Purpose

This document describe how to perform a PCI Scan.

Introduction

Outpost24 is a certified Approved Scanning Vendor (ASV) by the PCI Security Standards Council and offers OUTSCAN PCI, an extension of the OUTSCAN vulnerability management tool designed specifically to verify and prove PCI DSS compliance. OUTSCAN PCI examines network perimeters, identifies vulnerabilities and inventories actionable remedies, and can repeatedly scan until all criteria are met to effectively protect the integrity of cardholder data and verify compliance.

Performing a PCI Scan

For a successful PCI DSS scan, perform the following steps.

Add Targets

Caution!

Filling in IPs but not hostnames, causes VHOST lookups to fail during scanning, causing SSL/TLS certificate validation errors.


  1. Click on the Scope tab.
  2. In the Target field, click New to open the Add New PCI Target window.

    Note

    If this is the first time the PCI scan is performed, the Add New PCI Target window opens automatically.

     
    Add New PCI Target

  3. Add known targets by IP or host-name, and their respective network range.
    This immediate initialize a port scan of the whole network range, originating from the OUTSCAN scanning range (91.216.32.0/24). This is performed in accordance with the PCI DSS requirements regarding how to define your PCI DSS scope for external scanning.

    Targets
    Provide a newline separated list of all IP addresses with comma separated list of domains that are in scope for PCI ASV assessment.

    Example:

    192.168.200.1
    192.168.200.1|www.example.org,example.org
    192.168.200.1/24
    192.168.200.3-192.168.200.15
    host.domain.com


    Target Ranges
    Provide a newline separated list of IP ranges that are in scope for PCI ASV assessment.
    Example:

    192.168.200.1/24
    192.168.200.3-192.168.200.15
    host.domain.com
  4. Click Save.
  5. Manually confirm or delete unsupplied targets from the PCI DSS scope that were detected.

    Note

    You are required to confirm or delete these targets from the PCI DSS scope. If you have any questions regarding if they should be included in the scope or not, refer to the Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedures Version 3.2 April 2016, your QSA or us (the ASV) for target.

  6. Once the scope of targets has been defined, Click New in the Scans field to open the Maintaining Scan Schedule.
  7. Select a time and date when the scan should be performed and click Save, or click Scan Now to start the scan manually.

    Note

    The PCI DSS requires you to provide compliant reports on a quarterly basis. It is recommended to perform the scan well in advance of this date to have time to resolve any new and unexpected risks/issues.

Report

Once the scan has finished, you receive an email notification and you can log in to see the report. The report state if you are compliant or not and this information is included in all the sections, so you can determine which issues are causing any compliance failure.

Address and resolve all vulnerabilities that are affecting the PCI DSS compliance.

Should a finding be wrong or report on the wrong premises (false positive). Then you can right click on the entry and select the option Dispute. To successfully dispute a finding, provide a full chain of evidence (when, where, and how) along with the documentation.

Note

That disputes are NOT to be submitted to the PCI SSC. Should you need help, such as what to present in the dispute, contact the Outpost24 Support.


Any findings that cannot be re-mediated may be mitigated by having compensating controls put in place. Refer to the Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedures Version 3.2 April 2016 (Appendix B and C) for further information regarding requirements for compensating controls.

Note

Some findings require a special note to be supplied where you justify the business need for the detected service. If any comments are required, a dialog window opens before the report is exported. It is also possible to add the Special Note field to the reporting grid to determine their presence earlier, right clicking on the entry displays the option Comment special note in the context menu.


Export Report

A report can be exported using the Export Report option visible on the bottom left of PCI Scanning window. Reports can be customized using different reporting formats, types and levels.

Export Report


Format

A report can be exported in the most commonly and widely used document formats.

The available reporting formats are as follows:

  • PDF: This is the most commonly used reporting format. The reports generated in PDF format can be password protected.
  • Excel: The reports generated using excel format, have a lot of tabular information, which can be useful when reporting information to IT/Security department or similar divisions.
  • XML: This format is the default industry standard used for data exchange and integration. The reports generated in XML format are typically used for integration and automation.

Report Type

There are several report types, depending on the setup and license not all of them will be visible. Based on the type of scan and the type of information, select the corresponding report type.

  • PCI Report
  • Vulnerability
  • Group Vulnerability
  • Web App Discovery

Report Level

The report level helps you manage reports based on management hierarchy. It helps you generate the correct report based on how much information is needed and in which form. It can be observed that the information varies in the figures above, thus making each report exclusive depending on its functionality and audience.

There are three reporting levels:

  • Detailed
  • Summary
  • Management 

Detailed

The Detailed report is the longest report that can be generated. It has in depth technical information about findings, targets, risk-levels, CVSS, report and additional information about the finding. The report contains six chapters and has detailed information about all the vulnerabilities and targets. This report is mostly directed towards system administrators and security consultants in an organization. 

Summary

The Summary report is the ideal sized report with report information, executive summary and target summary. This report provides just about the right information required by the IT department of any organization. 

Management

The Management level report gives us a summary of the vulnerabilities and risks reported. It gives a good graphical overview of findings, risks, and top solutions. This report is ideal while reporting to higher management.

Other Information

Name

Provide the name of the report in this section. If left blank, a name is created as per the selected options. 

Email Address

Supply an email address in this field to send the report via email instead of downloading.

Note

The email address can be set globally in the Settings menu in top right corner.


Password

Enter a password in this field to password protected the report.  

Note

The password can be set globally in the Settings menu in top right corner.


Include Attachments (Zip)

If selected, the exported report is compressed with zip compression as standard.

Acknowledgements

After clicking Export, the Acknowledgement window is displayed. Select the boxes that apply and click Save to complete the export.

Note

That the four first tick boxes need to be selected before saving and committing the export.

Acknowledgements

Glossary

AbbreviationDescription
ASVApproved Scanning Vendor
CVECommon Vulnerabilities and Exposures
CVSSCommon Vulnerability Scoring System
DSSData Security Standard
PCI

Payment Card Industry

QSAQualified Security Assessor

Reference

PCI Compliance Scanning

External Reference

1)    Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedures Version 3.2 April 2016