In today’s security environment, accurate PCI assessments are an important part of an overall security strategy. I have been looking more closely at approved scanning vendor (ASV) scans under requirement 11.2 and have noticed that many users are not configuring the scans correctly. It’s a long story how this came to light (this is not a new requirement), but the short version is that organizations should configure their ASV scans to cover all known URLs and domain names, not just the IP address ranges.

How to Fix ASV Scan Configuration to Include All Known URLs

In Qualys, which many companies use for ASV scanning, the PCI wizard prompts each entity to do this. Review your existing process now; if it does not include entering all URLs, domain names and similar entry points, as required by the ASV Program Guide (quoted below), add them and rerun your most recent scan.

I’ll walk you through the Qualys settings and how they should be configured. (I’m not picking on or endorsing Qualys, but since so many people use it, it’s the best example.)

In the PCI version of Qualys, click on Asset Wizard.

Then the asset list comes up. If it’s blank, the scan is almost guaranteed to be incorrectly configured.

Then add your full domain information AND the URL paths, including paths to directories that cannot be reached by crawling the site from the home page.

Then you will be asked about load balancers. Answer this accurately: the ASV Program Guide requires scan customers to disclose load balancers and to confirm that the systems behind them are configured identically, because the scanner may only reach one of the load-balanced hosts.

Finally, when everything is entered correctly, the summary at the bottom of the screen should list the domain names and URL paths alongside the IP ranges, not the IP ranges alone.

Additionally, it may help to periodically refresh your memory on certain PCI requirements. I would encourage everyone to read the entire ASV Program Guide, but for brevity I have copied the section with the specific guidance regarding URLs, starting on page 12.

Scan Customers Provide Internet-facing IP Addresses and Domains

In addition to providing all external-facing IP addresses, the scan customer must also supply all fully qualified domain names (FQDN) and other unique entryways into applications for the entire in-scope infrastructure. This includes, but is not limited to:

  • Domains for all web-servers
  • Domains for mail servers
  • Domains used in name-based virtual hosting
  • Web-server URLs to “hidden” directories that cannot be reached by crawling the website from the home page
  • Any other public-facing domains or domain aliases
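Before entering scope into the wizard, it is worth reconciling the FQDN inventory against the IP ranges already given to the ASV. The following is an added example, not code from the original post or from Qualys: it uses a constructed inventory and constructed DNS answers (the example.com names, 203.0.113.0/28 and the addresses are illustrative) so it runs offline, and flags the gaps the guide's list is meant to catch: names that resolve outside the declared ranges, names that no longer resolve, several names sharing one IP (name-based virtual hosts that an IP-only scan cannot all reach), and "hidden" URLs whose host was never listed.

```python
import ipaddress
import socket
from typing import Callable, Dict, List
from urllib.parse import urlparse

# Constructed inventory for the example (not from the original post). These are
# the entry types the ASV Program Guide says a scan customer must disclose.
DECLARED_IP_RANGES = ["203.0.113.0/28"]  # what was handed to the ASV
DECLARED_FQDNS = [
    "www.example.com",      # web server
    "shop.example.com",     # name-based virtual host, same IP as www
    "mail.example.com",     # mail server
    "example.com",          # bare-domain alias
    "legacy.example.com",   # forgotten host that lives outside the range
    "gone.example.com",     # stale DNS name that no longer resolves
]
HIDDEN_URLS = [
    "https://shop.example.com/admin-old/",        # not linked from the home page
    "https://portal.example.com/.well-known/",    # host missing from the FQDN list
]

# Constructed DNS answers so the example runs offline; pass resolve=dns_resolve
# to reconcile_scope() to use the system resolver instead.
FAKE_DNS: Dict[str, List[str]] = {
    "www.example.com": ["203.0.113.5"],
    "shop.example.com": ["203.0.113.5"],
    "example.com": ["203.0.113.5"],
    "mail.example.com": ["203.0.113.9"],
    "legacy.example.com": ["198.51.100.20"],
}


def fake_resolve(name: str) -> List[str]:
    """Offline stand-in for DNS, backed by the constructed FAKE_DNS table."""
    return FAKE_DNS.get(name, [])


def dns_resolve(name: str) -> List[str]:
    """IPv4 addresses for a name via the system resolver, [] if it does not resolve."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def reconcile_scope(ip_ranges: List[str], fqdns: List[str], hidden_urls: List[str],
                    resolve: Callable[[str], List[str]] = fake_resolve) -> Dict[str, object]:
    """Cross-check the FQDN inventory against the IP ranges given to the ASV.

    Returns the findings a scan customer should act on before submitting scope:
      out_of_range             FQDNs with addresses outside every declared range (scope gap)
      unresolved               FQDNs that no longer resolve (stale inventory or a typo)
      vhosts_sharing_ip        IPs carrying several names; an IP-only scan sees one vhost at most
      hidden_url_unknown_host  hidden URLs whose host is not in the FQDN list
      targets                  the combined list to enter in the scan wizard
    """
    nets = [ipaddress.ip_network(r, strict=False) for r in ip_ranges]
    out_of_range: Dict[str, List[str]] = {}
    unresolved: List[str] = []
    per_ip: Dict[str, List[str]] = {}

    for name in fqdns:
        addrs = resolve(name)
        if not addrs:
            unresolved.append(name)
            continue
        outside = [a for a in addrs
                   if not any(ipaddress.ip_address(a) in net for net in nets)]
        if outside:
            out_of_range[name] = outside
        for a in addrs:
            per_ip.setdefault(a, []).append(name)

    declared = set(fqdns)
    unknown_hosts = [u for u in hidden_urls if urlparse(u).hostname not in declared]

    # Out-of-range addresses still belong in scope; they go in with the ranges so
    # the scan covers them until the declared ranges are corrected.
    extra_ips = sorted({a for ips in out_of_range.values() for a in ips})
    targets = (list(ip_ranges) + extra_ips
               + [n for n in fqdns if n not in unresolved] + list(hidden_urls))

    return {
        "out_of_range": out_of_range,
        "unresolved": unresolved,
        "vhosts_sharing_ip": {ip: names for ip, names in per_ip.items() if len(names) > 1},
        "hidden_url_unknown_host": unknown_hosts,
        "targets": targets,
    }


if __name__ == "__main__":
    for key, value in reconcile_scope(DECLARED_IP_RANGES, DECLARED_FQDNS, HIDDEN_URLS).items():
        print(f"{key}: {value}")
```

The `targets` list is what belongs in the wizard: ranges, every resolvable name, and the hidden URLs. Any entry under `out_of_range` or `hidden_url_unknown_host` means the inventory handed to the ASV was incomplete, and the scan should be rerun once it is corrected.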

Making this change to your scan configuration results in a smoother and more accurate scan, and a more effective and productive assessment: an IP-only scan reaches at most one site on a host that uses name-based virtual hosting, so every other application served from that address goes untested.

For more information, contact Stewart Fey, or 615-309-2479.