I ran a PCI Compliance Scan on a site and it came up with 25 Level 1s and 2 Level 2s. I know enough about PCI to know that Level 1 and Level 2 findings will still allow you to pass the test, but I wanted to knock these down a bit.
Is this task a reasonable request of my server admin?
The reason I ask is because when I started to ask them to help with knocking these down, I got this response:

"Level 1 issues are not vulnerabilities at all; they are informational in nature and tell you things like the day your SSL expires or the fact that the server listens for email connections. They are not something that can be resolved."
I have hired people in the past to make sites for me that were completely clean of warnings, comments, everything, so the site would pass and be completely compliant, so I just cannot seem to wrap my head around the answer above.
Am I off base in that thinking?
Any help or advice on this would be much appreciated.