New PCI Internal Scanning Requirements
Internal scanning for PCI Compliance has been required for years, but as of July 2012, the following changes occurred:
- PCI has specified that at least high severity vulnerabilities must be remediated internally.
- Organizations must develop a process to assign a risk ranking for newly discovered vulnerabilities.
The goal of these new PCI changes is to empower merchants to ensure they are assessing all newly discovered threats, and appropriately prioritizing their internal remediation efforts. While PCI specifies that "at least high severity" issues must be remediated, they also provide the framework for merchants to assess and include additional high risk items as applicable for their environment.
So while the PCI standards have defined those vulnerabilities with a CVSS base score of 7-10 as high severity, ultimately the determination of exactly what must be fixed internally is left up to each merchant. Merchants must remediate at least the high severity items, but can include additional items at their discretion, as appropriate for their environment.
Qualys’ Recommended 3-Step Process for Internal PCI Scanning & Remediation
- Run a scan using the Initial Options Default profile.
  - Optional: Authenticated Scanning can be leveraged to provide increased accuracy.
- Run a report using the PCI Scan Report Template, with Custom Risk Ranking enabled.
  - Note: Enabling Risk Ranking focuses the report on the internal requirements. By default, without Risk Ranking enabled, the report is focused on the external PCI scoring guidelines.
- Remediate all High Severity items on the PCI Scan Report.
Qualys has provided merchants the flexibility to adjust these rankings per the Risk Ranking feature in our new PCI Scan Report Template (Reports > Templates > New > PCI Scan Template). Enabling Custom Risk Ranking allows merchants to adjust these rankings either on an individual or global basis.
For example, if a vulnerability with a CVSS Base Score of 5 posed a significant risk to your environment, you could change its individual Risk Ranking from Medium to High risk, thereby ensuring it will be remediated as part of your internal remediation efforts.
The final phase of the PCI internal workflow is to mark off any potential false positives or exceptions. Unlike the external PCI process that requires ASV approval for any false positives or exceptions, internal issues can be fully managed by the merchant via either of the following two workflows:
- You can leverage the Close/Ignore function for each vulnerability by going to asset search, looking up the IP address, drilling down to the vulnerability in question, and then clicking on the red "Ignore" icon. You can then enter comments and click Save. This will ensure this item no longer shows up on any future reports.
- You can also leverage the Custom Risk Ranking function to lower the risk of a specific issue, so that it is no longer included as a high risk, and thereby not required for internal PCI. You can lower the Risk Ranking of a specific vulnerability by adding a Search List Exception to the PCI Risk Ranking section of the PCI Scan Report Template. You can also exclude multiple vulnerabilities, or categories of vulnerabilities, by leveraging Search Lists and applying them to the scanning or reporting template as appropriate.
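As an added illustration of the risk-ranking and exception workflows described above (example code written for this page, not Qualys code or a Qualys API), the following Python model shows how the default CVSS severity bands, per-QID Custom Risk Ranking overrides and per-instance Close/Ignore decisions combine into the list of findings that still require internal remediation. The QIDs, IP addresses, titles and the Medium/Low cut-off at 4.0 are assumptions; only the 7.0-10.0 High band comes from the article.

```python
from dataclasses import dataclass

def default_ranking(cvss_base: float) -> str:
    """PCI severity band for a CVSS base score. 7.0-10.0 = High is stated in
    the article; the Medium/Low split at 4.0 is an assumption for this example."""
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError(f"CVSS base score out of range: {cvss_base}")
    if cvss_base >= 7.0:
        return "High"
    return "Medium" if cvss_base >= 4.0 else "Low"

@dataclass(frozen=True)
class Finding:
    qid: int          # hypothetical Qualys QID (constructed value)
    ip: str
    title: str
    cvss_base: float

def internal_pci_remediation_list(findings, custom_rankings=None, ignored=None):
    """Findings that must be fixed for internal PCI (effective ranking == High).
    custom_rankings: {qid: "High"|"Medium"|"Low"} Custom Risk Ranking overrides,
      applied per QID (raise a Medium, or lower a High via a search list
      exception so it drops out of the internal scope).
    ignored: {(ip, qid)} instances closed with Close/Ignore (reviewed false
      positives or exceptions); these never appear on later reports."""
    custom_rankings = custom_rankings or {}
    ignored = ignored or set()
    required = []
    for f in findings:
        if (f.ip, f.qid) in ignored:
            continue
        ranking = custom_rankings.get(f.qid, default_ranking(f.cvss_base))
        if ranking == "High":
            required.append(f)
    return required

# Constructed sample findings, not real scan output.
SAMPLE_FINDINGS = [
    Finding(100001, "10.0.0.5", "Outdated TLS configuration", 7.5),
    Finding(100002, "10.0.0.5", "Weak cipher suite offered", 5.0),
    Finding(100003, "10.0.0.7", "Server banner disclosure", 2.6),
    Finding(100001, "10.0.0.9", "Outdated TLS configuration", 7.5),
]

def demo():
    """Article's example: raise QID 100002 (CVSS 5.0) to High; ignore the
    10.0.0.9 instance of QID 100001 as a reviewed false positive."""
    result = internal_pci_remediation_list(SAMPLE_FINDINGS,
        custom_rankings={100002: "High"}, ignored={("10.0.0.9", 100001)})
    return [(f.ip, f.qid) for f in result]
```

Lowering a High via `custom_rankings={100001: "Medium"}` removes both instances of that QID from the internal list, which is exactly why such exceptions deserve the documented justification the Ignore comments field asks for.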
In summary, the recent changes to the PCI-DSS help to provide additional clarity as to the minimum requirements for internal remediation, as well as provide a uniform framework that allows greater in-house control of what is a high risk vulnerability, thereby allowing merchants to better focus their efforts on those items that pose the greatest risk to their environment. Qualys' New PCI Scan Report Template allows merchants to focus on high severity items, as required for PCI internal compliance, and provides additional workflows for managing vulnerability exceptions internally.