In today's security landscape, accurate PCI assessments are a vital part of a comprehensive security program. A closer look at Approved Scanning Vendor (ASV) scans performed under Requirement 11.2 reveals a common problem: improperly configured scans. This is not a recent stipulation; the requirement has been in place for years. In short, organizations must make sure their ASV scans are configured to cover all known URLs and domain names, not just IP address ranges.

How to Fix ASV Scan Configuration to Include All Known URLs

Qualys, a platform many companies use for ASV scanning, includes a PCI wizard that walks each entity through what it must supply to meet the standard. Organizations should review their current process now. If that process does not include all of the required components, such as URLs, domain names, and the other items specified in the ASV Program Guide (referenced below), they should correct the configuration without delay and re-run the most recent scan.

A walk-through of the relevant Qualys settings and how they align with best practice follows. The choice of Qualys as the example is not meant to single it out or endorse it; it is used for illustration because of its widespread use.

1. In the PCI version of Qualys, start by selecting the “Asset Wizard.”

[Screenshot: PCI version of Qualys]

2. The following screen appears. If it is empty, the scan is very likely misconfigured.

[Screenshot: Asset Wizard]

3. Add the full domain information and the URL paths for every known entry point.

[Screenshot: full domain info AND URL path]

4. The next prompts ask about load balancers.

[Screenshot: load balancers]

5. When the configuration is correct, the bottom of the screen looks like the screenshot below.

[Screenshot: it should look like this at the bottom of the screen]

It is also worth periodically revisiting the relevant PCI requirements, and everyone is encouraged to read the full ASV Program Guide. For convenience, the section of the guide that gives specific guidance on URLs, starting on page 12, is excerpted below: https://www.pcisecuritystandards.org/documents/ASV_Program_Guide_v2.pdf

Scan Customers Provide Internet-facing IP Addresses and Domains

Scan customers are responsible for providing not only all external-facing IP addresses but also the fully qualified domain names (FQDNs) and distinct entry points to applications within their in-scope infrastructure. This includes:

  • Domains for all web-servers
  • Domains for mail servers
  • Domains used in name-based virtual hosting
  • Web-server URLs to “hidden” directories that cannot be reached by crawling the website from the home page
  • Any other public-facing domains or domain aliases
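The scope check below is an added example, not code from the original post or from Qualys. It compares a proposed ASV scan target list against a constructed inventory of in-scope DNS records and application entry points (RFC 5737 documentation addresses, hypothetical hostnames) and reports what an IP-range-only configuration misses: the guide's name-based virtual hosts, mail and web domains, and "hidden" URLs from steps 3 to 5 above.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed sample values (RFC 5737 documentation addresses, hypothetical names):
# what the scan customer knows about its in-scope, Internet-facing hosts.
KNOWN_RECORDS = {
    "www.example.com": "203.0.113.10",
    "shop.example.com": "203.0.113.10",   # name-based virtual host on the same IP
    "mail.example.com": "203.0.113.25",
    "api.example.com": "198.51.100.7",
}
# Distinct application entry points, including a "hidden" directory
# that a crawler starting at the home page would never find.
KNOWN_ENTRY_POINTS = [
    "https://www.example.com/",
    "https://shop.example.com/admin/",
    "https://api.example.com/v1/",
]

def parse_targets(targets):
    """Split a scan target list into IP networks, bare hostnames and full URLs."""
    nets, hosts, urls = set(), set(), set()
    for target in targets:
        if "://" in target:
            urls.add(target)
            hosts.add(urlparse(target).hostname)
            continue
        try:
            nets.add(ipaddress.ip_network(target, strict=False))
        except ValueError:
            hosts.add(target.lower())   # not an IP or CIDR, so treat it as an FQDN
    return nets, hosts, urls

def scope_gaps(configured_targets):
    """Report what the configured ASV scan scope misses versus the known inventory."""
    nets, hosts, urls = parse_targets(configured_targets)
    gaps = {"ip_not_covered": [], "host_not_declared": [], "entry_point_missing": []}
    for fqdn, ip in KNOWN_RECORDS.items():
        if not any(ipaddress.ip_address(ip) in net for net in nets):
            gaps["ip_not_covered"].append(fqdn)
        if fqdn not in hosts:
            # IP coverage alone is not enough: without the name the scanner
            # cannot reach this virtual host, so the ASV scan is incomplete.
            gaps["host_not_declared"].append(fqdn)
    for url in KNOWN_ENTRY_POINTS:
        if url not in urls:
            gaps["entry_point_missing"].append(url)
    return gaps

def scope_is_complete(configured_targets):
    """True only when every known host and entry point is in the scan scope."""
    return not any(scope_gaps(configured_targets).values())
```

Running `scope_gaps(["203.0.113.0/24"])` shows that a range-only configuration covers three of the four IPs yet declares none of the hostnames or entry points, which is exactly the misconfiguration the post describes.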

This small change to your scan configuration will produce a smoother and more accurate scan, and a more effective and productive assessment.

For more information, contact Stewart Fey, sfey@lbmcstage.webservice.team or 615-309-2479.