The Payment Card Industry (PCI) Data Security Standard details security requirements for members, merchants, and service providers that store, process or transmit cardholder data. To demonstrate compliance with the PCI Data Security Standard, merchants and service providers may be required to validate and conduct a network security scan on a regular basis as defined by the PCI Security Standards Council.
Network Security Scans are an indispensable tool to be used in conjunction with a vulnerability management program. Scans help identify vulnerabilities and misconfigurations of websites and IT infrastructure containing externally facing IP addresses. Scan results provide valuable information that supports efficient patch management and other security measures that improve protection against Internet hacking.
The current regulation PCI DSS v3.2 was released in April 2016 and applies to most merchants, banks and service providers on October 31, 2016. Companies compliant with previous PCI DSS v3.1 have an extended deadline and must comply by October 31, 2016.
Network Security Scan requirements apply to all merchants and service providers with external-facing IP addresses that collect, process or transmit payment account information. However, even if an entity does not offer web-based transactions, there are other services that make systems Internet accessible. Basic functions such as email and employee Internet access will result in the Internet-accessibility of a company's network. These seemingly insignificant paths to and from the Internet can provide unprotected pathways into merchant and service provider systems and can potentially expose cardholder data if not properly controlled.
All PCI scans must be conducted by an approved scanning vendor, selected from the list of approved vendors. All compliant scanning vendors are required to conduct scans in accordance with a defined set of procedures. These procedures dictate that the normal operation of the customer environment is not to be impacted and that the vendor should never penetrate or alter the customer environment.
Merchants and Service Providers should consult with their acquirer or payment brand directly to understand each brand's validation criteria and reporting requirements.
External auditors are required for annual audits of level 1 merchants and level 1 & 2 service providers. More information can be found at https://www.pcisecuritystandards.org/.
Qualified Security Assessors (QSA) are authorized to perform annual audits for merchants and service providers to document compliance with PCI. Approved Scanning Vendors (ASV) are authorized to perform the quarterly scans to show compliance with the PCI Data Security Standard. Several qualified security assessors incorporate approved scanning vendors into their solution. Qualys is an Approved Scanning Vendor.
Qualys is certified as a PCI Approved Scanning Vendor (ASV) to help merchants and their consultants validate and achieve compliance with the PCI Data Security Standard. Qualys PCI Compliance is an on-demand compliance testing and reporting service. Using the service, merchants can run PCI compliance scans, complete PCI self assessment questionnaires and submit compliance reports directly to acquiring banks. Our on-demand delivery model makes Qualys PCI Compliance available anytime from any browser, without software to install or maintain. Qualys PCI Compliance is available as a free trial.
Read the PCI Compliance Getting Started Guide to learn how to use Qualys PCI Compliance for achieving compliance with the PCI Data Security Standard.
A network security scan must be completed every 90 days by an approved PCI scanning vendor. Qualys is a PCI approved scanning vendor (ASV). To achieve network status compliance using Qualys PCI Compliance, all hosts must be scanned during the best practice scanning period and there can be no PCI vulnerabilities found from the scans during this period. Qualys PCI Compliance defines the best practice scanning period to be 30 days prior to the current day. Using Qualys PCI Compliance, you can scan your network in segments and remediate/re-scan for vulnerabilities on target IPs. Segmented scanning allows you to scan hosts that you have remediated without having to scan your entire network.
All external IP addresses must be scanned for PCI compliance.
The PCI DSS Security Scanning Procedures guide describes in detail the scope of PCI security scanning required for PCI compliance.
In this document, the section called "Scope of PCI Security Scanning" starting on page 1 states the following:
"The PCI requires all Internet-facing IP addresses to be scanned for vulnerabilities. If active IP addresses are found that were not originally provided by the customer, the ASV must consult with the customer to determine if these IP addresses should be in scope. In some instances, companies may have a large number of IP addresses available while only using a small number for card acceptance or processing. In these cases, scan vendors can help merchants and service providers define the appropriate scope of the scan required to comply with the PCI. In general, the following segmentation methods can be used to reduce the scope of the PCI Security Scan.
- Providing physical segmentation between the segment handling cardholder data and other segments
- Employing appropriate logical segmentation where traffic is prohibited between the segment or network handling cardholder data and other networks or segments
Merchants and service providers have the ultimate responsibility for defining the scope of their PCI Security Scan, though they may seek expertise from ASVs for help. If an account data compromise occurs via an IP address or component not included in the scan, the merchant or service provider is responsible."
As per the requirements in the PCI scanning procedure specifications, an IPS must be set to not block a scan. The service provides multiple scanners for external (perimeter) scanning, located at the Security Operations Center (SOC) that is hosting Qualys PCI Compliance. The scanner IP addresses are 22.214.171.124/20 (126.96.36.199-188.8.131.52). Depending on your network, it may be necessary to add the scanner IPs to your list of trusted IPs, so the service can send probes to the IP addresses in your account during scan processing.
The PCI DSS Security Scanning Procedures guide describes in detail the scanning procedures required for PCI compliance.
Your network protection systems should be configured to not interfere with the vulnerability scanning, as described in the document referenced above. In this regard, the section "Scanning Procedures" item 13 states the following:
"Arrangements must be made to configure the intrusion detection system/intrusion prevention system (IDS/IPS) to accept the originating IP address of the ASV. If this is not possible, the scan should be originated in a location that prevents IDS/IPS interference"
Security scanning procedures are outlined as part of the PCI Data Security Standard. The PCI DSS Document Library includes a framework of specifications, tools, measurements and support resources to help organizations ensure the safe handling of cardholder information at every step.
Firewall configurations do not need to be changed.
All merchants at level 2, 3 and 4 and all service providers at level 3 must complete a PCI self assessment questionnaire (SAQ) on an annual basis. Level 4 merchants should contact their acquiring banks for requirements. Note: In Canada, for Visa, merchants must have their SAQ validated by a PCI qualified security assessor (QSA) prior to submitting the SAQ to acquiring banks.
When your PCI Merchant account is created, you will receive a registration email. In the body of this email you will find the URL to the PCI Merchant application and a secure link to your account credentials. With your login and password, log into the service at the URL provided and you will be directed to your Home page.
At account creation time, you are assigned a username for the PCI Merchant application. You can change your username at any time. To do so, select Account->Users on the left menu. Identify your own user account (it will be in bold) and click Edit. Then select the "Change Username" link. Enter your current login in the field provided and then a new login in the "New Username" field. Note that your username must be unique to the PCI Merchant application, and must include the @ character, such as john@qualys. After saving your new username, log back into the service.
When logging into Qualys PCI Compliance, the username and password entered did not match the information we have stored at our Security Operations Center (SOC). Please check to make sure the information you entered is correct. Note that usernames and passwords are case sensitive so make sure Caps Lock is turned off.
If you do not know your password, the service provides methods for requesting a new password. You can click the "Forgot Password" link on the Login page to have a new password automatically generated. After providing your username, you will receive an email with a link to your new credentials. Alternatively, you can contact another user in your account and request that they reset your password through the PCI Compliance application. To reset another user's password, go to the Users list (Account->Users) and select Edit to edit the account for the user who is requesting a new password. On the Edit User page, select the "Reset Password" link. A new password is automatically generated for the user's account and an email with login instructions is sent to the user.
If you do not know your username, contact another user in your account and request that they look it up for you. To do this, the other user can go to the Users list (Account->Users) and select Edit to edit your account. On the Edit User page, your username is displayed.
If you need additional help, contact Qualys Support.
When logging into Qualys PCI Compliance, the username and password you entered is for a user that belongs to a subscription which is expired. If your subscription has multiple users and you are not the primary contact for the subscription, we recommend that you first consult the primary contact. The primary contact user appears in bold on the Users list (Account->Users). If you would like to activate your subscription, please contact your sales representative or Qualys Support.
At account creation time, Qualys PCI Compliance provides a randomly generated "strong" password for your account. You can change your password at any time. To do so, select Account->Users from the left menu. Identify your own user account (it will be in bold) and click Edit. Then select the "Change Password" link. Enter your current password in the field provided and then a new password in the "New Password" field. Your password must be a minimum of 6 characters and must include a mixture of alpha and numeric characters. After saving your new password, log back into the service.
The PCI self assessment questionnaire is available online through Qualys PCI Compliance's web interface. To start a new questionnaire, select Questionnaires->New Questionnaire from the left menu.
AAll IP addresses in your account may be scanned. To view the IPs in your account, go to Account->IP Assets. You may add IPs up to the limit defined for your account. The maximum number of IPs allowed in your account can be viewed by selecting Account->Settings on the left menu, and then scrolling down to the Subscription Information section.
To purchase additional IP addresses to scan, please contact your sales representative.
This is an simple self service task as Qualys no longer requires IP Removals in PCI to go through support. Users can do it themselves by going to Account > IP Assets and click 'Remove IP'. If you have issues, then contact customer support.
To launch a PCI scan, log into Qualys PCI Compliance and select Network->New Scan from the left menu. (Or click Start a Scan on the Home page.) Next supply a title for the scan in the Title field and select a bandwidth level from the Bandwidth menu. It's recommended that you keep the default bandwidth level of Medium. Identify the IPs you want to scan in the Target IPs section. The All IPs option is selected by default, meaning that all IPs in your account will be scanned. You may choose the Select IPs option to scan a limited number of IPs. After specifying your scan target, click "OK" to start the scan.
Optionally, you can schedule the scan to start at a later time. To do so, select the Schedule for Later option and then specify the start date (month, day and year) and start time (hours and minutes). Also select your local time zone. You may enter any date/time within the next 90 days.
Underlying scan settings have been optimized to test compliance with the PCI Data Security Standard. There is one user-configurable scan performance setting — Bandwidth Level — which affects overall scan performance. Several bandwidth levels are provided, and each level represents multiple settings. It's recommended that you keep the default bandwidth level Medium to get started. You can select another level when you launch or schedule a scan. See the online help for descriptions of the various bandwidth levels and their settings.
The Scans page lists all running and completed scans. To see this page, select Network->Scan Results from the left menu. From this list, you can search and view scan tasks, view detected vulnerabilities that must be fixed to achieve PCI compliance, and download the scan results. In the Scan Results report, the Detailed Results section shows all vulnerabilities detected by the service (not limited to vulnerabilities that must be fixed to achieve PCI compliance).
The service provides two PCI network reports — PCI Executive Report and PCI Technical Report. The PCI reports provide similar information suitable for different workflows. The PCI Executive Report is used to submit to the acquiring bank to document PCI compliance. This report provides summary level information only. The PCI Technical Report is used to identify vulnerabilities and prioritize remediation. For this reason, the PCI Technical Report includes technical details to assist with remediation. To create the PCI network reports, select Network->Compliance Status from the left menu and then click "Generate".
Qualys PCI Compliance produces reports that include an overall PCI compliance status of Passed or Failed as documented in the Qualys PCI Pass/Fail Status Criteria. An overall PCI compliance status of Passed indicates that all hosts in the report passed the PCI compliance standards set by the PCI Council. A host compliance status is provided for each host. A PCI compliance status of Passed for a single host/IP indicates that no vulnerabilities or potential vulnerabilities, as defined by the PCI DSS compliance standards set by the PCI Council, were detected on the host. The criteria for PCI Pass/Fail compliance status implemented by the Qualys PCI solutions is calculated based on criteria listed below.
You can view the current PCI compliance status for your network and its hosts on the Compliance Status page by selecting Network->Compliance Status. The Compliance Status chart at the top of the page displays the current compliance status of your entire network, including all hosts. The Host Status list at the bottom of the page displays the current compliance status for hosts in your account.
You can view a list of detected vulnerabilities and potential vulnerabilities by selecting Network->Vulnerabilities on the left menu. All detected vulnerabilities are listed, including vulnerabilities that must be fixed to pass PCI compliance as well as vulnerabilities that we recommend that you fix. For each vulnerability you can view detailed information for remediation so that you can quickly fix and eliminate the vulnerability.
After remediation, run another PCI scan and check your overall compliance status. Repeat these steps until the overall PCI compliance status is "Compliant".
You can check your overall compliance status on the Compliance Status page by selecting Network->Compliance Status. If your overall PCI compliance status is "Compliant", then you are ready to generate, save and submit network reports. To do so, click the "Generate" icon and provide report information to be submitted to your acquiring banks. Then click the "Generate" button to generate PCI network reports. Review the reports and click "Save & Submit" to save the reports in your account and submit the PCI Executive Report electronically to banks in your account.
For other banks without electronic submission enabled, you need to download and print the PCI Executive Report and then send it manually via mail. Saved network reports appear on the Submitted Reports list in your account.
The PCI Executive Report is appropriate for submission to your acquiring banks. To meet PCI compliance, the PCI Executive Report must indicate an overall PCI compliance status of Passed. This status is reported only when the required vulnerabilities are fixed and validated by a PCI scan.
Banks are able to sign up to use Qualys PCI Compliance, enabling them to view submitted PCI compliance documents and track PCI compliance status for their merchants through Qualys PCI Compliance's web interface.
If your acquiring bank is signed up with Qualys PCI Compliance and it is defined for your account, then you can submit questionnaires and scan reports directly to the bank.
To see a list of participating banks, select Account->Settings from the left menu and then scroll down to the Bank Information section. Click Edit and look at the banks listed in the Bank Name menu. These are participating banks.
If your bank is not a participating bank, then it will not appear in the Bank Name menu. Scroll down to the Other Banks section at the bottom of the page and enter the bank name in the field provided. If you don't have a participating bank, then no bank has direct access to your submitted documents through Qualys PCI Compliance's web interface. You must download submitted documents in PDF format and send them to your acquiring bank using a method outside of the application.
Yes. Qualys PCI Compliance provides links to fixes or workarounds from the PCI Technical Report and from the current vulnerabilities list to help network administrators remedy vulnerabilities. Our Security Engineers have validated all solutions in our vulnerability lab to ensure they function as specified.
Please contact Customer Support for assistance with understanding a vulnerability. To do this, simply log into Qualys PCI Compliance, and select Contact Support from the left menu. On the page provided you may send an email to Customer Support with your questions.
In order to be compliant with the PCI requirements, all vulnerabilities and potential vulnerabilities, as defined by the PCI DSS compliance standards set by the PCI Council, must be remediated. If you have a Failing Report due to an acceptable risk, then you can submit your report to your acquirer and request a temporary exception from them, until the issue can be fully remediated, as is required per the PCI Standards for all failing vulnerabilities.
It's possible after fixing all PCI vulnerabilities and potential vulnerabilities that you have an issue that doesn't seem to apply to the host. In this circumstance, you may request an exception that will be considered by us as a false positive.
Before making this request, complete all remediation steps to fix vulnerabilities by following these guidelines:
If you followed the guidelines above and believe that Qualys PCI Compliance has identified a false positive in your scan, then use the steps below to submit a false positive request to Technical Support.
An email is sent to Technical Support for review. A Technical Support representative will work with you to determine if the identified issue is a false positive and will send an email response confirming the decision.
More information about PCI can be found at the following sites:
Customers can contact customer support at any time. Simply log into Qualys PCI Compliance, and select Contact Support. On the page provided you may submit an email directly to your PCI Compliance Service provider.