
PCI Compliance

Agenda
• PCI Compliance Overview and Setup (LAB 1)
• PCI Compliance Scanning (LAB 2)
• PCI Compliance Reporting (LAB 3)
• Web Application Scanning for PCI
• Self Assessment Questionnaire (LAB 4)
• Qualys Policy Compliance (PC) (LAB 5)
PCI DSS BASICS

3 Qualys, Inc. Corporate Presentation


PCI Data Security Standard
Data Security Standard¹:
• The DSS was built to provide a framework for cardholder data security.
• It is an outline of requirements, both technical and operational, for protecting that data.

[Figure: the PCI compliance cycle: 1. Assess, 2. Repair, 3. Report]

¹ https://www.pcisecuritystandards.org/
PCI Stakeholders
Payment Brands – Defines Compliance Standards
Acquirer – Bank that verifies compliance
Approved Scanning Vendor – Required by PCI DSS for
performing PCI compliance scans
Scan Customer or Merchant – Responsible for defining
PCI scope and maintaining compliance with the PCI DSS.
PCI Security Standards Council

Founded in 2006 by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa, Inc.

“The PCI Security Standards Council is a global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection.”¹

¹ https://www.pcisecuritystandards.org/
Role of the PCI SSC

[Figure: the PCI Security Standards Council outlines the PCI Data Security Standard, certifies Approved Scanning Vendors, certifies Qualified Security Assessors, and publishes the Self Assessment Questionnaire. The DSS is shown as validated requirements, requirements and recommendations.]

http://www.pcisecuritystandards.org
PCI DSS¹
1. Install and maintain a secure firewall configuration to protect cardholder data.
2. Do not use vendor supplied defaults for system passwords and other security parameters.
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
5. Protect all systems against malware and regularly update anti-virus software or programs.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data by business need to know.
8. Identify and authenticate access to system components.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security for all personnel.

¹ Navigating the PCI DSS (v3.2) from https://www.pcisecuritystandards.org/document_library?category=pcidss&document=pci_dss
Approved Scanning Vendor

To become an Approved Scanning Vendor (ASV), Qualys completed the following requirements:
1. Applied as a company
2. Completed the scanning vendor testing and approval process
3. Executed an agreement with the PCI SSC
ASV Responsibilities and Requirements

• Perform external vulnerability scans without IDS/IPS interference, and determine if the scan customer passed the assessment.
• Submission of the Attestation of Scan Compliance sheet.
• No dangerous or disruptive testing (scans do not intentionally alter or penetrate the customer environment).
• Provide a means for the scan customer to dispute the findings of the ASV’s scan.
• PCI reporting.
• Consulting with the scan customer to determine if the IP addresses found are included in scope.
• Retain results for at least 2 years.
• Perform host and service discovery, OS fingerprinting.
• Account for load balancers.

Source: https://www.pcisecuritystandards.org/documents/asv_program_guide_v2.0.pdf
PCI SCOPE

Cardholder Data Environment

• The cardholder data environment (CDE) is comprised of people, processes and technologies that store, process, or transmit cardholder data or sensitive authentication data.

Note: The primary account number (PAN) is the defining factor for cardholder data. If cardholder name, service code, and/or expiration date are stored, processed or transmitted with the PAN, they must be protected in accordance with applicable PCI DSS requirements.
Scope of PCI DSS
• PCI DSS applies to all system components that store, process, or
transmit cardholder data and/or sensitive authentication data.
• The PCI DSS requirements apply to all system components
included in or connected to the cardholder data environment.
• “System components” include network devices, servers, computing
devices, and applications.

Source: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf
Network Segmentation

Network segmentation is not a PCI DSS requirement. However, it makes good sense because it may reduce:
• The scope of the PCI DSS assessment
• The cost of the PCI DSS assessment
• The cost and difficulty of implementing and maintaining PCI DSS controls
• The risk to an organization (reduced by consolidating cardholder data into fewer, more controlled locations)

Source: https://www.pcisecuritystandards.org/documents/pci_dss_v3.pdf
QUALYS COVERAGE OF PCI DSS

Qualys Coverage of PCI DSS Requirements

• 11.2.2 External Scan (with Advanced Workflow)
  o False Positive Submission
  o Qualys Attestation
  o Compliance Report Submission to Acquiring Bank
• 6.6 Web Application Scanning
• 1.1.6 Open Services Report
PCI Advanced Workflow

[Figure: the PCI advanced workflow: review scan results → remediate vulnerabilities → submit false positives from the Current Vulnerabilities list (Qualys approval / request review) → generate compliance reports → counter-signed attestation → certified report → submit to the acquiring bank.]
Additional Qualys Coverage
Qualys Vulnerability Management (VM)
• 11.2.2 External Scan (PCI Option Profile)
• 11.2.1 Internal Scan
• 6.1 Ranking of Internal Vulnerabilities (PCI Report Template)
Qualys Web Application Scanning (WAS) and Web Application Firewall (WAF)
• 6.6 Web Application Scanning
Qualys AssetView (AV)
• 2.4 Inventory of in-scope components
Qualys Policy Compliance (PC)
• PCI DSS Mandate (requirements 1 – 12)
QUALYS PCI COMPLIANCE APPLICATION

Home Page

[Screenshot: the PCI Compliance home page, showing Compliance Status, Network, Scans and SAQ, the left navigation pane, and Quick Answers and Help.]

Navigation

Click any section in the left navigation pane to see a list of options.
Users

All users have the same access privileges.


Symantec VIP

Use two-factor authentication to access your account.

• Activate Symantec VIP for two-factor authentication.
• Download the Symantec VIP app to your smart phone or tablet.
Account Settings

• Edit merchant name and address
• Add your bank’s information – necessary for submitting the report
• Subscription information
IP Assets

• View existing IP addresses and domains.
• Add/remove IPs.
• View out-of-scope IPs.
• Launch a discovery scan.
Getting started - IP Wizard
PCI COMPLIANCE SCANNING

Qualys Cloud Platform

[Figure: the Qualys Cloud Platform. The Qualys platform (strong data encryption, firewalls, IDS, TLS communications) is used by the Qualys user; the external scanner pool scans external assets and cloud assets at IaaS providers, and an internal scanner appliance in the corporate environment scans internal assets.]

Appliances support Vulnerability Management, Policy Compliance, and Web Application Scanning.
PCI DSS Requirement 11.2

Run internal and external network vulnerability scans at least quarterly and after any significant change in the network, such as:
• new system component installations
• changes in network topology
• firewall rule modifications
• product upgrades
PCI DSS 11.2.2
External Scanning

• “Perform quarterly external vulnerability scans, via an Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC).
• Perform rescans as needed, until passing scans are achieved.”
Scanning Lifecycle
PCI Workflow for External Scanning

[Figure: the external scanning workflow: log in → run the New Asset Wizard → connect and share → scan → review scan results → remediate vulnerabilities → submit false positives from the Open Vulnerabilities page → approval → open the Compliance Status page → submit attestation → counter-signed approval → certified report → submit to the acquiring bank.]
PCI Network Scanning

Network scans target external facing hosts within your PCI scope.
PCI Network Scanning
Scheduled Scans

Automate your PCI scans using the Qualys Scheduler.

Bandwidth Options

Bandwidth presets (High, Medium, Medium-Low, Low, Lowest) allow you to control the amount of network bandwidth consumed by the PCI scan traffic.
Scan Results

Download and view any scan result.

Vulnerability List

[Screenshot: the vulnerability list, with search by IP, filtering mechanisms, the vulnerabilities, their severity level and vulnerability details.]
Compliance Scanning Objective

So, what do we REALLY need to fix for PCI compliance?
Answer: Fix the vulnerabilities with the fail flag.

Sort by PCI Fail Vulnerabilities.

Vulnerabilities – PCI Pass/Fail

• Qualys PCI uses the CVSS Base score provided by NIST.
• If no CVSS score exists, the service provides one.
PCI Fail Summary
False Positives

• All false positives need to be submitted every quarter, and approved by your ASV.
  o Approved false positives carry a 90 day life
  o Qualys PCI automates the false positive submission process
• Submit false positives 2 weeks before any deadline.
• Approved false positives will be displayed in your generated PCI reports.
False Positive
Request for Review
• Submit the request from the “Current Vulnerabilities” list.
• Repeat steps two and three multiple times before submitting a false positive.
• Process repeats every 90 days.

[Figure: the false positive cycle: 1. Scan your environment. 2. Fix all vulnerabilities. 3. Rescan to verify all vulnerabilities are fixed. 4. Submit false positives. 5. Verify false positives are approved. 6. Reporting process.]
PCI COMPLIANCE
WITH
VULNERABILITY MANAGEMENT

Qualys Vulnerability Management (VM)

• 11.2.2 External Scan (PCI Option Profile)
• 11.2.1 Internal Scan
• 6.1 Ranking of Internal Vulnerabilities (PCI Report Template)
Link PCI to VM
Scan with PCI Option Profile

Perform external scans (PCI 11.2.2) using an external scanner appliance.

Export External Scans to Qualys PCI

Export scan results to Qualys PCI in the preview pane.

Alternatively: run the final scan in the PCI Compliance application, after verifying results in VM.
PCI DSS 11.2.1
Internal Scanning

• “Perform quarterly internal vulnerability scans and rescans as needed, until all “high-risk” vulnerabilities (identified in Requirement 6.1) are resolved.”
• Ranking of internal vulnerabilities changed from recommendation to requirement (6.1 req.) on June 30, 2012.
Internal Scanning Approach
Recommended:
1. Scan with “Initial Options” Option Profile
2. Report using PCI Scan Report Template
3. Remediate all High Severity (CVSS 7-10) Vulnerabilities
Internal Scan Report Template

• Scan internal systems for PCI compliance (PCI 11.2.1) using Qualys VM
• Rank internal vulnerabilities per the 6.1 requirement
Internal Scanning and Ranking

[Figure: the internal scanning and ranking cycle: scan hosts within the internal PCI scope → create a PCI Scan template and run a report → remediate the “High” vulnerabilities → scan again to verify those vulnerabilities are fixed → report using the template to verify a clean internal report.]
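As an added illustration of the 6.1 ranking and the 11.2.1 rescan steps above (example code written for this page, not Qualys product code), the following Python ranks constructed scan findings by CVSS Base score and compares a rescan against the initial scan to decide whether the internal report is clean. The 7.0-10.0 "High" band is the one the text states; the Medium/Low split at 4.0 follows the NVD CVSS v2 bands, and treating unscored findings as blocking is an assumption.

```python
"""Rank internal scan findings per PCI DSS 6.1 and verify a rescan per 11.2.1.

Added example for this page; the findings below are constructed, not real scan data.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    host: str
    qid: int                    # vulnerability ID (constructed values below)
    title: str
    cvss_base: Optional[float]  # None when no CVSS Base score is available


def rank(cvss_base: Optional[float]) -> str:
    """Map a CVSS Base score to a ranking.

    7.0-10.0 is "High", as the text states. The Medium/Low split at 4.0 follows the
    NVD CVSS v2 bands (assumption). A missing score is reported as "Unscored" so it
    gets a manual look rather than silently passing (assumption).
    """
    if cvss_base is None:
        return "Unscored"
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError(f"CVSS Base score out of range: {cvss_base}")
    if cvss_base >= 7.0:
        return "High"
    if cvss_base >= 4.0:
        return "Medium"
    return "Low"


def must_remediate(findings: Iterable[Finding]) -> List[Finding]:
    """Findings that block a clean internal report: High ones, plus Unscored ones.

    Sorted highest score first so the remediation list reads top-down.
    """
    blocking = [f for f in findings if rank(f.cvss_base) in ("High", "Unscored")]
    return sorted(blocking, key=lambda f: (-(f.cvss_base or 0.0), f.host, f.qid))


def _key(f: Finding) -> Tuple[str, int]:
    return (f.host, f.qid)


def verify_rescan(initial: Iterable[Finding], rescan: Iterable[Finding]) -> Dict[str, object]:
    """Compare a rescan against the initial scan (the "scan again to verify" step).

    Returns:
      fixed - blocking findings from the initial scan no longer detected
      open  - blocking findings still present in the rescan
      new   - blocking findings first seen in the rescan
      clean - True when nothing blocking remains, i.e. the internal report is clean
    """
    before = {_key(f): f for f in must_remediate(initial)}
    after = {_key(f): f for f in must_remediate(rescan)}
    return {
        "fixed": [f for k, f in before.items() if k not in after],
        "open": [f for k, f in after.items() if k in before],
        "new": [f for k, f in after.items() if k not in before],
        "clean": not after,
    }


# Constructed sample data: an initial internal scan and the rescan after remediation.
INITIAL_SCAN = [
    Finding("10.0.1.10", 90001, "Outdated OpenSSL library", 7.5),
    Finding("10.0.1.10", 90002, "Weak TLS cipher suites offered", 4.3),
    Finding("10.0.1.11", 90003, "Remote code execution in web server", 10.0),
    Finding("10.0.1.12", 90004, "Vendor-specific issue (no CVSS score)", None),
]
RESCAN = [
    Finding("10.0.1.10", 90002, "Weak TLS cipher suites offered", 4.3),      # Medium: does not block
    Finding("10.0.1.11", 90003, "Remote code execution in web server", 10.0),  # still open
    Finding("10.0.1.12", 90005, "Default administrator credentials", 9.3),    # new since last scan
]


def print_report(initial: Iterable[Finding], rescan: Iterable[Finding]) -> None:
    """Print the remediation status the way a reviewer would read it."""
    result = verify_rescan(initial, rescan)
    for label in ("fixed", "open", "new"):
        for f in result[label]:
            print(f"{label:5} {f.host:12} QID {f.qid} {rank(f.cvss_base):8} {f.title}")
    print("internal report clean:", result["clean"])


if __name__ == "__main__":
    print_report(INITIAL_SCAN, RESCAN)
```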
Lab 2

Mapping and Scanning

COMPLIANCE REPORTING

Compliance Home

[Screenshot: the Compliance Home page, showing overall compliance status, in-scope IPs, a View Vulnerabilities link and a Download Report of Current Vulnerabilities link.]
Report Flow

Reports must be submitted to your acquiring bank on a quarterly basis. The reporting workflow begins at step 4.

[Figure: the report flow: 1. Scan → 2. Vulnerability remediation → 3. False positives process → 4. Generate report → 5. Submit report for attestation → 6. Receive report back from ASV → 7. Submit report to acquirer.]
Reports – Reporting Wizard

• Use the Report Generation Wizard to “help you review findings, perform required attestation, generate PCI network reports that you can later submit to your acquiring bank for PCI certification.”
Attest to Scan Compliance

• Merchant/Service Provider will submit the report to the ASV.
• ASV will sign the document.
Executive Report
Technical Report
Tracking Reports

• Generated
• Pending Review
• Attested
• Submitted
Submit to Bank

Once Qualys attests to your submission, you can then submit the report to your bank.
Report Submission Contents

The report will contain the following:
1. Coversheet with Attestation of Scan Compliance from the customer and Qualys.
2. Executive Summary containing the overall PCI score with any approved false positives and special notes.
3. Scan vulnerability details.
Acquiring Bank

• Validates merchant compliance.
• Reports to credit card companies.
DSS – Open Services
Section 1.1.6

“Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure.”
Open Services Report

Identify Authorized and Unauthorized services.
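The following Python, added here as an example and not part of the Qualys report, checks a constructed list of discovered open services against the 1.1.6 documentation of allowed services and flags unauthorized services, insecure protocols with no documented security features, and documented services no longer seen. The set of protocols treated as insecure is an assumption taken from the examples in the 1.1.6 guidance.

```python
"""Open Services Report check against PCI DSS 1.1.6 documentation.

Added example for this page, not part of the Qualys report. All hosts, ports and
justifications below are constructed (203.0.113.0/24 is a documentation range).
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

ServiceKey = Tuple[str, int, str]   # (host, port, "tcp" | "udp")


@dataclass(frozen=True)
class OpenService:
    host: str
    port: int
    proto: str
    service: str   # service name as reported by the scanner


@dataclass(frozen=True)
class Justification:
    business_justification: str
    security_features: str = ""   # must be filled in for protocols considered insecure


# Protocols treated as "considered to be insecure" for this check. The PCI DSS 1.1.6
# guidance gives FTP, Telnet, POP3, IMAP and SNMP v1/v2 as examples; which ones apply
# to your environment is an assumption you document yourself.
INSECURE_SERVICES = {"ftp", "telnet", "pop3", "imap", "snmp"}


def review_open_services(discovered: Iterable[OpenService],
                         documented: Dict[ServiceKey, Justification]) -> Dict[str, list]:
    """Classify every discovered service against the documented allow-list.

    authorized                - documented, and any insecure protocol has documented controls
    unauthorized              - open on the network but not documented at all
    missing_security_features - documented insecure protocol with no security features recorded
    stale_documentation       - documented but no longer observed (justification to retire)
    """
    report = {"authorized": [], "unauthorized": [],
              "missing_security_features": [], "stale_documentation": []}
    seen = set()
    for svc in discovered:
        key = (svc.host, svc.port, svc.proto.lower())
        seen.add(key)
        entry = documented.get(key)
        if entry is None:
            report["unauthorized"].append(svc)
        elif svc.service.lower() in INSECURE_SERVICES and not entry.security_features.strip():
            report["missing_security_features"].append(svc)
        else:
            report["authorized"].append(svc)
    report["stale_documentation"] = [key for key in documented if key not in seen]
    return report


# Constructed scanner output: services found open on the in-scope hosts.
DISCOVERED = [
    OpenService("203.0.113.10", 443, "tcp", "https"),
    OpenService("203.0.113.10", 22, "tcp", "ssh"),
    OpenService("203.0.113.10", 21, "tcp", "ftp"),
    OpenService("203.0.113.11", 3389, "tcp", "ms-wbt-server"),
    OpenService("203.0.113.11", 161, "udp", "snmp"),
]

# Constructed 1.1.6 documentation: business justification per allowed service.
DOCUMENTED = {
    ("203.0.113.10", 443, "tcp"): Justification("Customer checkout site"),
    ("203.0.113.10", 22, "tcp"): Justification("Remote administration",
                                               "key-based auth, source IPs restricted"),
    ("203.0.113.10", 21, "tcp"): Justification("Legacy partner file drop"),   # no controls recorded
    ("203.0.113.11", 161, "udp"): Justification("Monitoring", "SNMPv3 authPriv only"),
    ("203.0.113.12", 80, "tcp"): Justification("Decommissioned web server"),  # no longer open
}


def print_report(discovered: Iterable[OpenService],
                 documented: Dict[ServiceKey, Justification]) -> None:
    """Print the classification as an open services report."""
    report = review_open_services(discovered, documented)
    for label in ("authorized", "unauthorized", "missing_security_features"):
        for svc in report[label]:
            print(f"{label:26} {svc.host}:{svc.port}/{svc.proto} ({svc.service})")
    for host, port, proto in report["stale_documentation"]:
        print(f"{'stale_documentation':26} {host}:{port}/{proto}")


if __name__ == "__main__":
    print_report(DISCOVERED, DOCUMENTED)
```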


Lab 3

Compliance Report

WEB APPLICATION SCANNING

DSS 6.6 In-Scope
Web Applications
Address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods¹:

1. Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes. (Qualys WAS)
2. Installing an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of public-facing web applications, to continually check all traffic. (Qualys WAF)

¹ https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf
Qualys WAS
Overview

Automated Testing (Fault Injection)

• Primarily syntax-based checks:
  o submit “specially crafted” characters
  o observe the server’s response

Supplements Manual Testing Results

• Automated tools effectively detect Web application bugs.
• Human beings are much better at discovering program design flaws.
Automated Testing

Easily detected by automated tools:
• Cross site scripting
• SQL injection
• Command injection
• Misconfigurations

This represents 80 – 85% of Web application vulnerabilities.
Do Automated Tools Get Everything?

• Logic errors and design flaws: point of authentication vs. point of authorization
  o Forced browsing links - the user forces access to an unauthorized link.
• Permission errors: file system permissions have a significant impact on application security.
  o Public file share that has employee payroll and medical records.
These types of vulnerabilities typically require manual testing and detection.
Web Application Scanning

WASC www.webappsec.org
divides Web vulnerabilities into
six categories
• Authentication
• Authorization
• Client-side Attacks
• Command Execution
• Information Disclosure
• Logical Attacks
Web Application Scanning
Introduction to Web Application Security
Testing a Web App for Vulnerabilities

• Targeted protocols: HTTP and HTTPS (any port number).
• These are standard web app services and in most cases are open.

[Figure: DMZ and internal network zones.]
Web Application Architecture

[Figure: web application architecture: the client browser (IE, FF, Safari, iCab, etc.) talks HTTP/HTML to the web server, which fronts the application server and its application database; the application also connects to legacy services and merchant services, etc.]
Qualys WAS Lifecycle

[Figure: the WAS lifecycle: 1. Define the application → 2. Discovery scan → 3. Vulnerability scan → 4. Report.]
Qualys PCI
Web Application Setup

New Web applications are created in the ACCOUNT section of the navigation pane.
Qualys PCI
Web Application Auth Record
Crawl via authenticated or non-authenticated user.

Best Practice: Test Web applications from the perspective of multiple user levels.
Qualys PCI
Web Application Scan
Qualys PCI
Web App Scan Results
View Scan results and report
SELF-ASSESSMENT QUESTIONNAIRE

Merchant Level Requirements

Merchant Levels 2, 3, and 4 are eligible for the Security Assessment Questionnaire.
SAQ - A

Card-not-present Merchants, All Cardholder Data Functions Outsourced
• Third party handles processing, storage, and/or transmission of cardholder data.
• Merchant confirms third party handling of cardholder data is PCI DSS compliant.
• Merchant does not store or process cardholder data.
SAQ - B

Merchants with Only Imprint Machines or Standalone, Dial-Out Terminals
• Does not transmit cardholder data over a network (either internal or Internet).
• Standalone dial-out terminal not connected to other systems.
• No data stored in an electronic format.
SAQ - C

Merchants with Payment Application Systems Connected to the Internet
• Company has a payment application system and an Internet connection on the same device and/or same local area network (single store LAN only)
• The payment application system/Internet device is not connected to any other systems within
• Merchant does not store data electronically.
SAQ – C-VT

Merchants with Web-Based Virtual Terminals
• Company’s only payment processing is done via a virtual terminal accessed by an Internet-connected web browser.
• Computer is isolated and not connected to other locations or systems.
• Merchant’s VT is provided and hosted by a PCI DSS validated third party.
• No electronic storage of data.
SAQ - D

All Other Merchants and All Service Providers Defined by a Payment Brand as Eligible to Complete an SAQ
• All SAQ-eligible merchants not outlined in A, B, C, C-VT.
SAQ Tips

• Any answer of “No” is considered non-compliant.
• Yes, N/A, and Compensating Controls are the other options.
• “Compensating controls may be considered when an entity cannot meet a requirement explicitly as stated, …but has sufficiently mitigated the risk associated with the requirement through implementation of other controls.”
PCI SAQ v3 Content
Qualys Security Assessment Questionnaire (SAQ)
Lab 4

SECURITY ASSESSMENT QUESTIONNAIRE

POLICY COMPLIANCE

PCI DSS Mandate

Addresses areas in all twelve (12) requirements of the PCI DSS.


Lab 5

PCI DSS POLICY

Thank You

training@qualys.com

PCI Compliance
Training Labs
All Material contained herein is the Intellectual Property of Qualys and cannot be
reproduced in any way, or stored in a retrieval system, or transmitted in any form or
by any means, electronic, mechanical, photocopying, recording, scanning or
otherwise, without the express written consent of Qualys, Inc.

Please be advised that all labs and tests are to be conducted within the parameters outlined within the text. The use of other domains or IP addresses is prohibited.

Contents
PCI Compliance ........................................................................................................................................ 1
Training Labs ......................................................................................................................................... 1
Introduction ................................................................................................................................................. 3
Qualys and Internal Scanning .................................................................................................................. 3
Qualys and External Scanning .................................................................................................................. 4
Geographical Considerations ................................................................................................................... 4
Architectural and Network Considerations ............................................................................................. 4
Process Considerations ............................................................................................................................ 5
LAB 1: Account Activation and Setup .......................................................................................................... 6
Prerequisites/System Requirements ....................................................................................................... 6
Login to Qualys ........................................................................................................................................ 7
Update User Profile ............................................................................................................................... 10
General Information .......................................................................................................................... 11
User Role............................................................................................................................................ 11
Notification Options .......................................................................................................................... 12
Security .............................................................................................................................................. 13
Account Settings .................................................................................................................................... 14
Activate PCI Compliance Application ..................................................................................................... 15
LAB 2: PCI Scanning ................................................................................................................................... 18
External Scan using Vulnerability Management (VM) ........................................................................... 18
Share with PCI .................................................................................................................................... 20
External Scan using PCI Compliance ...................................................................................................... 22
Scan Results and Vulnerabilities ........................................................................................................ 23
Submit False Positive ............................................................................................................................. 26
LAB 3: PCI Compliance Reports.................................................................................................................. 28
Individual Host Vulnerability Report...................................................................................................... 28
Generate Compliance Reports............................................................................................................... 29
Open Services Report ............................................................................................................................ 31
LAB 4: Security Assessment Questionnaire ............................................................................................... 32
SAQ User Roles and Participants ........................................................................................................... 32
Create Recipient ................................................................................................................................ 32
Create Reviewer ................................................................................................................................ 33
Create Approver ................................................................................................................................ 34
Create a Campaign................................................................................................................................. 35

Answer Questions .................................................................................................................................. 39
Monitor Campaign Progress .............................................................................................................. 40
LAB 5: Policy Compliance PCI-DSS Policy ................................................................................................... 43
Policy Scope and Asset Groups .............................................................................................................. 43
Create Windows Compliance Asset Group ........................................................................................ 43
Create Unix Compliance Asset Group ................................................................................................ 44
Compliance Scanning ............................................................................................................................. 46
Authentication Records ......................................................................................................................... 46
Create Unix Authentication Record ................................................................................................... 46
Create Windows Authentication Record ........................................................................................... 48
Create Custom Compliance Profile ........................................................................................................ 50
Launch Compliance Scans ...................................................................................................................... 52
Unix Compliance Scan........................................................................................................................ 52
Windows Compliance Scan ................................................................................................................ 53
LAB 6: PCI mandate Report (30 min.) ........................................................................................................ 55
Add Technologies to Policy ................................................................................................................ 55
Define Policy Scope............................................................................................................................ 56
Add PCI controls to Policy .................................................................................................................. 57
Mandate Report Template .................................................................................................................... 59
Create Mandate Report ......................................................................................................................... 60
Viewing PCI Compliance Resources ........................................................................................................... 61
Contacting Support .................................................................................................................................... 61

Introduction
The purpose of this class is to familiarize you with the functionality of the Qualys PCI Compliance
application. The primary focus will be on the 11.2.2 requirement of the PCI Data Security Standard
(DSS).
PCI Compliance is an operational task. In order to properly manage this task, the following steps have
been outlined as best practices for use with Qualys PCI.
Here is an outline of tasks you will perform in this lab:
I. Obtain a Trial account – You will create your own trial account in this lab. You will use this
account to walk through the process for the 11.2.2 requirement.
II. Set up IP assets - Configure your IP addresses within the user interface, so they can be scanned
for PCI compliance.
III. Map (Discover) the network – Discover devices within the environment and verify the Qualys
scanners can reach the public, external IP addresses you’ll be scanning for compliance.
IV. Scan the network – Scan your network for vulnerabilities and review which ones you will need
to fix to be compliant.
V. Remediate any necessary risks – Patch/resolve the failing vulnerabilities for the IP addresses
which are part of your Cardholder Data Environment (CDE).
VI. Submit False Positives
VII. Report on scans – Build your reports, which will include an Executive and Technical Report.
VIII. Submit Attestation to ASV
IX. Submit Report to Acquiring Bank
Maintaining the ongoing progress of PCI Compliance is necessary for business and security purposes. In
order to process credit cards, you must be PCI Compliant. The process repeats itself every 90 days. The
Qualys PCI Compliance application will require a scan within 30 days of the report submission.
The labs within this workbook are based on the best practices outlined above, and each lab builds on the
last.

Planning Qualys PCI Compliance Deployment


While many of you will have already deployed Qualys Vulnerability Management or Qualys PCI in an
enterprise environment, there are still deployment considerations that can be useful as your
deployment scales to meet the needs of the enterprise. Qualys can help with your compliance initiative
in various locations of the PCI Data Security Standard. This particular class will focus on the external
11.2.2 requirement.

Qualys and Internal Scanning


While this class will focus on the external requirement, there are other parts of the DSS where Qualys
can help you with compliance. The 11.2.1 requirement of the DSS requires the scanning for
vulnerabilities on the internal Cardholder Data Environment (CDE).

The 6.1 requirement of the DSS now requires you to resolve all internal vulnerabilities classified as
“High”. Combined with the 11.2.1 requirement, it specifies the Scan Customer must rescan internally
until all vulnerabilities labeled as “High” are resolved.
This process differs, however, from the 11.2.2 requirement because there is no attestation process
needed.
You can use the Qualys Vulnerability Management application and a Qualys Scanner Appliance you’ve
installed in your environment to help you meet the 11.2.1 requirement of the DSS.

Qualys and External Scanning


The external scanning requirement of the DSS has a unique process. It involves several different parties
working together to achieve a common goal: PCI Compliance. To fully understand the requirement, you
need to understand the parties involved.
Payment Brands – The payment brands (e.g. Visa, MasterCard, etc.) are the entities enforcing the overall PCI standard.
Acquiring Bank (Acquirer) – The bank that processes the credit card payments for the merchant.
Approved Scanning Vendor (ASV) – A company approved by the PCI Security Standards Council allowing
it to perform external scans for the 11.2.2 requirement.
Scan Customer – The merchant or service provider required to be compliant. The Scan Customer will
use the scan solution provided by the ASV to meet the 11.2.2 requirement for compliance.
Qualys (and some Qualys Partners) is an Approved Scanning Vendor (ASV). As a Scan Customer, you will
use the service provided by the ASV to scan your environment for vulnerabilities. The Qualys PCI
interface allows you to go through the entire process for this 11.2.2 requirement.

Geographical Considerations
With most enterprises existing in multiple locations, geographic considerations need to be included in
the deployment design. Time zone challenges, manned and unmanned facilities do play a role in the
deployment.
The 11.2.2 requirement of the PCI DSS requires the publicly accessible IP addresses of your Cardholder Data Environment (CDE) to be scanned for vulnerabilities. The Qualys Cloud Platform allows you to scan those IP addresses (wherever they are in the world) with no additional software or equipment to maintain.

Architectural and Network Considerations


After any geographical considerations are taken into account, the next step needs to be determining the
best deployment for a given geographical location, based on architectural and network requirements.
Here are some considerations you might need to take into account when scanning a network for PCI
Compliance.
1. How many segments will need to be scanned?
a. How many hosts are on each segment?
b. Can you segment hosts off the network that don’t need to be scanned to
reduce the scope for PCI Compliance?

2. Are there internal and external segments that need to be scanned? For PCI
compliance (DSS 11.2.2), the bank requires a report on all externally facing devices.
For PCI compliance (DSS 11.2.1), merchants are required to scan internally, but no
report submission is typically required for internal devices.
3. Are VLANs being used?
Understanding the architectural foundation of the network is paramount to understanding the needs of
your enterprise.

Process Considerations
Process considerations must also be taken into account. These are the Qualys PCI processes you will
refine over time, but to start, there needs to be a general understanding of the need.
1. What are the sizes of the proposed scanning windows? Depending on the policies
within your enterprise, there may be a specific amount of time during which devices can
be scanned.
2. How often will you need to scan your externally facing devices? Every 90 days or every
quarter you are required to send a passing report to your bank. As a best practice,
Qualys recommends you scan at least every 30 days to ensure remediation of any found
vulnerabilities. You will also want to allow time for the submission of false positive requests.
3. What are the remediation windows for the hosts? Another process to take into
consideration is the remediation time frames an enterprise may have. Those
vulnerabilities which impact private data may have to be remediated in a very small
time frame.

LAB 1: Account Activation and Setup
This lab will address the steps needed to activate your Qualys student account, followed by steps to
enable the Qualys PCI Compliance application. Please complete all the Lab 1 exercise steps, before
advancing to subsequent labs.

Prerequisites/System Requirements
To perform the exercises in this lab, you will need:
1. Qualys Account (Qualys student accounts are active for 14 days)
2. Web Browser
– Internet Explorer 9, 10, 11, or greater
– Mozilla Firefox (latest version from stable release channel)
– Google Chrome (latest version from stable release channel)
– Safari (latest version)
3. Java Browser Plug-in
4. PDF file reader

Tip: Your browser’s Pop-up Blocking configuration can interfere with the proper functioning of the
Qualys User Interface. Please modify the settings of your Web browser to allow pop-ups from the
qualys.com domain.

Login to Qualys
Student account credentials for Self-Paced training classes are automatically generated and sent to your
email inbox, within 2 business days (please enroll with your business or company email address…public
email accounts are not supported).
Student account credentials for Instructor-Led training classes are provided by the Qualys class
instructor.
Your student account is active for 14 days (from the date it was created). Please contact
training@qualys.com with account credential issues or questions.

1. Open your Qualys student trial account message/document.


2. Record the USERNAME from this document and save it in a secure place.
**The period at the end of the sentence is NOT a part of the USERNAME.
3. To obtain the password, click the link found in the registration document.

For security, the Login username on this page appears partially obfuscated with ******.
4. On the activation page, enter the OTP code found from the registration document and click
Submit (If it’s been over 30 minutes since you received the registration document, the OTP
code will not work; use the Resend button to generate a new OTP code.

5. Record the PASSWORD from this document and save it in a secure place.

6. Use the link provided to log in and activate your Qualys student trial account.
NOTE: All the student accounts are located on the following Qualys Cloud Platform. It
is recommended to bookmark the following URL in your web browser for the ease of
access.
USPOD 3 - https://qualysguard.qg3.apps.qualys.com/

7. Select the check box to accept the “Service User Agreement” and click the “I Agree” button.

8. Enter your current password, and then choose a new password.

Record this new password; you will need it to activate the PCI Compliance application.

9. Click the “Save” button, followed by the “Close” button.

10. Log back in to your student account using your new credentials.

Update User Profile


The steps that follow will help to personalize your student user account, and make other adjustments
that will provide a more effective training environment.

1. Click on your User ID (located between “Help” and “Logout”) and select the “User Profile”
option.

General Information
Make any necessary adjustments to the “General Information” section of your user profile.

2. Update the “E-mail Address” field with your current e-mail address (notifications and
password reset information will be sent to the address you provide).

User Role
Different Qualys user accounts take on different user roles.

3. Click “User Role” in the navigation pane (left), and make note that your student account “User
Role” is: Manager, and you can access your account using the Graphical User Interface (GUI) or
the Application Program Interface (API).
Notification Options
All notifications will be sent to the e-mail address specified in the “General Information” section.

4. Click “Options” in the navigation pane (left), and make the appropriate selections for the type of
notifications you would like to receive.

Security
Individual security settings can be configured for two-factor authentication, and Security Questions are
provided to facilitate any attempt to reset a user password.

5. Click “Security” in the navigation pane (left), and take a moment to complete the Security
Questions.
6. Click the “Save” button.

Completing these Security Questions is a requirement for using the “Forgot Password” link found on
the Qualys Login page.

Account Settings
Changes made to account settings will affect all user accounts in your Qualys subscription.

1. Click on your User ID (located between “Help” and “Logout”) and select the “Account
Settings” option.

2. Click the “Security” setup option.

3. Increase your Session Timeout value to the maximum (240 min.)


This adjustment will help you to maintain an ACTIVE session throughout the entire training class.
4. Click the “Save” button, followed by the “Close” button.

Activate PCI Compliance Application
Once you have activated your Qualys student account, you’ll need to enable the PCI Compliance
application.

1. Click the application drop-down menu, and select the “PCI Compliance” application.

2. Click the “Activate Now” button.


You will need to modify your company name to resolve the displayed error.

3. To make your company name unique, simply append your email address to the existing
company name (e.g., Qualys Training_me@mail.com).
4. Enter the password you selected for your Qualys student account, and click the “Save” button.
Once an “account link” of this type has been created, it can be viewed, modified, or deleted using
the “PCI Account Links” setup option.

5. Navigate to A) the “Scans” section and click B) the “Setup” tab.


6. Click the “PCI Account Links” option.
The link you see here will be used to share external scan data from VM to PCI.

All PCI Account Links will initially appear with a FAIL status. This however will change, as new or
additional scan results are collected. Each unique link is identified by its merchant name and
merchant user account. You can create additional links from this window and/or delete existing
links.
7. Click the “Cancel” button to return to the Scans Setup options.

LAB 2: PCI Scanning
This lab will have you perform two external PCI scans, using two separate Qualys applications, to
demonstrate your options when meeting this PCI DSS requirement.
The first scan will be performed using Qualys Vulnerability Management (VM), where you will learn how
to share the VM scan results with PCI.
The second scan will be performed using Qualys PCI Compliance (PCI).

External Scan using Vulnerability Management (VM)


The Qualys Vulnerability Management application can be used to meet the external (11.2.2) PCI
scanning requirement. VM scan results can then be shared with the PCI Compliance application.
1. From the Vulnerability Management application, navigate to the “Assets” section, and click
the “Host Assets” tab.
2. Click the “New” button and select the “IP Tracked Hosts” option.
3. Click “Host IPs” in the navigation pane (left).

4. In the “IPs” field, type the IP address range for the target host assets (64.41.200.243-
64.41.200.250).
5. Select the “Add to Policy Compliance Module” check box.
6. Click the “Add” button, followed by the “Apply” button.

7. Use the “Quick Actions” menu to launch a scan against these host assets.

8. Enter “External PCI Scan using VM” in the “Title” field.
9. Select “Payment Card Industry (PCI) Options” in the “Option Profile” field.
This Option Profile is required for external PCI scans.
10. Set the target IP address range to “64.41.200.245-64.41.200.247” and click the “Launch”
button.
11. When the “Scan Status” window is displayed, click the “Close” button.

12. Navigate to A) the “Scans” section and B) the “Scans” tab, to monitor your scan.

Share with PCI
When your external PCI scan has reached the “Finished” status, you can share its results and findings
with the PCI Compliance application.

1. Navigate to the “Scans” section, and click the “Scans” tab.


2. Click the title of your finished scan to display its “Preview” pane.
3. From the “Preview” pane, click the “Share with PCI” link.
The link to your PCI Merchant account was established back in Lab 1, when you activated the PCI
Compliance application.

4. From the “Share PCI Scan” window, select the radio button for your “PCI Merchant” account,
and click the “Share” button.

5. To view the shared results in the PCI Compliance application, click .

6. Scroll down and accept the Service User Agreement, and click the “I Agree” button.

7. Click “Network” in the navigation pane (left) and click the “Scan Results” option.
You can now work with and process the shared results, using many of the PCI Compliance tools
and features, that will be demonstrated in the labs that follow.

External Scan using PCI Compliance
The same network scan performed in the previous exercise will now be performed using Qualys PCI
Compliance. Both types of scan results (created with VM or PCI) will benefit from the “Advanced
Workflow” features found in the PCI Compliance application.

1. Click “Network” in the navigation pane (left) and select the “New Scan” option.

2. Enter a Title of “External Scan using PCI”.

3. Select the “All IPs” radio button.

4. Click “OK” to launch your scan.

PCI compliance scans do not provide many scanning options, because the PCI Security Standards
Council dictates the scanning requirements to all Approved Scanning Vendors.

5. After successfully launching your PCI Compliance Scan, click the “Go to Scan Results” option.

Scan Results and Vulnerabilities


The “Scan Results” page lists running, finished, and canceled scans.

Icons:
Cancel a running scan.

Re-run a scan using the same parameters.

View a scan.

Download the scan results.

View vulnerabilities found during the scan.

Obtain information about the scan such as what IPs were scanned, the date of the scan, and bandwidth.

You can also cancel running scans from here. From the Scan Results, you can take actions on any scan.

1. When your scan is “Finished” click to download your results into PDF file format.

The Qualys PCI application identifies host vulnerabilities, and whether or not each vulnerability results in
a compliant or non-compliant host status (based on requirements defined in the PCI DSS).

In most cases, if a vulnerability has a severity level of HIGH or MEDIUM, it causes a PCI “Fail” status.
There are some exceptions, where a LOW severity vulnerability (i.e., below a score of 4.0) could also
cause a “Fail” status. The Qualys PCI Compliance application removes the guesswork for you, by
marking vulnerabilities that cause a “Fail” status, with an easy-to-see label.

1. Expand the “Network” menu in the navigation pane, and select the “Vulnerabilities” option.

Click A) the “Search for IP Address” field to search for vulnerabilities by host IP address. Click any
check box under B) “Potential Severity Level” to filter “Potential” vulnerabilities. Click any check
box under C) “Confirmed Severity Level” to filter “Confirmed” vulnerabilities. Other filtering
options include “False Positive” status and “PCI Fail Vulnerabilities.”

2. Type “SSH” in D) the “Filter Results” field.


3. Click any column header in the displayed list of vulnerabilities to change the default sort
order:
– Vulnerability Title
– Severity
– IP address
– Scan Date
4. Remove your existing filter options, and then select the check box,
to focus your list on the vulnerabilities that will result in a PCI “Fail” status.

Submit False Positive
You can request a review of any suspected “false positive” vulnerability detection. If the request you
submit is approved, it will NOT cause a PCI fail for 90 days. All false positives must be resubmitted every
quarter as per the PCI Data Security Standard. If the false positive is rejected, you must resolve the
vulnerability and confirm the fix worked with another scan.

Once the false positive is approved, it will also be removed from the most recent Scan Results Report.
The vulnerability for the host will also be removed from the vulnerability list for the appropriate host.

The False Positive process should begin after you’ve remediated all that you can remediate.

1. Find a failing vulnerability, and click on the checkbox next to it.

2. Click the “Review 1 False Positive” button.

3. Click the plus sign next to “Vulnerability Details” and “Results.”

It’s important to do your due diligence when you are submitting a false positive. When Qualys
(the ASV) receives the false positive, it will review whether it’s valid.

4. Enter the following text: “Student Test Submission – Please auto reject.”
5. Click the “Submit False Positive Request” button.

Obviously, this is where you would normally put a reason to indicate the vulnerability is in fact a
false positive.

6. Click the link (upper left).

7. Navigate to Network > False Positive History. Here you will see whether your False Positive
was requested, approved, rejected, or expired.

If you click on the information button, you can see all the information pertaining to a false
positive, and track where it is in the submission process. Listed below are the possible statuses
for a false positive.
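To make the interplay between the “PCI Fail” label, approved false positives and their 90-day expiry concrete, here is an added Python example; it is not code from this lab guide or from Qualys. It assumes you have exported the vulnerability list and the False Positive History into the simple records shown below. The host IPs are the lab's target range, the QIDs are constructed placeholders, and the statuses mirror the ones the False Positive History reports (requested, approved, rejected, expired).

```python
from dataclasses import dataclass
from datetime import date, timedelta

# The lab text states that an approved false positive keeps a detection from
# causing a PCI fail for 90 days and must then be resubmitted each quarter.
FALSE_POSITIVE_VALIDITY_DAYS = 90


@dataclass(frozen=True)
class Finding:
    """One confirmed detection on one host, as listed under Network > Vulnerabilities."""
    host: str
    qid: int          # constructed QID values below; not real Qualys detection IDs
    title: str
    pci_fail: bool    # the "PCI Fail" label the application attaches to the detection


@dataclass(frozen=True)
class FalsePositive:
    """One entry from the False Positive History: requested, approved, rejected or expired."""
    host: str
    qid: int
    status: str
    approved_on: date  # only meaningful for "approved" entries


def exception_active(fp: FalsePositive, today: date) -> bool:
    """An approved false positive suppresses the fail only inside its 90-day window."""
    if fp.status != "approved":
        return False
    return today < fp.approved_on + timedelta(days=FALSE_POSITIVE_VALIDITY_DAYS)


def host_status(findings, false_positives, today):
    """Return {host: (status, unresolved failing QIDs)}.

    A host passes only when every detection labelled "PCI Fail" is covered by
    an approved, unexpired false positive; everything else must be remediated
    and confirmed by a new scan.
    """
    active = {(fp.host, fp.qid) for fp in false_positives if exception_active(fp, today)}
    blocking = {}
    for f in findings:
        qids = blocking.setdefault(f.host, [])
        if f.pci_fail and (f.host, f.qid) not in active:
            qids.append(f.qid)
    return {host: ("FAIL" if qids else "PASS", sorted(qids)) for host, qids in blocking.items()}


def expiring_exceptions(false_positives, today, within_days=14):
    """Approved false positives whose 90-day window closes within `within_days`.

    These are the ones to resubmit before the next quarterly report, so the
    detection does not flip back to a fail while the report is being generated.
    """
    due = []
    for fp in false_positives:
        if fp.status != "approved":
            continue
        expires = fp.approved_on + timedelta(days=FALSE_POSITIVE_VALIDITY_DAYS)
        if today < expires <= today + timedelta(days=within_days):
            due.append((fp.host, fp.qid, expires))
    return sorted(due)


# Constructed sample data using the lab's target IP range; QIDs are placeholders.
TODAY = date(2024, 4, 1)

SAMPLE_FINDINGS = [
    Finding("64.41.200.245", 100001, "Sample: outdated TLS configuration", pci_fail=True),
    Finding("64.41.200.245", 100002, "Sample: informational banner", pci_fail=False),
    Finding("64.41.200.246", 100001, "Sample: outdated TLS configuration", pci_fail=True),
    Finding("64.41.200.247", 100003, "Sample: unsupported web server version", pci_fail=True),
    Finding("64.41.200.248", 100002, "Sample: informational banner", pci_fail=False),
]

SAMPLE_FALSE_POSITIVES = [
    # approved 2024-01-15: still active on 2024-04-01, expires 2024-04-14
    FalsePositive("64.41.200.245", 100001, "approved", date(2024, 1, 15)),
    # approved 2023-12-01: expired on 2024-02-29, so the fail is back on this host
    FalsePositive("64.41.200.246", 100001, "approved", date(2023, 12, 1)),
    # rejected: the host must be remediated and rescanned
    FalsePositive("64.41.200.247", 100003, "rejected", date(2024, 3, 1)),
]

if __name__ == "__main__":
    for host, (status, qids) in host_status(SAMPLE_FINDINGS, SAMPLE_FALSE_POSITIVES, TODAY).items():
        print(host, status, qids)
    for host, qid, expires in expiring_exceptions(SAMPLE_FALSE_POSITIVES, TODAY):
        print("resubmit", host, qid, "before", expires)
```

Running the block shows 64.41.200.245 passing because its only failing detection is covered by an active exception, 64.41.200.246 failing because the exception lapsed, and 64.41.200.247 failing because the request was rejected; the expiring list points at the one exception that needs resubmitting before the next report is generated.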

LAB 3: PCI Compliance Reports
Individual Host Vulnerability Report
You can create an individual Vulnerability Report for any “scanned” host. The report can be sent to your
Operations team or those people responsible for remediation.

1. Expand the “Compliance” menu in the navigation pane, and select the “Compliance Status”
option.

2. Select the checkbox next to any “non-compliant” host IP, and then click the “Download Report”
button.

The downloaded report identifies current vulnerabilities. It will indicate a “fail” or a “pass” next to
each vulnerability to help you identify the vulnerabilities that must be fixed for PCI Compliance.

You can use the search tool within your browser or document reader to find a specific QID number.

Generate Compliance Reports
After you pull the report to see the vulnerabilities, you need to remediate all the issues in your
environment that have a next to them. After the vulnerabilities are all resolved, and the false
positives are approved, you can submit the passing report for attestation and then to the bank.
1. Navigate to Compliance > Compliance Status.

2. Click “Generate Report.”


The Wizard will walk you through submitting your report to your ASV (i.e., Qualys). Qualys will need
to attest to your report before you can submit it to your bank for compliance purposes.

3. Click “Next,” and then click “Enter a single comment for all issues.”

4. For the question, “Is the software securely implemented?” you can click “No.” Enter your
comment, and click “Next”.
5. Click “Next.” Then enter your name and your title.
Remember, you will need to agree that the scope of your scan is your responsibility, not that of the
ASV. You must also take into account that the report you are submitting does not represent your
overall compliance status.
6. Enter your submission title, for instance “Q1 – PCI report”, and click “Generate Report”.

7. Once your Report Generation is complete, click the “Next” button.

8. Click the “Request Review Later” button.

Here, you will see the status of your report. You have not yet submitted your report for Attestation.
You can view the Executive Report and the Technical Report. You can also submit the report to your
bank, which is the final step in the PCI Compliance process.

9. Click on the Executive and Technical Reports icons, to view their contents.
Both of these reports get submitted to Qualys (ASV) when you click “Request Review.” The
technical report can help with identifying vulnerabilities and assist with remediation if necessary. All
vulnerabilities marked with a “FAIL” will need to be resolved for PCI Compliance.
10. Make note of the “Status” and “Next Action” columns in your report.
The following table provides “Status” and “Next Action” descriptions:

For this lab, you will NOT submit the Attestation; the “Request Review” link is normally used for this
purpose. An “Attested” report received from Qualys could then be submitted to your acquiring
bank.

Open Services Report
The open services report meets requirement 1.1.6 of the PCI DSS. It allows you to view the open ports
and active services found on each device, and classify them as authorized or unauthorized. This report
will reflect the services, ports and protocols detected in your most recent scan.

1. Click “Network” in the navigation pane and select the “Open Services Report” option.

Here you will see all of your open services per host, and you can download a report in PDF or CSV
format for your devices.

2. Click the check box next to any service running on any host.

3. Click the “Classify as” button, followed by the “Authorized” option.

4. Add the following comments: “This service is an approved service for this device”.

Services should be marked in accordance with your organization’s security policies and system
hardening standards.

5. Click the “Submit” button.

6. Click on any item in the “Classification” column to change an existing classification, or click any
item in the “Comments” column to view or add comments.
The service will record your comments along with the date the comments were updated.
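As an added example (not part of this lab guide or of the Qualys product), the following Python compares a downloaded open services list with a per-host authorized baseline of the kind a hardening standard would define, which is the comparison the 1.1.6 classification above asks you to make by hand. The CSV column names and the baseline are assumptions constructed for the example; the host IPs are those of the lab targets.

```python
import csv
import io

# Constructed sample in the shape of an "Open Services Report" CSV download.
# The column names are an assumption made for this example; map them to the
# headers in your own export before using this on real data.
SAMPLE_OPEN_SERVICES_CSV = """host,port,protocol,service
64.41.200.245,22,tcp,ssh
64.41.200.245,80,tcp,http
64.41.200.245,443,tcp,https
64.41.200.246,445,tcp,microsoft-ds
64.41.200.246,3389,tcp,ms-wbt-server
64.41.200.247,23,tcp,telnet
64.41.200.247,443,tcp,https
"""

# Constructed per-host baseline: the (port, protocol) pairs the hardening
# standard authorizes. Anything detected that is not listed here is flagged.
AUTHORIZED_BASELINE = {
    "64.41.200.245": {(22, "tcp"), (443, "tcp")},
    "64.41.200.246": {(135, "tcp"), (445, "tcp"), (3389, "tcp")},
    "64.41.200.247": {(443, "tcp")},
}


def parse_open_services(csv_text):
    """Return (host, port, protocol, service) tuples from the export text."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [
        (row["host"].strip(), int(row["port"]), row["protocol"].strip().lower(), row["service"].strip())
        for row in reader
    ]


def classify_services(detected, baseline):
    """Attach an Authorized/Unauthorized classification to each detected service."""
    classified = []
    for host, port, proto, service in detected:
        allowed = baseline.get(host, set())   # a host with no baseline authorizes nothing
        label = "Authorized" if (port, proto) in allowed else "Unauthorized"
        classified.append((host, port, proto, service, label))
    return classified


def unauthorized_by_host(classified):
    """Group the unauthorized services per host for the remediation owners."""
    result = {}
    for host, port, proto, service, label in classified:
        if label == "Unauthorized":
            result.setdefault(host, []).append(f"{port}/{proto} ({service})")
    return result


def baseline_not_detected(detected, baseline):
    """Baseline entries the latest scan did not observe.

    The report only reflects the most recent scan, so an authorized service
    that is no longer listening is a sign the baseline needs review.
    """
    seen = {(host, port, proto) for host, port, proto, _ in detected}
    return sorted(
        (host, port, proto)
        for host, allowed in baseline.items()
        for port, proto in allowed
        if (host, port, proto) not in seen
    )


if __name__ == "__main__":
    detected = parse_open_services(SAMPLE_OPEN_SERVICES_CSV)
    classified = classify_services(detected, AUTHORIZED_BASELINE)
    for row in classified:
        print(*row)
    print("unauthorized:", unauthorized_by_host(classified))
    print("in baseline but not seen:", baseline_not_detected(detected, AUTHORIZED_BASELINE))
```

The baseline is deliberately keyed by (port, protocol) rather than by the detected service name, because the name is a banner guess that can change between scans while the authorized listening port should not; a host that has no baseline entry at all gets every service flagged, which is the safe default for an asset that was never put through the hardening standard.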

LAB 4: Security Assessment Questionnaire
Through automated campaigns and data collection, Qualys Security Assessment Questionnaire expands
the scope of compliance data to include administrative and procedural controls.
Here are just a few examples of the things you can accomplish with Qualys SAQ:
• Third-Party Risk Assessment – Identify and assess the compliance of your vendor, partner,
supplier and other third-party relationships.
• Internal Audit Management – Expand the scope of your compliance visibility by querying and
evaluating internal infrastructure and IT processes.
• Security Training and Awareness – Evaluate employee and contractor comprehension of
security policies, procedures, and training curricula - before and after security training sessions.
• End-to-End Security Compliance – Accelerate and extend security compliance by combining
technical controls assessment (Qualys Policy Compliance) with procedural controls assessment
(Qualys Security Assessment Questionnaire).

SAQ User Roles and Participants

1. Open the Qualys SAQ application.


2. Click the “Start 14-Day Trial” button, followed by the “Confirm” button.
3. Click the “Close and Continue” button (do not play introductory video).

Create Recipient
A “Recipient” will receive an invitation to join a “Campaign” you have created and is
responsible for answering and responding to Questionnaire questions.

1. Navigate to A) the “Users” section.


2. Click B) the “Add User” button, and enter the following information:

Use a valid email address, one you can access from your present location.
3. Click the “Add User” button.

Create Reviewer
A “Reviewer” is responsible for reviewing the responses submitted by any given recipient.

4. Click and enter the following information:

5. Click the “Add User” button.

Create Approver
An “Approver” is ultimately responsible for approving responses submitted by any given
recipient.

6. Click and enter the following information:

7. Click the “Add User” button.

Create a Campaign
A “Campaign” contains one Questionnaire and identifies all campaign participants.

1. Navigate to A) the “CAMPAIGNS” section.


2. Click on B) the “New Campaign” button.

3. Type “PCI Compliance Campaign” in the “Campaign Name” field.


4. Select a due date 90 days from today.
5. Click the “Take me to Template list” button.

6. Select “PCI” in the left navigation pane.
7. Select Payment Card Industry (PCI) Data Security Standard – Self-Assessment Questionnaire
(SAQ) A and Attestation of Compliance.
8. Click the “Add” button and then click “Next”.

9. Use the “Workflow” drop-down menu to select the “Full (4-Stage Workflow)” option.
10. Use the “Reviewer” drop-down menu to select the SAQ Reviewer user.
11. Use the “Approver” drop-down menu to select the SAQ Approver user.

12. Click the “Next” button.
13. Click the “Take me to Recipients list” button.

14. Place a check to the left of the SAQ Recipient user and click the “Add” button.

15. Click on the “Next” button twice and click “Create & Launch”.

16. Click the “Send” button to email the invitation to the SAQ Recipient user.

Answer Questions

1. Using the email account/address, specified when creating the “Recipient” user, open the
email invitation and click the “Start Questionnaire” button.

2. Choose a new password for the “Recipient” user.


WARNING: logging in and activating the “Recipient” user account will typically log out the
“Manager” user (i.e., the account you have been using up to this point).

3. Click the “Quick Actions” menu, and select the “View Questions” option.

4. Fill in the input fields for A) Company Name, B) Contact Name, and C) Contact Title.
5. Click the “Save & Exit” button.

Monitor Campaign Progress


1. Log out of the “Recipient” user account, and log back in as the “Manager” user.

2. Open the Qualys SAQ application.

3. From the SAQ “Dashboard”, click the “PCI Compliance Campaign” link to view the campaign
details.

You can monitor the progress of each campaign, and review question responses.

4. Navigate to the “Reports” tab and click on “New Report”.


5. Set the “Report type” field to “Campaign Report” and click .
6. Select the “PCI Compliance Campaign” from the dropdown and click again.

7. Click the “Download” button and select “Portable Document Format (PDF)” and click .

8. When your report reaches the “Complete” status, double-click to download and view.

LAB 5: Policy Compliance PCI-DSS Policy
The Policy Compliance application can be used to assess host compliance with various regulations,
frameworks, and security policies.
In this lab exercise, you’ll launch a compliance scan to collect data points from the host assets you
target. This scan will check whether the scan target is configured according to the technical requirements
of the “PCI-DSS” Policy.

Policy Scope and Asset Groups


Each policy you create must identify the hosts it will audit (the policy scope). Asset Groups and
Asset Tags are the tools used for identifying which assets are impacted by each policy you
create.
In this section, you will create two Asset Groups that will be used to define the scope for
policies you will create later.

Create Windows Compliance Asset Group


This first Asset Group will only contain Windows-based hosts.

1. Navigate to A) the “Assets” section, and click B) the “Asset Groups” tab.
2. Click the “New” button and select C) the “Asset Group…” option.
3. Give your Asset Group the title, “Windows Compliance AG”.

4. Click “IPs” in the navigation pane and then click the “Select IPs/Ranges” link.

5. Click the “Expand” icon to expand the IP address range.


6. Place a check mark next to the following IP addresses:
✓ 64.41.200.246
✓ 64.41.200.247
✓ 64.41.200.248
✓ 64.41.200.249
7. Click the “Add” button, followed by the “Save” button.

Create Unix Compliance Asset Group


1. From the Asset Groups tab click the “New” button and select the “Asset Group…” option.
2. The Title for this Asset Group is: “Unix Compliance AG”.

3. Click “IPs” in the navigation pane.
4. Click the “Select IPs/Ranges” link.

5. Click the “Expand” icon to expand the IP address range.


6. Place a check mark next to the following IP addresses:
✓ 64.41.200.243
✓ 64.41.200.244
✓ 64.41.200.245
✓ 64.41.200.250
7. Click the “Add” button, followed by the “Save” button.

The “Asset Groups” tab now contains two Asset Groups that will be used later to define the SCOPE of
your policies.

Compliance Scanning
A compliance scan collects data points (defined in the Qualys Control Library) from the host
assets you target.
While some policies can be created in the absence of compliance scan data, the availability of
compliance scan data will help you test and evaluate controls as you add them to a policy.
Before you launch your first compliance scan, you will need to create authentication records
for the Windows and Unix hosts, and build a Compliance Profile with your custom scanning
preferences.

Authentication Records
Authentication is a requirement of the Policy Compliance application. Authentication is
available for multiple OS platforms, services, and software applications. The lab exercise steps
that follow, will create two authentication records: one for Unix and one for Windows.

Create Unix Authentication Record

1. Navigate to A) the “Scans” section and select B) the “Authentication” tab.


2. Click C) the “New” button and select “Unix Record”.
3. Type “qscanner with Sudo” in the “Title” field.

4. Click “Login Credentials” in the navigation pane, and enter the following credentials:
User Name: qscanner
Password: abc1234!

5. Click “Root Delegation” in the navigation pane and click the “Add Root Delegation” button on
the right. Select “Sudo” from the dropdown menu for “Root Delegation”.
Enter password: abc1234!
6. Click the “Save” button.
The ‘qscanner’ account has been configured for root delegation via Sudo.

7. Click “IPs” in the navigation pane.


8. Add the following IPs: 64.41.200.243, 64.41.200.244, 64.41.200.245, 64.41.200.250.

Please use a text editor to review and clean your input, if using Copy & Paste.
9. Click the “Create” button.

Create Windows Authentication Record

1. Navigate to A) the “Scans” section, and click B) the “Authentication” tab.


2. From the Authentication tab, click C) the “New” button and select “Windows Record…”
3. Type “qscanner as Domain Admin” in the “Title” field.

4. Click “Login Credentials” in the navigation pane, and ensure the “Domain” radio button is
selected (under Windows Authentication).
5. Select “Active Directory” using the “Domain Type” drop-down menu.
6. Type “trn.qualys.com” (omit quotes) in the “Domain name” field.
7. Type the following Username and Password (case sensitive):
User Name: qscanner

Password: abc1234!

8. Click “Save”.
NOTE: Qualys Scanner Appliances use an Active Directory API call that retrieves the IP
addresses for all domain members. Therefore, IP address information is NOT required, when
creating an Active Directory Authentication Record.

Create Custom Compliance Profile
A Compliance Profile contains your scanning options and is a required component of every
compliance scan. Create a custom Compliance Profile that contains all the required options
for your compliance scans.

1. Navigate to A) the “Scans” section, and select B) the “Option Profiles” tab.
2. Click the “New” button and select C) the “Compliance Profile” option.
3. Name the profile “Custom Compliance Profile”.
4. Click “Scan” in the navigation pane (left) and select the “Auto Update expected value” check
box, under the Integrity Monitoring section.

5. Select (check) both Control Types: “File Integrity Monitoring” and “WMI Query Checks.”
These special control types work together with user defined controls (UDCs) you create for File
Integrity Monitoring and WMI Query Checks.
• File Integrity Monitoring – Enable to collect the hash values needed to perform file
integrity checks on both Unix and Windows systems.
• WMI Query Checks – Enable to perform WMI queries that collect the kind of data that
cannot be acquired from Active Directory or the Windows Registry.

6. Click the “Dissolvable Agent” link to activate the Dissolvable Agent for your subscription.
7. When prompted, click the “Accept” button, followed by the “Close” button.

8. Once the Dissolvable Agent has been accepted, select all of the “Dissolvable Agent” check
boxes.
Only a Manager can activate the Dissolvable Agent, allowing users to leverage its functionality:
• Password Auditing – Perform password auditing tests to identify user accounts with: empty
passwords (CID 3893), passwords equal to the user name (CID 3894), or passwords found in
your own custom password dictionary (CID 3895).
• Windows Share Enumeration - Find Windows shares that are readable by everyone and report
the number of files for each share on each host (Control ID 4528) and whether the files are
writable. This is good for identifying groups of files that may need tighter access control.
• Windows Directory Search - Select this option to include one or more Windows Directory
Search UDCs in the scan, that search for files/directories using many criteria such as file name,
user accounts, and specific user access permissions.
At scan time, Dissolvable Agent is installed on Windows devices to collect data, and once the
scan is complete it removes itself completely from target systems.
9. Save your Option Profile.

Your “Custom Compliance Profile” will now become the default profile for your compliance
scans, giving you all the functionality needed for the exercises in this lab.

Launch Compliance Scans
In this section you’ll launch two separate compliance scans. The first scan will target the Unix
Asset Group, and the second scan will target the Windows Asset Group.

Unix Compliance Scan


1. Navigate to A) the “Scans” section, and select B) the “PC Scans” tab.
2. Click the “New” button, and then select C) the “Scan” option.

3. Give your scan the title “Unix Compliance Scan” and use the “Custom Compliance Profile” you
created.
4. Select the “Unix Compliance AG” Asset Group as your scan target.
5. Click the “Launch” button to start the scan.
6. Click the “Close” button to close the “Scan Status” window.

Windows Compliance Scan


1. Once again, click the “New” button, and then select the “Scan” option.

2. Give your scan the title “Windows Compliance Scan” and use the “Custom Compliance Profile”
you created.
3. Select the “Windows Compliance AG” Asset Group as your scan target.
4. Click the “Launch” button to start the scan.
5. Click the “Close” button to close the “Scan Status” window.

You can monitor the status of any scan, from the “PC Scans” tab.

All scans are initially queued, before they begin running. Note: The scans you just launched will
only collect data points for controls already in the Controls Library.
Wait for a scan to finish, before attempting to work with its results.

6. When your scans have FINISHED, use the “Quick Actions” menu to view results.
Successful authentication is critical to the Policy Compliance application. All authentication
issues must be addressed to ensure accurate compliance results.

Use the “Authentication Issues” information provided in the scan report to find the
authentication issues encountered during a specific scan.
Make a note of any host IPs that were found to have authentication issues. Data points will not
be available for these host assets until the authentication issue is corrected.

LAB 6: PCI Mandate Report
We start by creating a ‘blank’ policy and manually adding all of the policy components (i.e.,
technologies, assets, and controls) related to PCI-DSS.
1. Navigate to the “Policies” section and click the “Policies” tab.

2. From the “Policies” tab, click A) the “New” button, followed by B) “Policy” and select C)
“Create from Scratch…”.

Add Technologies to Policy

3. Use the “Search technologies” drop-down menu to select the following UNIX and Windows
technologies:
• CentOS 6.x
• Oracle Enterprise Linux 5.x
• Oracle Enterprise Linux 7.x
4. Click the “Next” button.

Define Policy Scope

5. Add the “Unix Compliance AG” Asset Group to this policy and click the “Next” button.
6. Name your policy: “PCI Policy” and click the “Create” button.

The Policy Editor displays a blank policy. Controls have yet to be added.
7. Change the section title from “Untitled” to “PCI Controls.”

Add PCI controls to Policy

1. Click the “Add Controls” button.

2. Click the “Search” button and select the “Payment Card Industry Data Security Standard (PCI-DSS) Ver 3.2” framework.
3. Set the criticality to “URGENT” and click the “Search” button.

4. Select all controls by clicking on the checkbox located below the “Search” button.
5. Click the “Add” button to add the controls to the policy.

6. Select the “Evaluate now” checkbox and save the policy by clicking on the “Save” button.
7. Close the “Policy editor” window.

Mandate Report Template
The Mandate Report Template provides some very useful report filtering options. The next
few steps will create a custom Report Template that focuses on PASSED and FAILED control
tests.
1. Navigate to the “Reports” section and click the “Templates” tab.

2. Click A) the “New” button and select B) the “Mandate Template” option.
3. Type “Failed Controls Template” in the “Title” field.

4. Click “Layout” in the navigation panel (left).


5. Change the “Report Layout” options to focus on “Passed” and “Failed” controls.
6. Click the “Save” button.

Create Mandate Report

1. From the “Templates” tab, use the “Quick Actions” menu for the “Failed Controls Template”
to run a report.

2. Type “Failed Controls Policy Report” in the “Title” field.


3. Select “Failed Controls Template” in the “Report Template” field.
4. Select “HTML pages” from the “Report Format” drop-down menu.

5. Under “Mandates” select the “Payment Card Industry Data Security Standard (PCI-DSS)”.

6. Under “Policies” select the “PCI Policy”, which was created earlier.
7. Under “Report Source” select the “All Assets in Policy” and click the “Run” button.
8. When your report is displayed, scroll past the trend and summary data to view the PASS and
FAIL results for the various hosts.

Viewing PCI Compliance Resources
A user guide, PCI frequently asked questions, and PCI Council information are also available. They are
located right under the Contact Support section.

Contacting Support
Try as we may, inevitably you will need to contact support. In order for us to troubleshoot issues
properly and efficiently, we will need information from you.
There are 3 ways to contact support:
• The Qualys PCI Interface
• Email to support@qualys.com
• For Critical issues – call Support:
U.S. and Canada: +1.866.801.6161 24x7
Europe, the Middle East and Africa: +33.1.41.97.35.81 24x7
UK: +44 1753 872102 24x7

With the Qualys PCI interface, you will have all the necessary information at your fingertips. From
Qualys PCI on the left, click “Contact Support.”
