Last updated at Tue, 25 Jul 2017 15:54:36 GMT

Every Customer, (Merchants, Service Providers), should be acquainted with the fact that they must assign their quarterly external scans to an Approved Scanning Vendor certified by the PCI Council. What is less known is that external scans conducted after network changes and in between quarterly scans, as well as quarterly internal scans, may be performed by the company's internal staff as long as they are "qualified" and use "appropriate tools".

"Qualified Staff", "Appropriate tools", What does that mean?

So far the PCI Council has been sparing with clarification of those terms. If your Organization is subjected to on-site audits it's up to the auditors, (QSA or ISA), to determine the pertinance of the scan solutions and the level of qualification of your staff. If you aren't subject to on-site audits, these aspects could be evaluated by a forensic investigator upon compromise. On both cases, you'd better be on the safe track.

While we are waiting for clarification from PCIco, let me share with you my personal understanding of what is expected from internal, "Qualified," staff and, "Appropriate," tools within the context of quarterly and adhoc internal scans.

Qualified Staff

"I've never laid an egg in my life. And yet I feel more qualified than a chicken to judge the quality of an omelette" - Max Favalelli

To be considered qualified, your internal staff should be continuously educated, (trained, certified   collect of CPE points), within the context of IT network scanning and IT vulnerability management. More specifically, they should possess up-to-date technical knowledge, skills, and ability to identify, assess, and report IT related vulnerabilities and misconfiguration through the use of your appropriate scanning tools.

In addition to the technical abilities, your staff should be familiar with the following considerations applicable to ASV such as:

  • Scope determination
  • Management of false positives/false negatives,
  • Determination of CVSS scoring and their exceptions
  • Determination of the severity levels based on the NVD and CVSS scoring
  • Management of interferences such as IDS/IPS, Firewalls
  • Determination of PASS/FAIL status.
  • Vulnerabilities and misconfigurations leading to immediate failure such as the identification of default accounts and passwords.
  • Quality Assurance

Appropriate tools

"A bad workman always use bad tools" - Quebec quote.

The scanning tools are as important as the knowledge, skills, and ability of the staff. To be considered, "appropriate," a scanning tool should fit the PCI requirements that are described in the ASV program guide.

  • Be non-disruptive
  • Perform host discovery
  • Perform service discovery on all TCP and common UDP ports
  • Perform OS and Service fingerprinting
  • Cover all platforms used on the organization IT infrastructure
  • Report vulnerabilities that have a reasonable level of identification certainty and all the others (Potential vulnerabilities)
  • Regularly updated (baseline of vulnerabilities).
  • Perform authentication checks
  • Report vulnerabilities and misconfigurations on: firewall, operating systems, database servers, web servers, application servers, DNS servers, Mail servers, Web applications, Common services, Wireless access points.
  • Detect built-in accounts backdoors and other malicious programs
  • Detect the presence of SSL/TLS and associated encryption & signature algorithms, certificate validity
  • Detect remote software
  • Report associated CVSS score
  • Determine PCI Severity and Compliance according to CVSS scoring
  • Fail any vulnerability and misconfigration associated with a CVSS score equal to 4 or above.
  • Provide guidance to solve identified issues
  • Provide a risk score for all vulnerabilities.
  • Pass any Denial of service vulnerability.
  • Fail any vulnerability and misconfigration associated with a CVSS score equal to 4 or above.
  • Fail the following issued independently of the CVSS Score:

o    Default accounts and passwords,

o    DNS  unrestricted zone transfer

o    Unvalidated parameters that lead to SQL injection attacks

o    Cross-site scripting (XSS) flaws

o    Directory traversal vulnerabilities

o    HTTP response splitting/header injection

o    Backdoors, malware, rootkits, and Trojans

o    SSL version 2.0 or earlier version

Results should preferably be presented through a high level and detailed perspectives.

  • The High level perspective should include the overall compliance as well as the component compliance listed by IP address and of course the scan date and name of the manager of the scanning team.
  • The detailed perspective should include all vulnerabilities along with the affected IP(s), detailed information, fixing guidances, CVSS score, PCI Severity, Compliance status and a note in case of exception or false/positive.

Note: ASV scanning solutions have been configured in such a way to support the above requirements. The best tactic would be to choose one of these solutions which are available for internal usage.


ASV program guide


Have you ever wondered about and tried to get clarification around these terms?

What is your understanding of "Qualified" and "Appropriate"?

Do your scanning tools and staff comply with the proposed approach?

Is this newsletter valuable for the security community?

Make sure to check out our previous newsletter #20 - PCI DSS and SANS Top 20 Critical Security Controls: The Sumo match.