: What if fixing a CVE requires expensive software upgrades?
A: Document the cost and timeline for upgrades, implement compensating controls in the meantime, and work with your acquirer on a remediation plan. Budget for necessary upgrades to avoid future issues.

Q: How do I know which systems are in scope for PCI scanning?
A: Any system that handles credit card data or can access systems that do is in scope. This includes web servers, payment terminals, computers accessing payment data, and supporting infrastructure like firewalls.

Conclusion

Fixing CVE vulnerabilities doesn’t have to be overwhelming. By breaking the process into manageable steps and addressing issues systematically, you can maintain PCI compliance and protect your business. Remember, each vulnerability you fix makes your business more secure and your customers’ data safer.

Start with your highest-priority vulnerabilities today. Even fixing one critical CVE significantly improves your security posture. With regular attention and the right approach, managing vulnerabilities becomes a routine part of running a secure business.

Ready to simplify your PCI compliance journey? Try our free PCI SAQ Wizard tool at PCICompliance.com to determine which Self-Assessment Questionnaire (SAQ) you need and start building a comprehensive compliance strategy. Our tools and expert guidance have helped thousands of businesses achieve and maintain PCI DSS compliance affordably and efficiently. Don’t let CVEs and compliance requirements slow down your business—let us help you stay secure and compliant with confidence.
