Welcome to QualysGuard Express Lite. In this video we'll focus on the topic of external scanning for PCI compliance. If you have host devices that require PCI compliance - they store, process, or transfer credit card data - the QualysGuard Express Lite PCI Compliance application will help you achieve your quarterly scan requirement in just a few steps.
In this video we'll show you how to:
To begin scanning for PCI compliance, simply log in to QualysGuard Express Lite and click on the PCI icon, activate the PCI service, and launch the PCI application. After accepting the service user agreement, you'll be ready to begin. Before you can launch a PCI scan you'll need to add IP addresses to your account. To add host IP addresses to your PCI account, simply expand the Account section and click on IP Assets. Here the Walk Me Through Wizard will provide step-by-step instructions for adding hosts and domains to your account. Once you have successfully added host devices to your PCI account, you'll be ready to launch a PCI compliance scan.
To launch a PCI compliance scan expand the Network section and click the New Scan option. Give your scan a meaningful title. For an optimal combination of performance, bandwidth usage, and processing speed, Qualys recommends a bandwidth setting of Medium. Qualys always ensures your PCI scans will have a minimal impact on your target hosts and networks. You can click the Info link for more about bandwidth and your available options. Next, select the IP addresses you wish to target in your scan. You can select all IP addresses in your account or select specific IP addresses in your account list. You can launch the scan now or schedule the scan to run at a later time. To invoke the options that you've selected, click OK. If you choose to launch your scan now, the PCI application will present you with two navigation options. I'm going to select the option to view my scan results while I am waiting for my scan to finish. Notice here in the scan results section that my scan is still running.
Once your scan is finished, you can view the vulnerabilities discovered by clicking on the vulnerabilities icon. You can further filter this list by choosing to display only the vulnerabilities that result in a PCI failed status. The PCI Data Security Standard requires all merchants and service providers to fix or remediate all confirmed and potential vulnerabilities marked with the fail status. If you click any of the vulnerabilities in this list, you will get a detailed vulnerability report that will allow you to view the solution for fixing this particular vulnerability. If a failed vulnerability in this list proves to be a false-positive, you can place a check next to the suspect vulnerability and click the Review False Positive button to have this vulnerability reviewed by a Qualys support specialist.
Once you have fixed all vulnerabilities required to pass PCI compliance and any false-positive requests have been properly addressed, you will then be ready to generate PCI compliance reports. To do this, simply expand the Compliance section and click on Compliance Status. Here you will see a summary of your PCI compliance status and a button to generate your PCI compliance reports. Click on the Generate button to launch the report generation wizard which will guide you through the report generation process.
You will find all your generated reports along with their respective report status here in the Submitted Reports section. Because Qualys is an approved scanning vendor, you can send your reports to Qualys for attestation using the Request Review link. Once Qualys has approved and attested your PCI compliance reports, you can then use the Submit link to send them online to your acquiring banks.
Thank you for viewing this QualysGuard Express Lite video on PCI external scanning.