How do you know you’re doing it right?
You need to scan all IPs which are allocated to systems which are in scope for assessment. Scope of assessment is based on systems storing, processing or transmitting cardholder data or being connected to systems handling cardholder data. For your external vulnerability scan, you must use an Approved Scanning Vendor (ASV) and scan all public facing interface addresses of in-scope systems.
If you do not know the full extent of your scope then you need to take a step back and review your network diagrams and data flows to understand the scope of compliance requirements. If your scope has not been reduced based on the issued guidance on network segmentation or removal of cardholder data, the chances are that your entire network is in scope and all systems and interfaces must be scanned.
'Doing it right' for PCI means having a passing vulnerability scan for all in-scope systems per quarter.
This means you have achieved a 'pass' according to the risk ranking used for internal vulnerabilities, based on CVSS scoring. For external scans, it means the ASV has not identified any 'PCI Fail' vulnerabilities on your external interfaces and websites.
Depending on your risk appetite and management of security, 'doing it right' may mean something quite different. Performing more regular scans and remediation exercises on systems in-scope and out-of-scope should mean the following:
- You will identify vulnerabilities across all environments
- You will identify vulnerabilities earlier
- You will not face a backlog of vulnerabilities to remediate prior to the end of the quarter
All of the above can help to reduce the overall security risk to the business for cardholder and non-cardholder systems.
A practical approach to achieving passing scans for PCI while maintaining a vulnerability scanning strategy for your entire organisation is to use scanning profiles. You could use a single profile for in-scope environments and alternate profiles for other environments, perhaps based on criticality to the business. For PCI scans, a passing scan result can be submitted for compliance quarterly, reporting requirements are based on the categorisation of the business. For other scans, reducing risk using an internally agreed risk ranking system, documenting a baseline and reducing the risk of that baseline over time may be a sensible objective.
Using schedules, you might alter scan frequency for various environments depending on identified risk factors.
The following is extracted from the PCI SSC issued ASV program guide…
The scan customer may dispute the findings in the ASV scanning report including, but not limited to:
- Vulnerabilities that are incorrectly found (false positives)
- Vulnerabilities that have a disputed CVSS Base score
- Vulnerabilities for which a compensating control is in place
- Exceptions in the report
- Conclusions of the scan report
- List of components designated as segmented from PCI-scope by scan customer
A false positive means that a vulnerability has been identified in a system which could not or does not exist on that system. For example, an IIS vulnerability identified on an Apache server or an openSSH vulnerability identified where you can evidence the vulnerability is not present on the version in use. When you have identified and proven a false positive, inform your ASV (or flag as a false positive in your scanning tool). The false positive flag should not identify this vulnerability for 1 year. At that point, you'll need to flag it as a false positive again (if it is still identified as such).
A compensating control for a vulnerability scan is the same as any other compensating control. There must be a valid business or technical justification as to why you cannot meet the requirement and the compensating control in place must at least satisfy the intent and vigour of the original requirement. You must also have a methodology for validating and maintaining the compensating control. It is the responsibility of your QSA to approve any compensating controls in use as part of the assessment process.