You run PCI scan reports to analyze vulnerability scan results and report on PCI internal scan data. You can analyze trends in vulnerabilities detected, sort and filter scan data, generate graphical reports, and create executive reports that provide views on your compliance with the PCI DSS for internal scans.
Go to VM/VMDR > Reports > Templates. Find a PCI scan template and click Run from the Quick Actions menu. The details included in your report depend on the options selected in the report template and the options selected at run time.
Why don't I see this template?
It's available only when the PCI compliance feature is enabled for your subscription.
According to PCI DSS requirement 6.1, merchants must fix all vulnerabilities ranked High according to a risk ranking scale of High, Medium and Low. You can customize this scale in the report template.
The PCI compliance status (PASS or FAIL) appears only when the template uses the service-provided PCI risk ranking. Vulnerabilities with a FAIL status must be fixed to meet the PCI compliance requirements.
Tell me about the reasons
How do I view reasons in my report?
The CVSS scoring feature must be turned on for your subscription. Go to VM/VMDR > Reports > Setup > CVSS to turn on this feature. Also your PCI scan template must use the service-provided PCI risk ranking.
Tell me about vulnerabilities without a PCI status
Vulnerabilities that show no PCI status are ones the PCI compliance service found on the hosts but that are not in scope for PCI. We still recommend that you fix them in severity order.
You choose the report target when you run the report; the hosts in your target that have scan data are then included. A host has scan data when it meets all of these conditions:
- The host was a target of a vulnerability scan.
- The host was found to be active (alive) during the scan.
- The host scan completed successfully and the scanning engine returned scan data (results).
- Scan data for the host was found in your account during report generation (host was not purged after being scanned). The scan data found in your account may indicate vulnerabilities were detected or no vulnerabilities were detected.
Any host found to be active (alive) during the scan is counted.
Any host matching the filters defined in the report template is counted.
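The inclusion and status rules above, as an added illustration (not Qualys code and not the product's data model): each host is kept only when all four scan-data conditions hold, a single FAIL finding fails the host, and findings without a PCI status are listed separately in severity order. Host addresses, finding IDs and severities are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Finding:
    vuln_id: str                 # constructed identifier, not a real QID
    severity: int                # 1 (low) .. 5 (urgent)
    pci_status: Optional[str]    # "PASS", "FAIL", or None when not in PCI scope

@dataclass
class Host:
    ip: str
    scanned: bool          # condition 1: host was a target of a vulnerability scan
    alive: bool            # condition 2: host was found active during the scan
    completed: bool        # condition 3: scan completed and the engine returned results
    purged: bool           # condition 4 (negated): scan data was removed before reporting
    findings: list = field(default_factory=list)

def has_scan_data(h: Host) -> bool:
    """A host is included only when all four conditions hold; an empty
    findings list is still scan data (no vulnerabilities detected)."""
    return h.scanned and h.alive and h.completed and not h.purged

def host_status(h: Host) -> str:
    """One FAIL finding fails the host; out-of-scope findings never affect status."""
    return "FAIL" if any(f.pci_status == "FAIL" for f in h.findings) else "PASS"

def build_report(hosts: list) -> dict:
    report = {}
    for h in hosts:
        if not has_scan_data(h):
            continue  # excluded from the report target entirely
        must_fix = [f.vuln_id for f in h.findings if f.pci_status == "FAIL"]
        # out-of-scope findings, highest severity first (recommended remediation order)
        advisory = [f.vuln_id for f in sorted(
            (f for f in h.findings if f.pci_status is None), key=lambda f: -f.severity)]
        report[h.ip] = {"status": host_status(h), "must_fix": must_fix, "advisory": advisory}
    return report

# Constructed sample data (not real scan output).
SAMPLE_HOSTS = [
    Host("10.0.0.1", True, True, True, False,
         [Finding("v-1", 5, "FAIL"), Finding("v-2", 3, None), Finding("v-3", 4, None)]),
    Host("10.0.0.2", True, True, True, False, [Finding("v-4", 2, "PASS")]),
    Host("10.0.0.3", True, False, False, False),                           # not alive: excluded
    Host("10.0.0.4", True, True, True, True, [Finding("v-5", 5, "FAIL")]), # purged: excluded
    Host("10.0.0.5", True, True, True, False),                             # clean host: included
]

if __name__ == "__main__":
    for ip, row in build_report(SAMPLE_HOSTS).items():
        print(ip, row)
```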