How-to

Manage Internal Vulnerability Scans for PCI DSS

Qualys Vulnerability Management (VM) is the vulnerability scanner used to map and scan systems and devices that are in-scope for the PCI-DSS internal vulnerability scan and map requirement. Items in-scope include any system or device which processes, stores, transmits, or has the ability to impact the security of cardholder data.

This document provides responsibilities and instructions on how Qualys VM scanning, mapping and ticket remediation tracking is used at the University of Minnesota by units for PCI-DSS internal vulnerability scans and maps. Units manage the internal vulnerability scans for PCI DSS for their area.

Understand Your Responsibilities

  • Follow the naming convention for Asset Groups (see Naming Conventions section).
  • Create and maintain the list of IP addresses of systems and devices that are in-scope and on the University network in your PCI.COLLEGE.DEPT-Devices asset group. Include servers, workstations, terminals, printers, network infrastructure, and other devices.
  • Discovery map your PCI subnet ranges (COLLEGE.DEPT.PCI-hostips asset group) at least monthly. Daily or weekly maps are recommended.
    • Review the Map reports for unknown devices.
    • Remove unknown devices from the network, or verify that they are in-scope and listed in your PCI.COLLEGE.DEPT-Devices asset group.
  • Scan all IP addresses in the PCI.COLLEGE.DEPT-Devices asset group at least monthly. Weekly scans are recommended, scheduled for times when the devices are expected to be online; the COLLEGE.DEPT.PCI-hostips asset group can also be used as the scan target so that any host on the PCI subnets is covered.
    • Review the scan results and mitigate the vulnerabilities detected.
    • Schedule a follow-up scan, for a time when the devices are online, for IP addresses that were not alive during the scan. The Appendix of the scan results report lists the hosts that did not respond.
  • Remediate the vulnerabilities detected. Mitigation can include applying a patch, changing the configuration, applying compensating controls, or documenting a false positive.
    • Fix or mitigate the vulnerabilities flagged as PCI Severity HIGH within 30 days of detection.
    • Fix or mitigate the other vulnerabilities on the report.
    • Run another vulnerability scan to verify that the vulnerabilities are no longer detected.
  • Document mitigation plans, compensating controls, and false positives in Qualys Ticket Remediation. Complete this within 30 days of detection for vulnerabilities flagged as PCI Severity HIGH.
    • Send documentation supporting a false positive request to University Information Security at abuse@umn.edu with the subject PCI Internal Scan False Positive Request. Include the Qualys Ticket Remediation number and the IP address of the host. University Information Security will review your request and respond.
  • Update your remediation plan or mitigation strategy at least monthly for the open tickets created for detected vulnerabilities. Use Qualys Ticket Remediation to document proposed or approved remediation steps.
  • Run reports at least monthly.
    • Use the Report Template: PCI FAIL+Confirmed 4-5 Technical Report- Select Asset Group or IP to verify that all high severity (confirmed 4 and 5) and PCI Severity HIGH vulnerabilities have been mitigated or resolved.
    • Use the Report Template: PCI Scan Report for Internal Scan-Select Host to document completion of the internal vulnerability scan. See the section Prepare the Monthly or Quarterly Report.
  • Submit a quarterly report to the Controller's Office to document your compliance with the internal vulnerability scan requirement in PCI DSS.
    • Send report to pmtcard@umn.edu
    • For vulnerabilities flagged as PCI Severity HIGH that will not be resolved in 12 weeks from first detected, contact Corey Graves (pmtcard@umn.edu) to document reasons and a timeline for resolution.

Prepare the Monthly or Quarterly Report

  • Compare the list of IP addresses scanned during the current quarter to your unit’s inventory of in-scope systems and devices. Use Asset Search (Assets tab) on the PCI.COLLEGE.DEPT-Devices asset group; it lists the IP addresses that responded to ICMP ping.
    • Add new IP addresses to your PCI.COLLEGE.DEPT-Devices asset group and schedule a scan.
    • Remove IP addresses of systems that have been retired or decommissioned.
  • Verify that the reporting asset group PCI.COLLEGE.DEPT-Devices has an entry (IP address) for each device that is in-scope.
  • Verify that every IP address in the PCI.COLLEGE.DEPT-Devices asset group has a scan for the current month or quarter. Modify the Asset Search to identify IP addresses in the PCI.COLLEGE.DEPT-Devices asset group not scanned within the last 30 or 90 days, and review the last scan date column.
    • Remove IP addresses of systems that no longer meet the in-scope criteria (they no longer process, store, transmit, or have the ability to impact the security of cardholder data) or that have been retired or decommissioned.
    • For the others, schedule a vulnerability scan.
  • Verify that all PCI Severity HIGH vulnerabilities have been mitigated or that their documentation is current in Qualys Ticket Remediation. Run the Report Template: PCI FAIL+Confirmed 4-5 Technical Report- Select Asset Group or IP.
  • Run the Report Template: PCI Scan Report for Internal Scan-Select Host against the PCI.COLLEGE.DEPT-Devices or COLLEGE.DEPT.PCI-hostips asset group and save a copy outside the Qualys portal to document your unit’s compliance with the PCI DSS internal vulnerability scan requirement. Provide a copy to the Merchant Manager and the University PCI Compliance office (cmgraves@umn.edu).
    • For vulnerabilities flagged as PCI FAIL that will not be resolved within 12 weeks of first detection, contact Corey Graves (pmtcard@umn.edu) to document the reasons and a timeline for resolution.
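The reconciliation steps above (inventory versus Asset Search results, last scan date within the 30- or 90-day window, and open PCI Severity HIGH tickets against the 30-day deadline and the 12-week escalation point) can be run as a script over exported data rather than by eye. The following is an added example written for this page; it is not a University tool or Qualys code. The CSV column names ("IP", "Last Scan Date", "Ticket", "PCI Severity", "First Detected", "Status"), the sample IP addresses and the ticket numbers are constructed assumptions, so adjust them to match the columns of your actual Qualys exports.

```python
"""Reconcile a unit's in-scope inventory with a Qualys Asset Search export
and flag overdue PCI Severity HIGH tickets.

Added example for this how-to, not University or Qualys code. Assumptions
(constructed for this example): the Asset Search export is a CSV with columns
"IP" and "Last Scan Date"; the inventory is one IP per line; the ticket export
is a CSV with "Ticket", "IP", "PCI Severity", "First Detected", "Status".
Real Qualys exports may name their columns differently.
"""
import csv
import io
from datetime import date, datetime, timedelta
from ipaddress import ip_address

# Constructed sample data; not real University hosts or Qualys output.
INVENTORY = """\
10.20.30.10
10.20.30.11
10.20.30.12
10.20.30.40
"""

ASSET_SEARCH_CSV = """\
IP,DNS,Last Scan Date
10.20.30.10,pos-1.example.edu,2017-11-28
10.20.30.11,pos-2.example.edu,2017-09-02
10.20.30.13,printer.example.edu,2017-12-01
"""

TICKETS_CSV = """\
Ticket,IP,PCI Severity,First Detected,Status
1001,10.20.30.10,HIGH,2017-10-15,Open
1002,10.20.30.11,HIGH,2017-08-01,Open
1003,10.20.30.11,MEDIUM,2017-11-20,Open
1004,10.20.30.12,HIGH,2017-11-25,Closed
"""

PCI_HIGH_DEADLINE_DAYS = 30  # page: fix PCI Severity HIGH within 30 days of detection
ESCALATION_DAYS = 12 * 7     # page: escalate if unresolved 12 weeks from first detection


def _parse_date(text):
    return datetime.strptime(text.strip(), "%Y-%m-%d").date()


def reconcile(inventory_text, asset_csv, today, window_days=30):
    """Compare inventory IPs with the Asset Search export.

    Returns three sorted lists of IP strings:
      missing - in inventory but never seen by Qualys: add to the asset group and scan
      unknown - seen by Qualys but not in inventory: remove from the network or add to inventory
      stale   - in both, but last scanned more than window_days ago: schedule a scan
    Use window_days=90 for the quarterly check.
    """
    inventory = {ip_address(line.strip()) for line in inventory_text.splitlines() if line.strip()}
    last_scan = {}
    for row in csv.DictReader(io.StringIO(asset_csv)):
        last_scan[ip_address(row["IP"].strip())] = _parse_date(row["Last Scan Date"])
    scanned = set(last_scan)
    cutoff = today - timedelta(days=window_days)
    return {
        "missing": [str(ip) for ip in sorted(inventory - scanned)],
        "unknown": [str(ip) for ip in sorted(scanned - inventory)],
        "stale": [str(ip) for ip in sorted(inventory & scanned) if last_scan[ip] < cutoff],
    }


def ticket_status(tickets_csv, today):
    """Flag open PCI Severity HIGH tickets past the 30-day deadline or the 12-week escalation point."""
    overdue, escalate = [], []
    for row in csv.DictReader(io.StringIO(tickets_csv)):
        if row["Status"].strip().lower() != "open" or row["PCI Severity"].strip().upper() != "HIGH":
            continue  # only open PCI Severity HIGH tickets carry the 30-day deadline
        age_days = (today - _parse_date(row["First Detected"])).days
        if age_days > ESCALATION_DAYS:
            escalate.append(row["Ticket"].strip())
        elif age_days > PCI_HIGH_DEADLINE_DAYS:
            overdue.append(row["Ticket"].strip())
    return {"overdue": overdue, "escalate": escalate}


def example_results():
    """Run both checks over the constructed sample data as of a fixed date."""
    today = date(2017, 12, 5)
    return reconcile(INVENTORY, ASSET_SEARCH_CSV, today), ticket_status(TICKETS_CSV, today)


if __name__ == "__main__":
    assets, tickets = example_results()
    print("assets:", assets)
    print("tickets:", tickets)
```

With the sample data, 10.20.30.12 and 10.20.30.40 are in the inventory but have never been scanned (add to the asset group and scan), 10.20.30.13 was seen on the network but is not in the inventory (investigate and either remove it or add it), 10.20.30.11 was last scanned more than 30 days ago (schedule a scan), ticket 1001 is past the 30-day deadline, and ticket 1002 is past 12 weeks and needs the escalation contact described above.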

More In-Depth

For additional instructions on how to use Qualys VM for scans, maps, ticket remediation, asset groups and reports, see Qualys VM for Technical Users. Qualys maintains extensive documentation for each tab of the product (Scans, Reports, Remediation, and so on) under Help on the Qualys menu bar. The instructions below will get you started.

Follow the Naming Conventions

  • Reporting Asset Groups:

PCI.COLLEGE.DEPT-Devices

  • Map & Scan Asset Groups:

COLLEGE.DEPT.PCI-hostips

  • Other asset groups should begin with:

COLLEGE.DEPT

Set up a Scan

There are multiple scan option profiles and features for running a scan, including scheduling or launching a scan immediately.

Scans tab in the Qualys portal.

Go to Scans and choose New -> Scan
Enter scan details and click Launch.

Scan details:

  • Title
  • Option Profile: Initial Options for University of Minnesota (default)
  • Scanner Appliance:
    • All Scanners in Asset Group (distributes the scan across the internal scan appliances assigned to the asset group on the University network)
    • Build my list (distributes the scan across the internal scan appliances you select)
    • Single scan appliance
  • Choose Target Hosts
    • Assets Groups: PCI.COLLEGE.DEPT-Devices or COLLEGE.DEPT.PCI-hostips
    • IP/Ranges
    • Exclude IPs/Ranges
  • Notification when scan is finished (optional)

Cancel or pause scan in the Qualys portal.

Results from scan are in the Qualys portal.

  • View report under Scans tab
  • Use Reports tab to create additional reports using the report templates
  • Asset Search under Assets tab

Maintain Ticket Remediation

The main remediation policy creates tickets for all confirmed severity 4 and 5 or PCI-related vulnerabilities for the IPs in the PCI.COLLEGE.DEPT-Devices asset group.

  • Tickets are assigned to the user who ran the scan.
  • Tickets are considered overdue 30 days after creation.

Run Reports

Schedule a report or launch on-demand using the various report templates.

Reports tab in the Qualys portal.

Choose New > Scan Report > PCI Scan Template

  • Report Template: PCI FAIL+Confirmed 4-5 Technical Report- Select Asset Group or IP
    • Results as of the last scan
    • Includes PCI FAIL status for each vulnerability (PCI org. determines which vulnerabilities to include in this report) or confirmed vulnerabilities at levels 4 & 5
    • Details on how to fix
  • Report Template: PCI Scan Report for Internal Scan- Select Host
    • Results as of the last scan
    • Includes PCI PASS and FAIL status for each vulnerability (PCI org. determines which vulnerabilities to include in this report).
    • Details on how to fix
  • Report Template:PCI Scan Report- Select Scan Results
    • Use to run a PCI scan report for a prior period or a specific scan
    • Results from a specific scan (includes option to include a specific IP)
    • Includes PCI PASS and FAIL status for each vulnerability (PCI org. determines which vulnerabilities to include in this report).
    • Details on how to fix

Schedule Scans, Maps, and Reports

Under the respective tabs in the Qualys portal, select Schedules tab.

Scheduling details:

  • Start date and time
  • Duration (optional) for scans and maps
  • Frequency
  • Notifications
  • Change schedule status (deactivate or reactivate)

For scheduled reports, set the Notifications as follows:

  • Email to U PCI Compliance Office- Corey Graves
  • Subject Line: PCI (your unit)
  • Custom Message:

Review the report and remediate the vulnerabilities marked as PCI Severity HIGH.  The other vulnerabilities should also be remediated.

Per PCI DSS, all HIGH vulnerabilities need to be addressed in a timely manner and rescans performed to verify these vulnerabilities have been resolved.  If HIGH vulnerabilities will not be resolved in the next 12 weeks, contact Corey Graves.

For questions, contact University Information Security.

Content Last Reviewed: December 2017 by University Information Security