The September 1, 2010 deadline is here and the new PCI DSS scanning changes announced by PCI SSC earlier this year go into effect today. The new ASV program guide 1.0 includes considerable changes to the way ASV scans are performed. A lot of attention has been given to scoping, discovery, scoring and attestations. These are great improvements and bring about a lot of uniformity and accountability in the scanning process even though it does add a certain amount of extra work on the merchant and the ASV. Today we released QualysGuard PCI 5.0 to support the new requirements and help merchants easily navigate through the complexity these requirements bring about. All of us in engineering have been working on this release for the past few months, and we have put in considerable efforts to come up with a very cool UI to increase the interactivity and ease-of-use of the product, starting with the home page all the way to submitting the report for attestation. We are very excited about these new features and we hope you will like them as well. We welcome any feedback, so feel free respond to this post and ask questions or provide comments.
Let me summarize the new UI capabilities added to QualysGuard PCI 5.0 and discuss how these changes support the new ASV requirements for today’s deadline:
The new dashboard style homepage instantly presents a clear view of the current status of your network by showing whether you are passing or failing and what % of hosts are compliant. We also show counts of vulnerabilities under the new categorizations of High, Medium and Low. No matter how large your network, you can get this info without running any reports. The same applies to the SAQ dashboard, which shows how complete your questionnaire is, and how many YES/NO answers you have filled out. Also the new homepage is a great starting hub for all the important workflows like the asset wizard, SAQ wizard or starting a scan.
There are many new changes in the reports. New scoring criteria for vulnerabilities based on CVSS base score (High, Medium, Low). Reports now include clear information of passing/failing components as well as documenting false positives etc. In the application the main change is the interactivity of the reporting module with sliding panels for detailed information, as well as quick filters that help you search and sort on various criteria instantly. Navigation is very easy and pages are loaded without needing a full refresh of the screen. There is also a very useful graph of your current account summary highlighting the potentials and confirmed vulnerabilities. PCI council has made a clear statement now that ALL ASVs need to report potential vulnerabilities, which Qualys has always done from the beginning.
The new compliance report wizard walks you through every step of the process in an informative manner presenting the various tasks that need to be taken care of for the compliance report, including a way to fill out the mandatory merchant attestation. ‘Special Notes’ are required for certain type of software detected on the network. Merchants can provide a consolidated action plan for IPs that still fail compliance. The wizard will then walk you through the steps to attest the report and request a review of the report from the ASV. Given the extra steps I recommend merchants allow for an extra 3-5 days to get the review completed before they can download certified reports.
A new workflow has been added to walk merchants through the process of identifying IPs and domains that are in scope for PCI compliance. providing the URL of your payment application is important so we can scan it for various web application vulnerabilities like SQL injection and XSS. There is a new discovery process that tries to identify other ips based on common host-names like www, mail, smtp and MX record lookup to provide merchant with option to include them in their account. Steps have been included to attest to load balancer settings as well as provide info on configuring IPS/IDS to allow for Qualys scanner ips as this is a requirement from the council.
False Positives Reporting Workflows:
The new requirements states that all approved false positives must be revalidated by the ASVs on a quarterly basis. In order to help you identify these expired false positives, we introduced new workflows with an easy-to-use false positive request tracking interface to identify them and resubmit for approval every 90 days.
Seamless Integration with QualysGuard:
Another important change is that now customers using QualysGuard to perform PCI scanning can continue to do so in QualysGuard, but must use QualysGuard PCI to generate certified reports and submit for attestation. As part of this release, we have added seamless integration between the two products to facilitate this attestation process and allow customers to continue to use QualysGuard (Enterprise, Express or Consultant) for PCI scanning. For more information, see Using QualysGuard PCI integration.
As you can see, these are all considerable changes and we hope they will help all our customers, as well as our ASV partners, that use QualysGuard in their PCI practices to become more efficient in managing PCI compliance. I have attempted to make a quick video highlighting the new QG PCI 5.0 UI as best as an engineer can :-) Please give us your feedback!!