Which one should I be using for PCI? I'm a little confused on the meaning of both since they seem to have different scores when I look at a report.
You should use the CVSS Base Score for PCI.
The Base score is one that does not change and it is the CVSS score you should use for PCI compliance.
The Temporal score is one that can change over time. The reason for this is the threat can change as time passes. An example might be the existence of exploit code, which might increase the temporal score. Three things that might change the temporal score:
2. How easily is the vulnerability remediated (Remediation Level)
3. Report Confidence - Is the vulnerability unconfirmed, uncorroborated, or confirmed?
If you are using the QualysGuard PCI, simply look for the vulnerabilities with the "FAIL" flag (on the Vulnerabilities screen) next to them in the title. Those are the ones that need to be remediated for PCI compliance. You can even sort by that flag in the tool to just see the vulnerabilities that are failing.
Further, a great resource for more information can be located here: http://www.first.org/cvss/cvss-guide.html#i2.1
Thank you, sir. You've been very helpful.