Fortra PCI Service

Schedule the quarterly external scans required for Payment Card Industry (PCI) compliance within Fortra VM. Scan results and reports can be scheduled and reviewed in the platform, and a Fortra PCI analyst will work with you to validate compliance to auditors and to resolve the vulnerabilities that stand in the way of a passing result.

TIP: Required PCI compliance documents are available from the PCI Security Standards Council (PCI SSC), including the Payment Card Industry Data Security Standard (DSS) and the ASV Program Guide.

PCI scanning

The following is the recommended process for maintaining PCI compliance through Fortra vulnerability management.

  1. Schedule a PCI scan.

    Two workflow options: a PCI scan group, or individual PCI scans (the multi-scan method). Both are described under PCI scan below.

  2. Review scan results for potential compliance issues.

  3. If compliance is not reflected in your PCI scan results:

    • Resolve PCI relevant vulnerabilities.

    • Submit a PCI Dispute for any vulnerabilities you believe inaccurately reflect your PCI status, by working with your Fortra PCI Analyst.

  4. Once all vulnerabilities have been addressed re-run your PCI Scan.

  5. Requisition a PCI Report and submit PCI compliance documentation.

PCI administration

Users can only perform PCI tasks in Fortra VM with the necessary permissions or role assignment. Permissions can be modified by Enterprise Admins in the Users & Roles section under the System menu. See Users and Roles for more details.

PCI specific roles and permissions
System Roles: 

    PCI User is an extended user role that includes: 

    • Scan policy administration including Scan Groups

    • Report administration (including PCI reports)

    • PCI ASV dispute administration

User Permissions: 

    Toggle the following permission to ON to activate the associated Fortra VM tasks in a user's profile:

    PCI ASV dispute administration: This permission set provides the ability to dispute PCI vulnerabilities.

PCI scan

Run a PCI scan using scan groups

PCI scans can be scheduled through a scan group. A scan group runs its attached scans on a shared schedule and simplifies report creation by pre-selecting the scans that originated from the group, so you do not have to search for individual scans in the report creation screen. This is useful for any organization running a large number of scans, or recurring scans with similar names. Fortra VM can also send notifications about scan group activity, making PCI scan and report activity easy to track when it is set up through a scan group.

Set up a scan group: 

  1. From the Scan Groups page, select the + New scan group button.

  2. Create a new scan group with the work-flow designation of PCI Assessment.

    Complete the Name, Schedule, Email Notifications, and Reporting Options.

    IMPORTANT: If you would like WAS scans to be automatically generated from the VM scan targets, toggle Auto-Generate WAS Scans to ON.

    Save the scan group.

  3. Use the + Add scan button to attach individual scans to the scan group. All attached scans will run together on the schedule defined for the scan group.

    NOTE: If auto-generation of WAS scans is toggled to OFF, it is necessary to add both WAS and VM scans to the same scan group for PCI compliance scanning. Use the drop-down in the site header to toggle between WAS and VM interfaces and add each scan to the scan group you created.

  4. After the scan is complete, navigate to Reports > History to start creating your PCI compliance report.

    TIP: If you need to re-run your PCI compliance scan after resolving failed vulnerabilities, use the multi-scan method described below.

Run a PCI scan using multi-scan

The multi-scan method is beneficial if scans need to be re-run for failing vulnerabilities or additional targets.

Set up a multi-scan:

    Fortra VM
  1. From the Scan Activity page, select New scan and fill in the scan details.

  2. Select PCI Assessment from the Workflow options and use the Scan Targets fields to add a scope to your scan (e.g. host IP addresses, ports, asset groups).

  3. Select Create and run when finished to start or schedule the scan.

  4. Use the side menu to return to Scan Activity.

  5. Once the scan is complete you can select it to access PCI results.

    WAS
  1. From the Scan Activity page, select New scan and fill in the scan details.

  2. Select PCI Assessment from the Workflow options and use the Scan Targets fields to add a scope to your scan with the required web app(s).

  3. Select Create and run when finished to start or schedule the scan.

  4. Use the side menu to return to Scan Activity.

  5. Once the scan is complete you can select it to access PCI results.

Notifications

Fortra VM has preset notifications to alert you to changes in your PCI workflow. Select your username from the header bar, then My Profile, and open the Notifications tab to customize them.

PCI Dispute notifications

  • Disputed vulnerability digest
    Sends a daily email summarizing all changes to the dispute workflow (e.g., edits, comments, new disputes, approvals, and rejections). The default is OFF; switch the toggle to ON to enable it.

  • Disputed vulnerability status
    Sends an individual alert email for each change the analyst makes to the workflow. The default is ON; switch the toggle to OFF to disable it.

PCI Scan Results

Vulnerabilities

View the results of a PCI compliance scan by selecting a completed scan and then selecting the PCI tab.

IMPORTANT: The PCI tab will only be accessible with an active PCI ASV dispute administration permission on your user account and a completed PCI assessment from a PCI Scan.

All vulnerability results will be listed and designated with a green PASS or red FAIL badge. All failing vulnerabilities must be resolved and rescanned to show a PASS status for compliance.

  • Right-click a vulnerability for filtering options and for dispute actions.

  • Left-click a vulnerability to expand it and show comments and notes from your PCI Analyst.

Run your PCI scan again, once all failed vulnerabilities have been addressed, to fulfill PCI requirements for a compliant result.

NOTE: Potential vulnerabilities are required to be reported for PCI compliance. Per the ASV Program Guide, v4.0r2, potential vulnerabilities must be scored the same as confirmed vulnerabilities and must have the same effects on compliance determination. When Fortra VM detects the host's operating system or software version, all vulnerabilities associated with that OS or software version will be listed. This may lead to false positives. If this is the case, a dispute should be entered with evidence that the potential vulnerability does not exist on that host. Potential vulnerabilities can be identified by a ? icon and by filtering for "Vuln: detect class is potential". See Include potential CVCs for more details.

Dispute failed vulnerabilities

The PCI scan may show vulnerability findings you would like to dispute. All requested vulnerability disputes are required to be documented as Exceptions, False Positives, or Compensating Controls.

  • Exception

    There are four exceptions to the NVD scoring guidance described in Section 6.3.2, Component Compliance Determination, and these are the only exceptions that qualify to supersede CVSS scores. Examples of qualifying exceptions include incorrect or inconclusive findings due to scan interference, or a disputed CVSS base score. Supporting evidence must be submitted to demonstrate that there is no risk to the cardholder data environment.

    See "Appendix B: ASV Scan Report Summary" of the ASV Program Guide for further details.

  • Compensating control

    If a vulnerability cannot be remediated due to business or technical constraints, but the risk can be mitigated through other measures, a compensating control may be considered.

    See "7.8 Addressing Vulnerabilities with Compensating Controls" of the ASV Program Guide for further details.

  • False positive

    If you have sufficient evidence that a reported vulnerability does not apply to the host, a dispute may be submitted for the PCI analyst to review and confirm the false positive.

    See "7.7 Managing False Positives and Other Disputes" of the ASV Program Guide for examples of written evidence which can be submitted to dispute a false positive.

In these situations, you can file a dispute on the Scan Activity page.

IMPORTANT: Requires a PCI assessment from a PCI scan.

Fortra VM vulnerability dispute process:

  1. Open Scan Activity and left-click to open the PCI scan in question. Once the scan results open, select the PCI tab.

  2. Address each vulnerability listed as FAIL; failing vulnerabilities are sorted to the top of the list.

    If a listed vulnerability will not be remediated, an explanation must be filed with your Fortra PCI analyst.

  3. Select the checkbox for a failing vulnerability and select Dispute vulnerability at the top of the scan results to open the Dispute Vulnerability form.

  4. Complete the dispute by selecting the appropriate type of dispute and use the comment field to provide an explanation of the dispute for the analyst to review.

    After all fields are complete, submit the form by selecting the Dispute button.

  5. The vulnerability will be flagged with a yellow DISPUTE PENDING icon while it is under review.

  6. As the analyst completes their review, comments and questions will be posted to the vulnerability; you can respond to them and upload supporting files as needed. The analyst can approve the dispute and move the vulnerability from FAIL to PASS.

  7. Review dispute status in the PCI Disputes section of the Scans menu.

    The PCI Disputes Management page will show a consolidation of all disputed vulnerabilities from both Fortra VM and WAS, no matter which product is currently engaged in Fortra VM.

    Click on each vulnerability to see analyst inquiries and add additional information to the dispute.

  8. Once a dispute is approved by your analyst the vulnerability status will update on the scan results.

WAS vulnerability dispute process

  1. Open Scan Activity and left-click to open the PCI web app scan in question. Once the scan results open, select the PCI tab.

  2. Address each vulnerability listed as FAIL; failing vulnerabilities are sorted to the top of the list.

    If a listed vulnerability will not be remediated, an explanation must be filed with your Fortra PCI analyst.

  3. Select the checkbox for a failing vulnerability and select Dispute vuln at the top of the scan results to open the Dispute Vulnerability form.

  4. Complete the dispute by selecting the appropriate type of dispute and use the comment field to provide an explanation of the dispute for the analyst to review.

    After all fields are complete, submit the form by selecting the Dispute button.

  5. The vulnerability will be flagged with a yellow DISPUTE PENDING icon while it is under review.

  6. As the analyst completes their review, comments and questions will be posted to the vulnerability; you can respond to them and upload supporting files as needed. The analyst can approve the dispute and move the vulnerability from FAIL to PASS.

  7. Review dispute status in the PCI Disputes section of the Scans menu.

    The PCI Disputes Management page will show a consolidation of all disputed vulnerabilities from both Fortra VM and WAS, no matter which product is currently engaged in Fortra VM.

    Click on each vulnerability to see analyst inquiries and add additional information to the dispute.

  8. Once a dispute is approved by your analyst the vulnerability status will update on the scan results.

The analyst may reject a dispute if it does not sufficiently fulfill the requirements. If rejected, the vulnerability retains FAIL status. You may resubmit the dispute with additional information for the analyst.

IMPORTANT: Each dispute lasts only 90 days. An expired dispute displays a yellow "Expired" flag next to the vulnerability name, and the vulnerability reverts to FAIL until it is disputed again. The dispute form includes a "Redispute using last submission" option; select True to resubmit the same information from the expired dispute.
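The following script is an added example and is not Fortra's code; it illustrates the pass/fail and dispute-expiry rules described above (potential findings scored like confirmed ones, only an approved dispute turning a FAIL into a PASS, disputes expiring after 90 days) by triaging an exported vulnerability list offline. The CSV column layout, the sample rows, and the run date are constructed for the example and are not the format of the real PCI Vulnerabilities CSV Export; the CVSS 4.0 failure threshold is taken from the ASV Program Guide and is not stated on this page.

```python
"""Triage a PCI scan export under ASV pass/fail rules.

Added example, not Fortra's code. Assumptions (not from the page):
- a CSV with columns host, vuln, cvss, detect_class, dispute_status, dispute_date
- CVSS base score >= 4.0 fails (ASV Program Guide threshold)
- the page's 90-day dispute lifetime
"""
import csv
import io
from datetime import date, timedelta

FAIL_THRESHOLD = 4.0                   # ASV rule: base score >= 4.0 is non-compliant
DISPUTE_LIFETIME = timedelta(days=90)  # page: each dispute lasts only 90 days
TODAY = date(2024, 7, 1)               # constructed run date for the sample

# Constructed sample export; the column layout is an assumption for this example.
SAMPLE_CSV = """host,vuln,cvss,detect_class,dispute_status,dispute_date
203.0.113.10,TLS 1.0 enabled,6.5,confirmed,,
203.0.113.10,OpenSSH version-based issue,7.5,potential,approved,2024-05-01
203.0.113.11,Directory listing,4.0,confirmed,pending,2024-06-20
203.0.113.11,HTTP TRACE enabled,3.5,confirmed,,
203.0.113.12,Outdated PHP (banner),9.8,potential,approved,2024-01-15
203.0.113.12,Apache version-based issue,5.3,potential,,
"""


def dispute_state(row, today):
    """Return 'none', 'pending', 'approved', 'rejected' or 'expired'."""
    status = row["dispute_status"].strip().lower()
    if not status:
        return "none"
    filed = date.fromisoformat(row["dispute_date"])
    if today - filed > DISPUTE_LIFETIME:
        return "expired"  # an expired dispute no longer counts, whatever its status was
    return status


def classify(row, today):
    """Apply the ASV pass/fail rule to one finding.

    Potential findings are scored exactly like confirmed ones, so detect_class
    is deliberately ignored here; only an approved, unexpired dispute turns a
    failing score into a PASS.
    """
    if float(row["cvss"]) < FAIL_THRESHOLD:
        return "PASS"
    return "PASS" if dispute_state(row, today) == "approved" else "FAIL"


def triage(csv_text, today=TODAY):
    """Return (failing findings, findings needing dispute attention).

    Attention items are expired disputes (redispute them) and failing
    potential findings with no dispute yet (candidates for a false-positive
    dispute backed by evidence from the host).
    """
    failing, attention = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        state = dispute_state(row, today)
        verdict = classify(row, today)
        row = dict(row, verdict=verdict, dispute_state=state)
        if verdict == "FAIL":
            failing.append(row)
        needs_redispute = state == "expired"
        undisputed_potential = (state == "none" and verdict == "FAIL"
                                and row["detect_class"] == "potential")
        if needs_redispute or undisputed_potential:
            attention.append(row)
    return failing, attention


def compliant(csv_text, today=TODAY):
    """A scan is compliant only when no finding remains at FAIL."""
    return not triage(csv_text, today)[0]


if __name__ == "__main__":
    failing, attention = triage(SAMPLE_CSV)
    for r in failing:
        print(f"FAIL {r['host']:<14} {r['vuln']:<30} cvss={r['cvss']} dispute={r['dispute_state']}")
    for r in attention:
        print(f"ACTION {r['host']:<12} {r['vuln']:<30} -> {r['dispute_state']}")
    print("compliant:", compliant(SAMPLE_CSV))
```

Note that the 4.0 finding fails: the threshold is inclusive. The expired approval on the PHP finding is what the page's "Redispute using last submission" option exists for; the script lists it under ACTION rather than silently treating the old approval as still valid.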

Addition of a special note (3b)

TIP: See the "7.2 Special Notes to Scan Customer" of the ASV Program Guide for specifications.

These are notes designated "Special Note to Scan Customer". They are required to be disclosed when the scan detects software or configurations that may pose a risk to your environment, even though they are not exploitable vulnerabilities in themselves.

This special note (3b) must include:

  • Evidence that the flagged software has been removed.

    OR

  • A declaration of the business need for the software.

If the software is required for business operations, include a statement of the business need, evidence of the security controls implemented for the software, and the actions taken to secure it, with details of those controls.

Your PCI analyst will validate the relevance of any special note declaration, before a passing scan report can be issued.

To submit a special note (3b): 

  1. Open Scan Activity and left-click to open the PCI scan in question. Once the scan results open, select the PCI tab.

  2. Select the vulnerability from the list that constitutes a "Special Notes to Scan Customer" (3b).

  3. Use the right-click menu or the Dispute button to add the required details.

PCI compliance report

To create a PCI report select the + New button from the header and select Report.

  1. In the Report type options, select Scan Group if a scan group was used, or Multi-scans if separate scans were created.

  2. Designate the appropriate year and quarter.

  3. Add each relevant scan from the Scan(s) Source drop-down. Scans from WAS and Fortra VM can be added to the same report.

  4. From the Report template options, select PCI Compliance Report.

  5. Select any other desired options, and Run report.

A box will display for Additional PCI Details Required.

  • Fill out the Contact information fields

  • Review the scan Scope

    Check the box to attest to the validity of the scope (required)

  • Out-of-Scope items can be declared in the designated field

  • Declare Load balancers, if employed

  • Review the Official Certification for warnings and important information

  • Select Send to certification workflow

The Official Certification warnings detail every reason why this PCI Compliance Report would not be considered passing (e.g. failing vulnerabilities, missing domains). You can generate as many compliance reports as you want, but the official report carrying the certification stamp is only produced once it has been sent to the certification workflow.

Other PCI reports: 

  • PCI Documentation Requirements Report

  • PCI Required Remediation Report

  • PCI Required Remediation CSV Export

  • PCI Vulnerabilities CSV Export

Complete PCI documentation

After you address all PCI vulnerabilities, you need to prepare required PCI compliance documentation and submit it.

To complete final PCI compliance documentation: 

  1. Prepare final PCI Compliance scan reports.

  2. Prepare Self-Assessment Questionnaire (SAQ) and Attestation of Compliance.

  3. Submit final PCI scan reports, SAQ, and Attestation of Compliance.

Prepare final PCI scan reports

When your PCI scan results are compliant, you can generate your final reports for submission to an acquirer. The official PCI Compliance report must be submitted through the certification workflow and carries the certification stamp.