Requirement 6.2: Assign risk ranking to vulnerabilities (Internal scanning)
Reading this blog: https://community.qualys.com/blogs/qualys-tech/2010/10/28/pci-dss-20-published a merchant is to "come up with a risk ranking" based on Industry Best Practice - e.g. CVSS. Also "At minimum there should be process in place to make critical high risk vulnerabilities as "HIGH"."
All CVSS scores (Base, Temporal & Environmental) are defined as a value between 0 and 10.
Is there a clear definition of a 'High' score for CVSS? I heard an opinion that CVSS 4.0 is the dividing line for 'High' risk, but who has defined it, and why not 3.0 or 6.0? Or was it used just as an example? Or is it up to the merchant to define as well? Has anyone come across a widely accepted industry definition of 'High' risk for a CVSS score?
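As an added example (not part of the original post or of the Qualys blog it cites), the block below computes a CVSS v2 base score from a vector string using the weights and equation published in the CVSS v2 specification, and then buckets it with the severity ranges NVD publishes for v2 scores: Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0. The NVD ranges are a fact about NVD's scheme, not something the post states, and the vector strings are constructed sample inputs. Running it shows that, under NVD's mapping, 4.0 is the Low/Medium boundary rather than the threshold for High; a merchant who adopts a different cut-off is choosing its own ranking, which is why the lead-in names the source of each threshold.

```python
"""CVSS v2 base score from a vector string, then bucketed with NVD's v2
severity ranges. Added example; the vectors are constructed, not from the post.
"""
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2 base metric weights, as published in the CVSS v2 specification
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}       # Local / Adjacent / Network
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}    # High / Medium / Low
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}      # Multiple / Single / None
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}              # None / Partial / Complete

# NVD's published severity ranges for CVSS v2 scores (not from the post)
NVD_V2_RANGES = [("High", 7.0), ("Medium", 4.0), ("Low", 0.0)]


def _round1(x: float) -> float:
    """Round to one decimal, half up, as the CVSS v2 equation requires."""
    return float(Decimal(str(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def parse_vector(vector: str) -> dict:
    """Parse 'AV:N/AC:L/Au:N/C:P/I:P/A:P' into a metric -> value dict.

    Raises ValueError on an unknown metric, a missing metric or a bad value.
    """
    allowed = {"AV": ACCESS_VECTOR, "AC": ACCESS_COMPLEXITY, "Au": AUTHENTICATION,
               "C": IMPACT, "I": IMPACT, "A": IMPACT}
    metrics = {}
    for part in vector.strip().strip("()").split("/"):
        name, _, value = part.partition(":")
        if name not in allowed or value not in allowed[name]:
            raise ValueError(f"bad metric {part!r} in vector {vector!r}")
        metrics[name] = value
    missing = set(allowed) - set(metrics)
    if missing:
        raise ValueError(f"vector {vector!r} is missing metrics {sorted(missing)}")
    return metrics


def base_score(vector: str) -> float:
    """CVSS v2 base score equation applied to a vector string."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - IMPACT[m["C"]]) * (1 - IMPACT[m["I"]]) * (1 - IMPACT[m["A"]]))
    exploitability = 20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]]
    if impact == 0:
        return 0.0  # f(Impact) = 0 when there is no impact at all
    f_impact = 1.176
    return _round1(((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact)


def nvd_v2_severity(score: float) -> str:
    """Map a 0-10 score onto NVD's v2 Low / Medium / High ranges."""
    for label, floor in NVD_V2_RANGES:
        if score >= floor:
            return label
    raise ValueError(f"score {score} is outside 0-10")


def rank(vector: str) -> tuple:
    """Return (base score, NVD v2 severity) for a vector string."""
    score = base_score(vector)
    return score, nvd_v2_severity(score)


if __name__ == "__main__":
    # Constructed sample vectors spanning the three NVD v2 buckets
    for v in ("AV:N/AC:L/Au:N/C:C/I:C/A:C",   # remote, unauthenticated, total compromise
              "AV:N/AC:L/Au:N/C:P/I:P/A:P",   # remote, unauthenticated, partial impact
              "AV:N/AC:M/Au:N/C:P/I:N/A:N",   # remote information disclosure only
              "AV:L/AC:L/Au:N/C:N/I:N/A:P"):  # local partial denial of service
        print(v, *rank(v))
```

The point the output makes for the question above: a score is a number, but "High" is a label that some party has to attach to a range of numbers. NVD's ranges are one widely used choice; a merchant that decides 4.0 (or 6.0) is its own line for "High" is making a policy decision, and should record which scheme it adopted so an assessor can check scan results against it.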