How-To “PCI” in the Enterprise

Document created by Leif Kremkow on Oct 16, 2015Last modified by Leif Kremkow on Nov 29, 2016
Version 6Show Document
  • View in full screen mode

This guide introduces a practical approach how to deal with PCI-DSS compliance requirements in the enterprise environment using Qualys PCI Compliance and Qualys Vulnerability Management.


Qualys Vulnerability Management is a service that gives you immediate, global visibility into where your IT systems might be vulnerable to the latest Internet threats and how to protect them.


Qualys PCI is an easy step-by-step tool to achieve compliance. Automate scans against all devices and web apps. Finally, submit your ASV compliance report and SAQ to your acquiring banks.


Qualys PCIQualys Vulnerability Management
Cloud service: no software to deploy or maintainYesYes
Multi-tenant and MultiuserYesYes
Role based access controlNoYes
Scan targetsexternal only, no Appliancesexternal and internal with Appliances
Breaking up the scan perimeterNo; scan/report on all assetsorganized by the users into Asset Groups and/or Tags
Scan configuration (“Option Profiles”)only PCI scanninguser configurable, including PCI
Reports (“Report Templates”)technical or executive ASV compliance onlyfull customization
ASV Compliance ReportYesNo
PCI-DSS Compliance for internal vulnerability managementNoYes
Ticketing system to manage change over timeNoYes

Electronic forms to complete Self-Assessment Questionnaires

(no longer available as of 2015, see also SAQ version 3.0)

Yes NoNo

Prioritized Approach to guide merchants to complete SAQ

(no longer available as of 2015, see also SAQ version 3.0)

Yes NoNo
Electronic submission of compliance reports to acquiring bankYesNo
Copy data from one service to anotherNoPCI Account Links
copy scan results of External scanners to Qualys PCI


Question: Can I run my vulnerability management program with the Qualys PCI Certification service?

Answer: Yes, but only with great difficulty and only for public IP addresses. The PCI service is tailored for PCI and is unable to allow for optimized use in an enterprise setting.


Question: Can I get my PCI ASV compliance report with only Qualys Vulnerability Management?

Answer: No. You can run vulnerability scans for PCI related vulnerabilities and produce PCI ASV like reports, but you cannot get the required compliance report for the acquiring bank.


Question: Can I get my PCI ASV compliance report for internal IPs?

Answer: No. Internal addresses are by definition not subject to PCI ASV Compliance reporting. It is not possible to take scan results obtained by a Scanner Appliance (virtual or physical) and make these available via PCI Account Links in the Qualys PCI account.


Pragmatic How-To


  • Use Vulnerability Management to regularly scan your complete perimeter. Use Qualys' external scanners for public targets and Appliances for internal targets.
  • Identify the perimeter that needs to be PCI-DSS compliant and also run a scan with the PCI Option Profile.
  • Configure a Remediation Policy in Vulnerability Management to create tickets for machines that have vulnerabilities that will make you fail your PCI ASV Compliance report.
  • Create sub-user accounts for staff that are tasked with changing the machines in the PCI perimeter to receive the Remediation Tickets for PCI failure issues.
  • Fix these issues as per of the regular changement processes, guided by the Remediation Tickets.
  • Meet PCI-DSS requirements for internal scanning with Vulnerability Scanning (see How to Satisfy the New PCI Internal Scanning Requirements).
  • Once a month push PCI Scan results to Qualys PCI Compliance (see Using QualysGuard PCI Integration).
  • Within PCI Compliance, produce ASV Compliance reports from scan results received from Qualys Vulnerability Management
  • Within PCI Compliance complete the SAQ as, or if, needed. (no longer available as of 2015, see also SAQ version 3.0)


Interaction Between Modules

Flow Chart.png