Configure a PCI Scan Report Template

You use a PCI scan report template to report on PCI internal vulnerability scans. Template settings allow you to customize what information is included (scan results, hosts, vulnerabilities and services) and how much to display for your report.

How do I create a PCI scan report template?

What is PCI risk ranking?

Tell me about host based findings

How to customize the PCI risk ranking

Tell me about scan based findings

Tell me about report filters

How much information is displayed?

Flag services and ports as required or unauthorized

How do I share reports with other users?

Requirements when using the Scan by Hostname feature

How do I create a PCI scan report template?

Go to VM/VMDR > Reports > Templates to view the report templates in your account. To create a new template, select New > PCI Scan Template. To edit an existing one, hover over a PCI scan template and select Edit from the Quick Actions menu.

Tell me about host based findings

We recommend Host Based Findings since it encompasses the latest vulnerability data from all of your scans. Each time you create a report, we'll automatically collect the vulnerability data that we've indexed per host in your account; we refer to this as host based findings. This option gives you the most comprehensive and up-to-date picture of your vulnerability status.

You can create reports with trending information when you've selected Host Based Findings. If you use the default, we'll include vulnerability information for the last 2 detections. In other words, we'll analyze the last two detections for each vulnerability on each host and compare the current vulnerability status (New, Fixed, Re-Opened, Active) to the last known vulnerability status. Do you want to analyze trends for a timeframe instead? Just choose a different timeframe (daily, weekly or monthly) and we'll analyze the vulnerability status for the timeframe selected.

Only include scan results from the specified timeframe

Tell me about scan based findings

Select Scan Based Findings to run a report based on saved scan results. This gives you a view of your risk at a particular moment in time (at the time of the scan). Each time you create a report with this setting, you must manually select saved scan results to include in the report. Vulnerability data and hosts included in your report are specific to the scans that you choose at run time.

How much information is displayed?

The Display tab allows you to select how much information to include in the report, in both the summary and detailed results sections. You can choose to include report graphics, add custom text to the report footer, determine how the detailed results should be sorted and how much detail to include for each vulnerability.

How do I share reports with other users?

Managers and Unit Managers can grant users access to reports created from this template (when Report Share is enabled for your subscription). On the User Access tab, you can grant access to any user who wouldn't be distributed the report automatically, based on their account settings.

What is PCI risk ranking?

The PCI Council requires merchants to establish a process to identify and assign risk rankings for newly discovered security vulnerabilities. The service uses the risk rankings High, Medium and Low. By default these are set to the same CVSS scores as required for ASV external scans. By customizing the risk ranking scale within the PCI scan report template, you can create different reports for different subnets, using a different risk ranking scale for each.

How to customize the PCI risk ranking

On the PCI Risk Ranking tab click the Custom PCI Risk Ranking button. Use the Customized Ranking sliders to set the risk rankings. Click and move the M slider to set the level for medium risk. Click and move the H slider to set the level for high risk. The slider setting indicates greater than or equal to the selected score. For example, if the H indicator is set to 7, this means a CVSS score 7.0 or greater will be considered High ranking.

A comment is required for customized ranking. You may, for example, provide a reason why the selected ranking is appropriate in your environment.

Click the "Add Search List Exception" button to add vulnerability exceptions using search lists. Select one or more vulnerability search lists and then select a risk ranking for each list from the Ranking menu. The ranking selected for a list will apply to all QIDs in that list.

A comment is required for each search list for which you define a custom ranking. You may, for example, provide a reason why the selected ranking is appropriate for that vulnerability search list in your environment.

A note about search list exceptions: If multiple search lists are selected and a QID is included in more than one of the lists, that QID receives the ranking selected for the last search list. In other words, if QID 1234 is included in search lists A, B and C, and search list C is the last of these to be added, then QID 1234 receives the ranking selected for search list C.
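The two rules above (a slider value means "greater than or equal to", and the last search list added wins for a QID that appears in several lists) are easy to get wrong when reproducing a template's ranking outside the service, for example when reconciling a report against your own vulnerability tracker. The following is an added worked example, not Qualys code; the threshold values, search list names and QIDs are constructed samples, and the default ASV thresholds are not assumed.

```python
"""Added example (not Qualys code): apply a customized PCI risk ranking
scale plus search-list exceptions, as described in the template help.

Rules implemented:
  * the M and H slider values are inclusive lower bounds (score >= value)
  * a search list exception overrides the score-based ranking for every
    QID in that list
  * when a QID is in several exception lists, the list added last wins
"""

from dataclasses import dataclass, field

RANKINGS = ("High", "Medium", "Low")


@dataclass
class RiskScale:
    medium: float            # M slider: CVSS >= medium -> Medium
    high: float              # H slider: CVSS >= high   -> High
    # Exceptions in the order they were added: (list name, QIDs, ranking, comment)
    exceptions: list = field(default_factory=list)

    def __post_init__(self):
        if not 0.0 <= self.medium <= self.high <= 10.0:
            raise ValueError("expected 0 <= medium <= high <= 10 on the CVSS scale")

    def add_search_list_exception(self, name, qids, ranking, comment):
        # The service requires a comment for every customized list ranking.
        if ranking not in RANKINGS:
            raise ValueError(f"unknown ranking {ranking!r}")
        if not comment.strip():
            raise ValueError("a comment is required for each search list exception")
        self.exceptions.append((name, frozenset(qids), ranking, comment))

    def rank_by_score(self, cvss):
        """Score-based ranking only (no exceptions)."""
        if cvss >= self.high:
            return "High"
        if cvss >= self.medium:
            return "Medium"
        return "Low"

    def rank(self, qid, cvss):
        """Final ranking for one QID: score-based, then exceptions, last list wins."""
        ranking = self.rank_by_score(cvss)
        for _name, qids, list_ranking, _comment in self.exceptions:
            if qid in qids:
                ranking = list_ranking   # a later list overrides an earlier one
        return ranking


def build_sample_scale():
    """Constructed sample: H at 7, M at 4, and lists A, B, C added in that order."""
    scale = RiskScale(medium=4.0, high=7.0)
    scale.add_search_list_exception("A", {1234}, "Low", "sample: mitigated by network segmentation")
    scale.add_search_list_exception("B", {1234, 5678}, "Medium", "sample: compensating control in place")
    scale.add_search_list_exception("C", {1234}, "High", "sample: in-scope CDE hosts")
    return scale


if __name__ == "__main__":
    scale = build_sample_scale()
    for qid, cvss in ((1234, 2.0), (5678, 9.8), (9999, 7.0), (9999, 6.9)):
        print(f"QID {qid} CVSS {cvss}: {scale.rank(qid, cvss)}")
```

QID 1234 ends up High even though its score-based ranking is Low, because list C was added last; QID 5678 ends up Medium from list B regardless of its 9.8 score, which is exactly the kind of downgrade the required comment should justify.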

Tell me about report filters

On the Filter tab, you can customize the vulnerabilities included in the report (under Selective Vulnerability Reporting) and filter the report by operating system, vulnerability status, or vulnerability category. Selected items are included in the report and cleared items are filtered out.

Flag services and ports as required or unauthorized

On the Services and Ports tab, it's possible to flag specific services and ports as either "required" or "unauthorized". When a service or port marked "unauthorized" is detected, or one marked "required" is not detected, it appears as a vulnerability in the report under these QIDs: 38175 (Unauthorized Service Detected), 82043 (Unauthorized Open Port Detected), 38228 (Required Service Not Detected) and 82051 (Required Port Not Detected). The filters for the report template on the Filter tab must include these QIDs. Note that if Custom is selected in the Selective Vulnerability Reporting section, you must add these QIDs (in search lists), otherwise these findings are silently left out of the report.
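The interaction between the Services and Ports tab and the Filter tab is the usual surprise here: a custom filter that omits the four QIDs drops the service/port findings without any warning. The following added example (not Qualys code) models that interaction so the effect is visible; the service and port names and the detection data are constructed samples, and only the four QIDs come from the help text above.

```python
"""Added example (not Qualys code): derive service/port findings from a
Services and Ports configuration and show which of them survive the
report's Filter tab. The QIDs are the ones named in the template help;
everything else is constructed sample data.
"""

UNAUTHORIZED_SERVICE_DETECTED = 38175
UNAUTHORIZED_OPEN_PORT_DETECTED = 82043
REQUIRED_SERVICE_NOT_DETECTED = 38228
REQUIRED_PORT_NOT_DETECTED = 82051
SERVICE_PORT_QIDS = frozenset({38175, 82043, 38228, 82051})


def service_port_findings(detected_services, detected_ports,
                          required_services=(), unauthorized_services=(),
                          required_ports=(), unauthorized_ports=()):
    """Return (qid, item) pairs for one host, following the tab semantics:
    unauthorized + detected, or required + not detected, is a finding."""
    detected_services, detected_ports = set(detected_services), set(detected_ports)
    findings = []
    for svc in sorted(set(unauthorized_services) & detected_services):
        findings.append((UNAUTHORIZED_SERVICE_DETECTED, svc))
    for port in sorted(set(unauthorized_ports) & detected_ports):
        findings.append((UNAUTHORIZED_OPEN_PORT_DETECTED, port))
    for svc in sorted(set(required_services) - detected_services):
        findings.append((REQUIRED_SERVICE_NOT_DETECTED, svc))
    for port in sorted(set(required_ports) - detected_ports):
        findings.append((REQUIRED_PORT_NOT_DETECTED, port))
    return findings


def apply_report_filter(findings, custom_filter_qids=None):
    """Model the Filter tab: None means the default (all QIDs pass); a set
    models Custom selective reporting, where only listed QIDs are reported.
    Returns (reported, dropped) so the silent loss is visible."""
    if custom_filter_qids is None:
        return list(findings), []
    reported = [f for f in findings if f[0] in custom_filter_qids]
    dropped = [f for f in findings if f[0] not in custom_filter_qids]
    return reported, dropped


def missing_service_port_qids(custom_filter_qids):
    """Check a custom filter for the QIDs the Services and Ports tab depends on."""
    return sorted(SERVICE_PORT_QIDS - set(custom_filter_qids))


def sample_findings():
    # Constructed sample host: a web server where only HTTPS is expected.
    return service_port_findings(
        detected_services={"https", "telnet"},
        detected_ports={443, 23},
        required_services={"https", "ssh"},
        unauthorized_services={"telnet"},
        required_ports={443, 22},
        unauthorized_ports={23},
    )


if __name__ == "__main__":
    findings = sample_findings()
    custom_filter = {11111, 22222}   # constructed: a custom filter that forgot the four QIDs
    reported, dropped = apply_report_filter(findings, custom_filter)
    print("findings:", findings)
    print("reported:", reported, "dropped:", dropped)
    print("QIDs to add to the custom filter:", missing_service_port_qids(custom_filter))
```

Running `missing_service_port_qids` against a template's custom search lists before scheduling the report is the cheap check that avoids a PCI report that looks clean only because the port findings were filtered out.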

Requirements when using the Scan by Hostname feature

If you are using the Scan by Hostname feature and you want to report on hosts scanned by hostname, note the following requirements. In IPs/Ranges you must enter IPs/ranges that are resolved from the scanned DNS and NetBIOS hostnames. In Asset Groups you must enter asset groups which contain IP addresses that are resolved from the scanned DNS and NetBIOS hostnames.