Qualys: On Demand Security

QualysGuard PCI FAQs

About the PCI DSS

Getting Certified with the PCI Compliance Service

About the PCI Compliance Service

About the PCI DSS

What is PCI?

The Payment Card Industry (PCI) Data Security Standard details security requirements for members, merchants, and service providers that store, process or transmit cardholder data. To demonstrate compliance with the PCI Data Security Standard, merchants and service providers may be required to validate and conduct a network security scan on a regular basis as defined by the PCI Security Standards Council.

Network Security Scans are an indispensable tool to be used in conjunction with a vulnerability management program. Scans help identify vulnerabilities and misconfigurations of web sites and IT infrastructures containing externally facing IP addresses.

Scan results provide valuable information that supports efficient patch management and other security measures that improve protection against Internet hacking.

Who has to comply?

Network Security Scans apply to all merchants and service providers with external-facing IP addresses that collect, process or transmit payment account information. However, even if an entity does not offer web-based transactions, there are other services that make systems Internet accessible. Basic functions such as email and employee Internet access will result in the Internet-accessibility of a company's network. These seemingly insignificant paths to and from the Internet can provide unprotected pathways into merchant and service provider systems and can potentially expose cardholder data if not properly controlled.

What is an Approved Scanning Vendor?

All PCI scans must be conducted by a third party compliant network security scanning vendor, selected from the list of approved vendors at https://www.pcisecuritystandards.org/. All compliant scanning vendors are required to conduct scans in accordance with a defined set of procedures. These procedures dictate that the normal operation of the customer environment is not to be impacted and that the vendor should never penetrate or alter the customer environment.

What are the certification levels and what do they mean?

Information about merchant levels and service provider levels can be found at https://www.pcisecuritystandards.org/.

Who needs to get external auditors for certification?

External auditors are required for annual audits of level 1 merchants and level 1 & 2 service providers. More information can be found at https://www.pcisecuritystandards.org/.

What is the difference between a Qualified Security Assessor and an Approved Scanning Vendor?

Qualified Security Assessors (QSA) are authorized to perform annual audits for merchants and service providers to document compliance with PCI. Approved Scanning Vendors (ASV) are authorized to perform the quarterly scans to show compliance with the PCI Data Security Standard. Several qualified security assessors incorporate approved scanning vendors into their solution.

Getting Certified with the PCI Compliance Service

How does the PCI Compliance Service help me to get certified?

Our company is certified as a PCI Approved Scanning Vendor (ASV) to help merchants and their consultants validate and achieve compliance with the PCI Data Security Standard. The PCI Compliance Service is an on demand compliance testing and reporting service. Using the service, merchants can run PCI compliance scans, complete PCI self assessment questionnaires and submit compliance reports directly to acquiring banks. Our on demand delivery model makes the PCI Compliance Service available anytime from any browser, without software to install or maintain.

What is the process to use the PCI Compliance Service for certification?

Read "Getting Started with the PCI Compliance Service" to learn how to use the PCI Compliance Service for achieving compliance with the PCI Data Security Standard. The getting started guide is available for download from http://www.qualys.com/products/qg_suite/pci/.

How often do I need to scan?

A network security scan must be completed every 90 days by an approved PCI scanning vendor. Our company is a PCI approved scanning vendor (ASV). To achieve a compliant network status using our PCI Compliance Service, all hosts must be scanned during the best practice scanning period, and no PCI vulnerabilities may be found by the scans during this period. The PCI Compliance Service defines the best practice scanning period as the 30 days prior to the current day. Using the Compliance Service, you can scan your network in segments and remediate and re-scan target IPs for vulnerabilities. Segmented scanning allows you to scan the hosts you have remediated without having to scan your entire network.

What IP addresses do I scan?

All external IP addresses must be scanned for PCI compliance.

The document PCI DSS Security Scanning Procedures describes in detail the scope of PCI security scanning required for PCI compliance. The latest version of this document can be found at the PCI Security Standards Council's web site: https://www.pcisecuritystandards.org/pdfs/pci_scanning_procedures_v1-1.pdf.

In this document, the section called "Scope of PCI Security Scanning" starting on page 1 states the following:

"The PCI requires all Internet-facing IP addresses to be scanned for vulnerabilities. If active IP addresses are found that were not originally provided by the customer, the ASV must consult with the customer to determine if these IP addresses should be in scope. In some instances, companies may have a large number of IP addresses available while only using a small number for card acceptance or processing. In these cases, scan vendors can help merchants and service providers define the appropriate scope of the scan required to comply with the PCI. In general, the following segmentation methods can be used to reduce the scope of the PCI Security Scan.

Merchants and service providers have the ultimate responsibility for defining the scope of their PCI Security Scan, though they may seek expertise from ASVs for help. If an account data compromise occurs via an IP address or component not included in the scan, the merchant or service provider is responsible."

How do I configure my IPS to allow the PCI scans?

As per the requirements in the PCI scanning procedure specifications, an IPS must be set to not block a scan. The service provides multiple scanners for external (perimeter) scanning, located at the Security Operations Center (SOC) that is hosting the PCI Compliance Service. The scanner IP addresses are 62.26.76.0/24 (62.26.76.1-62.26.76.254), 62.210.136.128/25 (62.210.136.129-62.210.136.254), 64.39.96.0/20 (64.39.96.1-64.39.111.254), and 167.216.252.0/26 (167.216.252.1-167.216.252.62). Depending on your network, it may be necessary to add the scanner IPs to your list of trusted IPs, so the service can send probes to the IP addresses in your account during scan processing.
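The four scanner ranges above are given both as CIDR blocks and as first/last addresses. The following added example (not code from the FAQ or from the service) cross-checks that the two notations agree, produces the CIDR list an IDS/IPS trusted-source entry usually needs, and sorts constructed IDS alert lines into scans coming from the published ASV ranges versus scans from anywhere else; the function names, the alert format and the sample lines are assumptions made for the example.

```python
"""Work with the PCI scanner source ranges listed in the FAQ.

The four ranges are the ones stated in the FAQ. Everything else here (function
names, alert log format, sample lines) is constructed for this example.
"""
import ipaddress
import re

# Scanner ranges as given in the FAQ: CIDR block and the first/last host it spans.
SCANNER_RANGES = {
    "62.26.76.0/24": ("62.26.76.1", "62.26.76.254"),
    "62.210.136.128/25": ("62.210.136.129", "62.210.136.254"),
    "64.39.96.0/20": ("64.39.96.1", "64.39.111.254"),
    "167.216.252.0/26": ("167.216.252.1", "167.216.252.62"),
}

NETWORKS = [ipaddress.ip_network(cidr) for cidr in SCANNER_RANGES]


def cidr_matches_listed_hosts():
    """Cross-check the two notations the FAQ gives: the first and last usable
    host of each CIDR block must equal the listed start and end addresses."""
    for cidr, (first, last) in SCANNER_RANGES.items():
        hosts = list(ipaddress.ip_network(cidr).hosts())
        if str(hosts[0]) != first or str(hosts[-1]) != last:
            return False
    return True


def is_asv_scanner(ip):
    """True when `ip` falls inside one of the published scanner ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NETWORKS)


def allowlist_entries():
    """The scanner ranges in CIDR form, the usual input for an IDS/IPS
    trusted-source list (what the FAQ calls the list of trusted IPs)."""
    return sorted(str(net) for net in NETWORKS)


# Constructed IDS alert lines; only the src= field is parsed.
SAMPLE_ALERTS = [
    "2024-01-05T10:00:01Z ALERT portscan src=64.39.100.17 dst=203.0.113.10",
    "2024-01-05T10:00:07Z ALERT portscan src=198.51.100.77 dst=203.0.113.10",
    "2024-01-05T10:01:12Z ALERT portscan src=167.216.252.40 dst=203.0.113.11",
]

SRC_RE = re.compile(r"\bsrc=(\d{1,3}(?:\.\d{1,3}){3})")


def triage(lines):
    """Split alert source addresses into those inside the ASV ranges (expected
    while a PCI scan is running) and those from anywhere else (need review)."""
    expected, unexpected = [], []
    for line in lines:
        match = SRC_RE.search(line)
        if not match:
            continue
        src = match.group(1)
        (expected if is_asv_scanner(src) else unexpected).append(src)
    return expected, unexpected


if __name__ == "__main__":
    print("ranges consistent:", cidr_matches_listed_hosts())
    print("trusted entries:", allowlist_entries())
    print("asv / other:", triage(SAMPLE_ALERTS))
```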

The document PCI DSS Security Scanning Procedures describes in detail the scanning procedures required for PCI compliance. The latest version of this document can be found at the PCI Security Standards Council's web site: https://www.pcisecuritystandards.org/pdfs/pci_scanning_procedures_v1-1.pdf.

Your network protection systems should be configured to not interfere with the vulnerability scanning, as described in the document referenced above. In this regard, the section "Scanning Procedures" item 13 states the following:

"Arrangements must be made to configure the intrusion detection system/intrusion prevention system (IDS/IPS) to accept the originating IP address of the ASV. If this is not possible, the scan should be originated in a location that prevents IDS/IPS interference."

Security scanning procedures are outlined as part of the PCI Data Security Standard. Supporting documents published by the PCI Security Standards Council can be found at: https://www.pcisecuritystandards.org/tech/supporting_documents.htm

What about my Firewalls?

Firewall configurations do not need to be changed.

Who needs to complete the self assessment questionnaire?

All merchants at level 2, 3 and 4 and all service providers at level 3 must complete a PCI self assessment questionnaire (SAQ) on an annual basis. Level 4 merchants should contact their acquiring banks for requirements. Note: In Canada, for Visa, merchants must have their SAQ validated by a PCI qualified security assessor (QSA) prior to submitting the SAQ to acquiring banks.

About the PCI Compliance Service

How do I log into the PCI Compliance Service?

When your PCI Merchant account is created, you will receive a registration email. In the body of this email you will find the URL to the PCI Merchant application and a secure link to your account credentials. With your login and password, log into the service at the URL provided and you will be directed to your Home page.

How do I change my user login?

At account creation time, you are assigned a user login for the PCI Merchant application. You can change your user login at any time. To do so, select Account->Users on the left menu. Identify your own user account (it will be in bold) and click Edit. Then select the "Change User Login" link. Enter your current login in the field provided and then a new login in the "New User Login" field. Note that your user login must be unique to the PCI Merchant application, and must include the @ character, such as john@qualys. After saving your new user login, log back into the service.

Why do I get an "Invalid credentials" error?

This error means that the user login and password you entered when logging into the PCI Compliance Service did not match the information stored at our Security Operations Center (SOC). Please check that the information you entered is correct. Note that user logins and passwords are case sensitive, so make sure Caps Lock is turned off.

If you do not know your password, the service provides methods for requesting a new password. You can click the "Forgot Password" link on the Login page to have a new password automatically generated. After providing your user login, you will receive an email with a link to your new credentials. Alternatively, you can contact another user in your account and request that they reset your password through the PCI Compliance application. To reset another user's password, go to the Users list (Account->Users) and select Edit to edit the account for the user who is requesting a new password. On the Edit User page, select the "Reset Password" link. A new password is automatically generated for the user's account and an email with login instructions is sent to the user.

If you do not know your user login, contact another user in your account and request that they look it up for you. To do this, the other user can go to the Users list (Account->Users) and select Edit to edit your account. On the Edit User page, your username is displayed.

If you need additional help, email Customer Support at support@qualys.com.

Why do I get an error stating "The subscription to which this user belongs is expired"?

This error means that the user login and password you entered when logging into the PCI Compliance Service belong to a user whose subscription has expired. If your subscription has multiple users and you are not the primary contact for the subscription, we recommend that you first consult the primary contact. The primary contact user appears in bold on the Users list (Account->Users). If you would like to activate your subscription, please contact your sales representative or Customer Support. You can email Customer Support at support@qualys.com.

How do I reset my password?

At account creation time, the PCI Compliance Service provides a randomly generated "strong" password for your account. You can change your password at any time. To do so, select Account->Users from the left menu. Identify your own user account (it will be in bold) and click Edit. Then select the "Change Password" link. Enter your current password in the field provided and then a new password in the "New Password" field. Your password must be a minimum of 6 characters and must include a mixture of alpha and numeric characters. After saving your new password, log back into the service.

How do I start a questionnaire?

The PCI self assessment questionnaire is available online through the PCI Compliance Service's web application. To start a new questionnaire, select Questionnaires->New Questionnaire from the left menu. You must answer all questions in the questionnaire in order to submit it to your acquiring bank.

How many IP addresses can I scan with my account?

All IP addresses in your account may be scanned. To view the IPs in your account, go to Account->IP Assets. You may add IPs up to the limit defined for your account. The maximum number of IPs allowed in your account can be viewed by selecting Account->Settings on the left menu, and then scrolling down to the Subscription Information section.

How do I purchase additional IP addresses to scan?

To purchase additional IP addresses to scan, please contact your sales representative.

How do I remove IP addresses from my account?

Contact Customer Support to remove IP addresses from your account. To do this, simply log into the PCI Compliance Service, and select Contact Support from the left menu. On the page provided you may send an email request to Customer Support.

How do I launch a PCI scan?

To launch a PCI scan, log into the PCI Compliance Service and select Network->New Scan from the left menu (or click Start a Scan on the Home page). Next, supply a title for the scan in the Title field and select a bandwidth level from the Bandwidth menu. It's recommended that you keep the default bandwidth level of Medium. Identify the IPs you want to scan in the Target IPs section. The All IPs option is selected by default, meaning that all IPs in your account will be scanned. You may choose the Select IPs option to scan a limited number of IPs. After specifying your scan target, click "OK" to start the scan.

Optionally, you can schedule the scan to start at a later time. To do so, select the Schedule for Later option and then specify the start date (month, day and year) and start time (hours and minutes). Also select your local time zone. You may enter any date/time within the next 90 days.

Can I modify any of the scan settings?

Underlying scan settings have been optimized to test compliance with the PCI Data Security Standard. There is one user-configurable scan performance setting — Bandwidth Level — which affects overall scan performance. Several bandwidth levels are provided, and each level represents multiple settings. It's recommended that you keep the default bandwidth level Medium to get started. You can select another level when you launch or schedule a scan. See the online help for descriptions of the various bandwidth levels and their settings.

How do I view scan results?

The Scans page lists all running and completed scans. To see this page, select Network->Scan Results from the left menu. From this list, you can search and view scan tasks, view detected vulnerabilities that must be fixed to achieve PCI compliance, and download the scan results. In the Scan Results report, the Detailed Results section shows all vulnerabilities detected by the service (not limited to vulnerabilities that must be fixed to achieve PCI compliance).

What PCI network reports are provided?

The service provides two PCI network reports — PCI Executive Report and PCI Technical Report. The PCI reports provide similar information suitable for different workflows. The PCI Executive Report is used to submit to the acquiring bank to document PCI compliance. This report provides summary level information only. The PCI Technical Report is used to identify vulnerabilities and prioritize remediation. For this reason, the PCI Technical Report includes technical details to assist with remediation. To create the PCI network reports, select Network->Compliance Status from the left menu and then click "Generate".

What criteria cause a Passed or Failed compliance status in my PCI reports?

The PCI Compliance Service produces reports that include an overall PCI compliance status of Passed or Failed. An overall PCI compliance status of Passed indicates that all hosts in the report passed the PCI DSS compliance standards set by the PCI Council. A host compliance status is provided for each host. A PCI compliance status of Passed for a single host/IP indicates that no vulnerabilities or potential vulnerabilities, as defined by the PCI DSS compliance standards set by the PCI Council, were detected on the host. The criteria used to calculate a passed or failed compliance status can be found at http://www.qualys.com/products/pci/qgpci/pass_fail_criteria/.
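The following added example (not the service's own logic) applies the two rules stated in this FAQ, the 30-day best practice scanning period from "How often do I need to scan?" and the per-host and overall Passed/Failed criteria above, to a constructed set of scan records. The host addresses, dates, finding labels and the assumption that the latest scan of a host inside the window is the one that counts (consistent with segmented re-scanning) are all made up for the example.

```python
"""Evaluate the Passed/Failed rule from the FAQ over constructed scan records.

Rule as stated: every host in the account must have been scanned within the
best practice period (the 30 days before the current day), a host passes only
if that scan found no PCI vulnerabilities or potential vulnerabilities, and
the overall status is Passed only when every host passes. Example code only;
hosts, dates and finding labels are constructed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

BEST_PRACTICE_DAYS = 30  # best practice scanning period given in the FAQ


@dataclass
class ScanResult:
    host: str
    scanned_on: date
    # Findings that must be fixed to pass PCI (vulnerabilities and potential
    # vulnerabilities). Findings the service merely recommends fixing are
    # left out because they do not affect the status.
    pci_findings: list = field(default_factory=list)


def host_status(host, results, today):
    """Return 'Passed', 'Failed' or 'Not scanned' for one host.

    Assumption: when a host was scanned more than once inside the window
    (segmented re-scans after remediation), the latest scan counts."""
    window_start = today - timedelta(days=BEST_PRACTICE_DAYS)
    in_window = [r for r in results
                 if r.host == host and window_start <= r.scanned_on <= today]
    if not in_window:
        return "Not scanned"
    latest = max(in_window, key=lambda r: r.scanned_on)
    return "Passed" if not latest.pci_findings else "Failed"


def overall_status(account_hosts, results, today):
    """Passed only when every host in the account has a passing scan inside
    the window; a host with no scan in the window fails the whole account."""
    statuses = {h: host_status(h, results, today) for h in account_hosts}
    passed = all(s == "Passed" for s in statuses.values())
    return ("Passed" if passed else "Failed"), statuses


# Constructed scenario: three hosts, evaluated on a fixed "current day".
SAMPLE_TODAY = date(2024, 3, 31)
SAMPLE_HOSTS = ["203.0.113.10", "203.0.113.11", "203.0.113.12"]
SAMPLE_RESULTS = [
    # .10: failed on the 10th, remediated and re-scanned clean on the 20th
    ScanResult("203.0.113.10", date(2024, 3, 10), ["placeholder-finding-1"]),
    ScanResult("203.0.113.10", date(2024, 3, 20)),
    # .11: last clean scan is 45 days old, outside the 30-day window
    ScanResult("203.0.113.11", date(2024, 2, 15)),
    # .12: scanned inside the window but one PCI finding is still open
    ScanResult("203.0.113.12", date(2024, 3, 25), ["placeholder-finding-2"]),
]


def demo():
    """Evaluate the scenario as-is, then again after .11 and .12 have been
    re-scanned clean on the 30th. Returns both overall statuses."""
    before, _ = overall_status(SAMPLE_HOSTS, SAMPLE_RESULTS, SAMPLE_TODAY)
    rescans = [ScanResult("203.0.113.11", date(2024, 3, 30)),
               ScanResult("203.0.113.12", date(2024, 3, 30))]
    after, _ = overall_status(SAMPLE_HOSTS, SAMPLE_RESULTS + rescans, SAMPLE_TODAY)
    return before, after


if __name__ == "__main__":
    print(overall_status(SAMPLE_HOSTS, SAMPLE_RESULTS, SAMPLE_TODAY))
    print(demo())
```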

Where can I view my overall PCI compliance status?

You can view the current PCI compliance status for your network and its hosts on the Compliance Status page by selecting Network->Compliance Status. The Compliance Status chart at the top of the page displays the current compliance status of your entire network, including all hosts. The Host Status list at the bottom of the page displays the current compliance status for hosts in your account.

What if I fail the PCI Compliance Service's validation?

You can view a list of detected vulnerabilities and potential vulnerabilities by selecting Network->Vulnerabilities on the left menu. All detected vulnerabilities are listed, including vulnerabilities that must be fixed to pass PCI compliance as well as vulnerabilities that we recommend that you fix. For each vulnerability you can view detailed information for remediation so that you can quickly fix and eliminate the vulnerability.

After remediation, run another PCI scan and check your overall compliance status. Repeat these steps until the overall PCI compliance status is "Compliant".

What do I do if I pass the PCI Compliance Service's validation?

You can check your overall compliance status on the Compliance Status page by selecting Network->Compliance Status. If your overall PCI compliance status is "Compliant", then you are ready to generate, save and submit network reports. To do so, click the "Generate" icon and provide report information to be submitted to your acquiring banks. Then click the "Generate" button to generate PCI network reports. Review the reports and click "Save & Submit" to save the reports in your account and submit the PCI Executive Report electronically to banks in your account.

For other banks without electronic submission enabled, you need to download and print the PCI Executive Report and then send it manually via mail. Saved network reports appear on the Submitted Reports list in your account.

What report do I send to my acquiring banks?

The PCI Executive Report is appropriate for submission to your acquiring banks. To meet PCI compliance, the PCI Executive Report must indicate an overall PCI compliance status of Passed. This status is reported only when the required vulnerabilities are fixed and validated by a PCI scan.

Can I submit reports directly to my acquiring banks?

Banks are able to sign up to use the PCI Compliance Service, enabling them to view submitted PCI compliance documents and track PCI compliance status for their merchants through the PCI Compliance Service's web application.

If your acquiring bank is signed up with the PCI Compliance Service and it is defined for your account, then you can submit questionnaires and scan reports directly to the bank.

To see a list of participating banks, select Account->Settings from the left menu and then scroll down to the Bank Information section. Click Edit and look at the banks listed in the Bank Name menu. These are participating banks.

If your bank is not a participating bank, then it will not appear in the Bank Name menu. Scroll down to the Other Banks section at the bottom of the page and enter the bank name in the field provided. If you don't have a participating bank, then no bank has direct access to your submitted documents through the PCI Compliance Service's web application. You must download submitted documents in PDF format and send them to your acquiring bank using a method outside of the application.

Does the PCI Compliance Service provide assistance with remediation?

Yes. The PCI Compliance Service provides links to fixes or workarounds from the PCI Technical Report and from the current vulnerabilities list to help network administrators remedy vulnerabilities. Our Security Engineers have validated all solutions in our vulnerability lab to ensure they function as specified.

How can I get assistance understanding a vulnerability?

Please contact Customer Support for assistance with understanding a vulnerability. To do this, simply log into the PCI Compliance Service, and select Contact Support from the left menu. On the page provided you may send an email to Customer Support with your questions.

What if my business has a vulnerability that it deems as an acceptable risk?

In order to be compliant with the PCI requirements, all vulnerabilities and potential vulnerabilities, as defined by the PCI DSS compliance standards set by the PCI Council, must be remediated.

What do I do if I think I have a false positive?

It's possible that, after fixing all PCI vulnerabilities and potential vulnerabilities, you still have a reported issue that doesn't seem to apply to the host. In this circumstance, you may request an exception, which we will consider as a possible false positive.

Before making this request, complete all remediation steps to fix vulnerabilities by following these guidelines:

If you followed the guidelines above and believe that the PCI Compliance Service has identified a false positive in your scan, then use the steps below to submit a false positive request to Technical Support.

  1. Select Network->Vulnerabilities from the left menu. The Current Vulnerabilities list displays all current vulnerabilities that were detected on hosts from the most recent scans. You can use the search options in the Vulnerability Report Settings section to search for vulnerabilities.
  2. Select the check box to the left of each vulnerability you want to include in your request and click the Review False Positives button. Note it's not possible to select a check box for a vulnerability that is not required to fix to pass PCI compliance.
  3. On the Request False Positives page, provide a detailed explanation for each selected vulnerability as to why you believe it is a false positive. Your explanation should include steps taken to validate that it is a false positive. You have the option to enter one reason for multiple false positives. To do this, select the check box "Use same comment for all the following requests".
  4. Click the Submit False Positive Request button. Note that an error will occur if you select a vulnerability without providing an explanation.

An email is sent to Technical Support for review. A Technical Support representative will work with you to determine if the identified issue is a false positive and will send an email response confirming the decision.

Where do I find out more information about PCI?

More information about PCI can be found at the following sites:

https://www.pcisecuritystandards.org/

https://sdp.mastercardintl.com/

http://www.mastercardsecurity.com

http://www.visa.com/cisp

http://www209.americanexpress.com

http://www.jcb-global.com/english/pci/index.html

http://www.discovernetwork.com/disc

You can also link to PCI compliance program sites directly from the PCI Compliance Service. Select Resources from the left menu and then select the site you want to link to.

How do I contact support?

Customers can contact customer support at any time. Simply log into the PCI Compliance Service, and select Contact Support from the left menu. On the page provided you may submit an email directly to your PCI Compliance Service provider.