Manage Internal Vulnerability Scans for PCI DSS

Rapid7 InsightVM is the vulnerability scanner used to discover, map, and scan the systems and devices that are in scope for the PCI DSS internal vulnerability scan and map requirement. In-scope items include any system or device that processes, stores, or transmits cardholder data, or that could affect the security of cardholder data.

This document describes unit responsibilities and gives instructions for how InsightVM discovery scanning, vulnerability scanning, false positive tracking, and reporting are used at the University of Minnesota for PCI DSS internal vulnerability scans and maps. Each unit manages the internal PCI DSS vulnerability scans for its own area.

Understand Your Responsibilities

  • Follow the naming convention for tagging assets (see Follow the Naming Conventions below).
  • Maintain the list of IP addresses of in-scope systems and devices on the University network in your designated InsightVM PCI site. Include servers, workstations, terminals, printers, network infrastructure, and other devices. Email [email protected] with changes.
  • Discovery scan your PCI site at least weekly.
    • Review the discovery scan results for unknown or new devices.
    • Track down unknown devices and remove them from the network.
  • Vulnerability scan all IP addresses in the PCI site at least weekly. Schedule scans for times when the devices are expected to be online.
    • Review the vulnerability scan results and mitigate the vulnerabilities detected.
    • For IP addresses that were not alive during the scan, schedule a follow-up scan for a time when those devices are online.
  • Remediate the vulnerabilities detected. Mitigation can include applying a patch, changing the configuration, applying compensating controls, or documenting the finding as a false positive.
    • Fix or mitigate vulnerabilities flagged as PCI Severity HIGH within 30 days.
    • Fix or mitigate the other vulnerabilities on the report.
    • Run another vulnerability scan to verify that the vulnerabilities are mitigated.
  • Document mitigation plans, compensating controls, and false positives in InsightVM. For vulnerabilities flagged as PCI Severity HIGH, complete this within 30 days of detection.
    • Send the documentation supporting a false positive request to University Information Security at [email protected] with the subject "PCI Internal Scan False Positive Request". Include the IP address of the asset. University Information Security will review the request and respond.
  • Update your remediation plan/mitigation strategy at least monthly for high severity vulnerabilities or those flagged as PCI FAIL.
  • Run reports at least monthly.
    • Use the PCI Vulnerability Details report template with the tag PCI-FAIL for internal scan selected to verify that all high severity and PCI Severity HIGH vulnerabilities have been mitigated or resolved.
    • Use the !UMN PCI Host Details with Vuln Exceptions report template to document completion of the internal vulnerability scan. See Preparing the Monthly or Quarterly Report below.
  • Submit a quarterly report to the Controller's Office to document your compliance with the PCI DSS internal vulnerability scan requirement.
    • Send the report to [email protected].
    • For vulnerabilities flagged as PCI Severity HIGH that will not be resolved within 12 weeks of first detection, contact Corey Graves ([email protected]) to document the reasons and a timeline for resolution.

Preparing the Monthly or Quarterly Report

  • Compare the list of IP addresses scanned during the current quarter to your unit's inventory of in-scope systems and devices. Clicking your PCI site lists the IP addresses that responded to ICMP ping; a device that blocks ping will not appear in that list, so reconcile against the inventory rather than relying on the site list alone.
  • Verify that every IP address in your PCI site has a scan for the current month or quarter.
    • For systems that are retired or decommissioned, locate the asset and add the Decommissioned tag to it.
    • For the others, schedule a vulnerability scan.
  • Verify that all PCI Severity HIGH vulnerabilities have been mitigated or that their documentation is current. Run the PCI Vulnerability Details report template with the tag PCI-FAIL for Internal Scan.
  • Run the !UMN PCI Host Details with Vuln Exceptions report template against your unit's PCI site and save a copy outside the InsightVM portal to document your unit's compliance with the PCI DSS internal vulnerability scan requirement. Provide a copy to the Merchant Manager and the University PCI Compliance office ([email protected]).
    • For vulnerabilities flagged as PCI FAIL that will not be resolved within 12 weeks of first detection, contact Corey Graves ([email protected]) to document the reasons and a timeline for resolution.
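The reconciliation steps above (unknown devices from the discovery scan, in-scope assets with no scan in the reporting period, and PCI Severity HIGH findings past the 30-day and 12-week marks) as an added Python example. This is not part of the original page and is not an InsightVM feature; it works on CSV exports and assumes hypothetical column names (ip, hostname, status, last_scan, vuln_id, pci_severity, first_found, exception) rather than InsightVM's own export format. The sample rows are constructed, not real University assets.

```python
"""Reconcile a unit's PCI asset inventory against scan and vulnerability
CSV exports.  Added example: column names are assumptions, not InsightVM's
export format, and every row below is constructed sample data."""
import csv
import io
import ipaddress
from datetime import date

# Unit's in-scope inventory. 'status' is 'active' or 'decommissioned'
# (mirrors the Decommissioned tag applied in InsightVM).
INVENTORY_CSV = """ip,hostname,status
10.20.1.10,pos-terminal-01,active
10.20.1.11,pos-terminal-02,active
10.20.1.20,pos-printer-01,active
10.20.1.30,pos-old-server,decommissioned
"""

# Discovery scan output: every IP that answered during the last discovery scan.
DISCOVERY_CSV = """ip
10.20.1.10
10.20.1.11
10.20.1.99
"""

# Vulnerability scan output: one row per asset per scan (ISO dates).
SCAN_CSV = """ip,last_scan
10.20.1.10,2019-09-20
10.20.1.11,2019-08-02
10.20.1.20,2019-09-18
"""

# Findings: pci_severity HIGH rows are on the 30-day clock; 'exception' is
# 'yes' once a false positive or compensating control has been approved.
VULN_CSV = """ip,vuln_id,pci_severity,first_found,exception
10.20.1.10,ssl-weak-cipher,HIGH,2019-09-10,no
10.20.1.11,apache-outdated,HIGH,2019-06-01,no
10.20.1.11,ssh-banner,LOW,2019-06-01,no
10.20.1.20,printer-default-snmp,HIGH,2019-07-01,yes
"""


def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def _ip(s):
    # Normalise so differently formatted copies of the same address compare equal.
    return ipaddress.ip_address(s.strip())


def unknown_devices(discovery_csv=DISCOVERY_CSV, inventory_csv=INVENTORY_CSV):
    """IPs seen by the discovery scan that are not in the inventory at all."""
    known = {_ip(r["ip"]) for r in _rows(inventory_csv)}
    seen = {_ip(r["ip"]) for r in _rows(discovery_csv)}
    return sorted(str(ip) for ip in seen - known)


def unscanned_assets(period_start, scan_csv=SCAN_CSV, inventory_csv=INVENTORY_CSV):
    """Active in-scope IPs with no vulnerability scan on or after period_start (ISO)."""
    start = date.fromisoformat(period_start)
    last = {}
    for r in _rows(scan_csv):
        d = date.fromisoformat(r["last_scan"])
        ip = _ip(r["ip"])
        last[ip] = max(last.get(ip, d), d)   # keep the most recent scan per asset
    missing = []
    for r in _rows(inventory_csv):
        if r["status"] != "active":
            continue  # decommissioned assets are not expected to be scanned
        ip = _ip(r["ip"])
        if ip not in last or last[ip] < start:
            missing.append(str(ip))
    return sorted(missing)


def overdue_pci_high(today, vuln_csv=VULN_CSV, sla_days=30, escalate_days=84):
    """PCI Severity HIGH findings with no approved exception that are older than
    the 30-day SLA.  Returns (ip, vuln_id, age_days, needs_escalation), where
    needs_escalation is True past 12 weeks (84 days) from first detection."""
    as_of = date.fromisoformat(today)
    out = []
    for r in _rows(vuln_csv):
        if r["pci_severity"] != "HIGH" or r["exception"] == "yes":
            continue
        age = (as_of - date.fromisoformat(r["first_found"])).days
        if age > sla_days:
            out.append((r["ip"], r["vuln_id"], age, age > escalate_days))
    return sorted(out)


if __name__ == "__main__":
    print("Unknown devices:", unknown_devices())
    print("Not scanned this period:", unscanned_assets("2019-09-01"))
    for ip, vid, age, esc in overdue_pci_high("2019-09-30"):
        flag = " ESCALATE (>12 weeks)" if esc else ""
        print(f"OVERDUE {ip} {vid} {age} days{flag}")
```

Run it against exports for the reporting period: the first list is what to track down and remove from the network, the second is what still needs a scan before the report is run, and the third is what must be mitigated or documented (and, past 12 weeks, escalated with a timeline).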

More In-Depth

For additional instructions on how to use InsightVM, see UMN Documentation for Units. InsightVM also maintains extensive documentation for each task (e.g., Scans, Reports, Remediation) under Help on the InsightVM menu bar. The instructions below will get you started.

Follow the Naming Conventions

  • Sites:

PCI-COLLEGE-DEPT (e.g., PCI-CFANS-Arboretum)

  • Tag each asset in the site (generally done during site configuration) with:
    • PCI, PCI-Site name, High Security Level, Location (campus), Collegiate/Admin Unit, Department

Setting up a Scan

There are multiple scan option profiles and features for running a scan, including scheduling a scan or launching one immediately.

See Scanning Documentation for Units (available to UMN users of InsightVM; authentication required).

Scan results are available in the InsightVM portal.

Requesting a False Positive Exception

Identify the vulnerability for the request. Under the Exceptions column for that vulnerability, click Exclude and provide the information requested.

Running Reports

Schedule a report or launch on-demand using the various report templates.

Reports in the InsightVM portal:

  • Report Template: PCI Vulnerability Details
    • Results as of the last scan
    • Lists only assets with a vulnerability
    • Includes the PCI FAIL status for each vulnerability (the PCI organization determines which vulnerabilities are included in this report). To list only assets with a vulnerability of CVSS 7.0 or higher, select the tag PCI-FAIL for internal scan.
    • Details on how to fix
  • Report Template: !UMN PCI Host Details with Vuln Exceptions
    • Results as of the last scan
    • Lists all assets (including assets with no vulnerabilities)
    • Includes all vulnerabilities and vulnerability exceptions
  • See Configure advanced settings to schedule a recurring !UMN PCI Host Details with Vuln Exceptions report and to add report distribution recipients (e.g., the University PCI Compliance Analyst, Corey Graves, at [email protected]).

For questions, contact University Information Security.

Content Last Reviewed: September 2019 by University Information Security