Netcraft’s ASV Scanning Solution is designed to help you obtain a passing PCI scan. This page describes how the scanning solution works.
Note: If the last time you required PCI compliance was prior to September 2010, you will find that the process has changed significantly since that time.
The Process in Detail
Netcraft’s ASV Scanning Solution runs alongside the Audited by Netcraft service, using the same scanning engine. However, there are some required differences between standard scans and quarterly PCI scans. The full quarterly process fulfils the requirements of the PCI ASV program guide and is described below.
Standard scan reports cannot be used for PCI compliance.
Your standard scan reports will contain a link to our PCI compliance portal. To request a PCI compliance report, visit the compliance portal, and click the “Start new quarterly PCI process” button on the home page. This will inform Netcraft that you wish the process to begin. We recommend you request a report at least five days before you intend to submit a report to your payment brand or acquirer. You should also be prepared for a significant amount of electronic correspondence during this period.
Netcraft will contact you to obtain a list of all external-facing IP addresses and domains, and to mark those which fall within your cardholder data environment (CDE). It is recommended that you employ network segmentation to keep the number of components which require scanning to a minimum. You must also provide other important details such as the configuration of any load-balancers installed on your network and lists of other “unique entryways” into applications. At a minimum you must include:
- Domains for all web-servers, including host names used in name-based virtual hosting.
- Domains for all mail servers.
- URLs to hidden directories which are not accessible by crawling your websites.
We are happy to assist in generating this list, but it is ultimately your responsibility.
You must also ensure that all scanning is carried out without interference from IDS or IPS. If you use shared hosting, it is your responsibility to ensure that the hosting environment receives a passing score. Please see the Program Guide or contact your hosting provider for more information.
After you have provided this information, and prior to scanning, Netcraft will attempt to identify any discrepancies in the scoping information you provide. To identify such discrepancies, we will look up the IP addresses of the domain names you have provided, and perform DNS lookups for commonly used hostnames and MX records in your domains. We will also identify IPs reached via web redirects, and find other domains by crawling your sites. After consulting with you and updating the scan range accordingly, we will list any IP addresses found in this fashion on your compliance report (this will not affect your compliance, but inclusion of this data is mandatory).
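As an added illustration (not Netcraft's own tooling), the Python below reconciles a declared scan range against hosts discovered through DNS in the way the paragraph above describes: it resolves each declared domain, probes a list of commonly used hostnames and the domain's MX targets, and reports any address that falls outside the declared ranges. The zone data, the hostname list and the domain example-shop.test are constructed for the example; the resolver is passed in as a callable so the code runs offline, and a wrapper around socket.getaddrinfo or a DNS library would take its place against a live zone. Redirect following and site crawling, which the page also mentions, are not covered here.

```python
"""Reconcile a declared PCI scan scope against DNS-discovered hosts."""
import ipaddress
from typing import Callable, Dict, Iterable, List, Set

Resolver = Callable[[str, str], List[str]]  # (name, record type) -> records

# Hostname prefixes to probe under each declared domain. Assumption: an
# illustrative list, not the wordlist any particular ASV uses.
COMMON_HOSTNAMES = ("www", "mail", "smtp", "webmail", "vpn", "api", "shop", "admin")

# Constructed zone data for the example; none of these records are real.
FAKE_ZONE: Dict[str, Dict[str, List[str]]] = {
    "A": {
        "example-shop.test": ["203.0.113.10"],
        "www.example-shop.test": ["203.0.113.10"],
        "api.example-shop.test": ["203.0.113.11"],
        "mail.example-shop.test": ["198.51.100.25"],  # mail lives with another provider
        "mx1.example-shop.test": ["198.51.100.25"],
        "vpn.example-shop.test": ["192.0.2.5"],       # forgotten external host
    },
    "MX": {"example-shop.test": ["mx1.example-shop.test."]},
}


def fake_resolve(name: str, rtype: str) -> List[str]:
    """Offline stand-in for a resolver: returns [] where DNS would say NXDOMAIN."""
    return FAKE_ZONE.get(rtype, {}).get(name, [])


def discover_hosts(domains: Iterable[str], resolve: Resolver) -> Dict[str, Set[str]]:
    """Map every hostname that resolves to its IPv4/IPv6 addresses.

    Candidates are the domain itself, the common prefixes under it, and the
    targets of its MX records (mail hosts are frequently on other addresses).
    """
    found: Dict[str, Set[str]] = {}
    for domain in domains:
        candidates = [domain] + [f"{prefix}.{domain}" for prefix in COMMON_HOSTNAMES]
        candidates += [mx.rstrip(".") for mx in resolve(domain, "MX")]
        for name in candidates:
            addresses = set(resolve(name, "A")) | set(resolve(name, "AAAA"))
            if addresses:
                found.setdefault(name, set()).update(addresses)
    return found


def find_scope_gaps(declared_ranges: Iterable[str], domains: Iterable[str],
                    resolve: Resolver = fake_resolve) -> Dict[str, Set[str]]:
    """Return {hostname: {addresses not covered by any declared range}}.

    An empty result means every discovered address is already in scope; a
    non-empty one is the list of discrepancies to raise before scanning starts.
    """
    networks = [ipaddress.ip_network(r, strict=False) for r in declared_ranges]
    gaps: Dict[str, Set[str]] = {}
    for host, addresses in discover_hosts(domains, resolve).items():
        missing = {a for a in addresses
                   if not any(ipaddress.ip_address(a) in net for net in networks)}
        if missing:
            gaps[host] = missing
    return gaps


if __name__ == "__main__":
    # Declared scope covers only the web tier; the mail and VPN hosts surface as gaps.
    for host, ips in sorted(find_scope_gaps(["203.0.113.0/28"], ["example-shop.test"]).items()):
        print(f"{host}: {', '.join(sorted(ips))} not in declared scope")
```

Any host reported by find_scope_gaps is exactly the kind of discrepancy that has to be resolved with the customer and then listed on the compliance report; the declared ranges should be the same ones written into the scanning contract, so that a non-empty result also signals a possible change to the contracted IP count.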
If this causes the number of IPs to be scanned to increase beyond the level agreed in your scanning contract with Netcraft, then we will contact you to update the scanning contract and negotiate extra cost as required.
Once these preliminary steps have been completed, we will scan the specified addresses.
Netcraft’s scanning process is designed to cause a minimum of disruption. In particular, we will never attempt to exploit denial-of-service vulnerabilities or buffer overflows, nor carry out brute-force attacks which could result in accounts being locked. We will also attempt not to consume excessive bandwidth. Please contact us if you experience any problems which you believe are a result of security scanning.
During scanning it is important that scan traffic is not blocked by application firewalls or other active protection mechanisms.
There are some limited exceptions to this rule, listed in the PCI ASV Program Guide, but in general failure to fully scan hosts due to blocking will result in a non-compliant report.
Note that we do not require special access to services which would not normally be internet-visible, but we must be able to scan without interference.
At this point, the results of your scan will be loaded into our PCI compliance portal and you will be able to submit “disputes”. These are to be used in cases where Netcraft is not able to detect remotely whether a vulnerability has been patched; it is your responsibility to provide evidence in these cases to show that an issue has been fixed. Evidence could include screenshots, sections of configuration files, lists of installed updates and patches, or links to Linux distributions’ bug trackers. You may also dispute CVSS base scores, components designated as segmented from PCI scope, and vulnerabilities for which you have compensating controls in place (see the Program Guide for a full list). When submitting system-generated evidence you should include information on both how and when it was generated.
Typical evidence might include:
- The relevant output of "rpm -qa package" on a RHEL, CentOS or Fedora system
- The relevant output of "dpkg -l | grep package" on Debian, Ubuntu or derivatives
- The relevant output of "wmic qfe" on Windows systems.
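The following Python is an added example (not Netcraft's tooling) of capturing such evidence together with the provenance the page asks for: it runs the package query for the host it is on and records the exact command, a UTC timestamp, the hostname, the exit status and a SHA-256 of the output, so a reviewer can see how and when the evidence was produced and whether it was altered afterwards. Two assumptions are mine: the platform is chosen by which tools are present, and on Debian-family systems dpkg-query is used in place of "dpkg -l | grep", which avoids a shell pipe and reports only the named package. The SAMPLE_COMMAND is a constructed stand-in so the example runs on any machine; the version string it prints is not a real package.

```python
"""Capture patch evidence for a PCI dispute together with its provenance."""
import hashlib
import platform
import shutil
import socket
import subprocess
import sys
from datetime import datetime, timezone
from typing import Dict, List


def evidence_command(package: str) -> List[str]:
    """Choose the package query for this host (assumption: selected by tools present).

    The Debian variant uses dpkg-query instead of "dpkg -l | grep" so that no
    shell is involved and the exact version and install status are printed.
    """
    if platform.system() == "Windows":
        return ["wmic", "qfe"]
    if shutil.which("rpm"):
        return ["rpm", "-qa", package]
    if shutil.which("dpkg-query"):
        return ["dpkg-query", "-W", "-f=${Package} ${Version} ${Status}\n", package]
    raise RuntimeError("no supported package manager found on this host")


def fingerprint(text: str) -> str:
    """SHA-256 of the captured output, so later edits to the evidence are detectable."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def collect_evidence(command: List[str], timeout: int = 60) -> Dict[str, str]:
    """Run the query and record how and when the output was produced."""
    generated_at = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    proc = subprocess.run(command, capture_output=True, text=True, timeout=timeout)
    return {
        "host": socket.gethostname(),
        "generated_at_utc": generated_at,
        "command": " ".join(command),
        "exit_status": str(proc.returncode),
        "output": proc.stdout,
        "stderr": proc.stderr,
        "sha256": fingerprint(proc.stdout),
    }


def render(evidence: Dict[str, str]) -> str:
    """Plain-text block suitable for pasting into the Report Justification box."""
    header = "\n".join(f"{key}: {evidence[key]}" for key in
                       ("host", "generated_at_utc", "command", "exit_status", "sha256"))
    return f"{header}\n--- output ---\n{evidence['output']}"


# Constructed stand-in for a package query so the example runs anywhere; on a
# real host pass evidence_command("openssl") (or the package in question) instead.
SAMPLE_COMMAND = [sys.executable, "-c", "print('openssl-1.1.1k-1.example.x86_64')"]

if __name__ == "__main__":
    print(render(collect_evidence(SAMPLE_COMMAND)))
```

Keep the rendered block and the raw output together when you submit the dispute; the hash lets the reviewer confirm that the pasted output is the one that was generated at the recorded time, and a non-zero exit status is a sign the query itself needs to be re-run rather than submitted.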
To submit disputes, click the relevant IP address in the supplied list, then:
- check the boxes next to the vulnerabilities you wish to dispute – you may select more than one, but please submit information about different patches or different compensating controls as separate disputes.
- pick a reason from the Report Type drop-down, then read the instructions which appear and enter some text in the Report Justification box. Please ensure you supply all of the required information, and attach additional evidence wherever possible.
Where possible, Netcraft will remotely validate such disputes or assess the submitted evidence for relevance, accuracy and sufficient coverage (except for minor issues with low CVSS scores, where checking is not required).
Your reports may contain “special notes”. These notes are generated when we detect the presence of certain software configurations or services. All special notes require a response, although they do not affect scan compliance. To respond to a special note, click the listed note. This will load a page containing the note’s text and allow you to enter a response. The response will then appear on your executive summary report.
Where vulnerabilities are real (listed as definite) and you make changes to fix them, Netcraft will perform rescans to confirm the changes that have been made and to check that no new vulnerabilities have been introduced. Please contact us to request these.
Once you have a passing scan (or if/when you decide that you want your final scan report even though it is not a pass), Netcraft will ask you to attest that the scan range is correct and includes all components which should be in scope according to the PCI DSS. You must also attest to several other clauses which are listed on the interface and in the Program Guide. You should ensure that the person at your organisation responsible for providing the attestation is happy with the processes you use to produce the information, in order to avoid delays in being able to give the attestation. Following attestation, Netcraft will provide you with your official final PCI reports.
You will receive three separate reports:
- An Attestation of Scan Compliance, summarising overall compliance status
- An Executive Summary, detailing vulnerabilities, “disputes” and “special notes” relating to each of the systems in your CDE
- A Detailed Report, listing vulnerabilities along with information on the systems on which they appear.
Before generating a complete “Attestation of Scan Compliance” both you and Netcraft must attest that the scan range is correct and that the relevant processes were followed. This “attestation” then forms a cover sheet for your submission.
If you require assistance or advice during any part of the above processes, please email firstname.lastname@example.org.