If your systems process, store, or transmit cardholder data, you may be using Nexpose to comply with the Payment Card Industry (PCI) Security Standards Council's Data Security Standard (DSS). The new PCI internal audit scan template, released as part of Nexpose 5.11.4, is designed to help you conduct the internal assessments the DSS requires.

To learn more about PCI DSS 3.0, visit our resource page.

The following is an outline of a suggested process to use with Nexpose to help with your internal PCI scans. (For more information on how to use any of the features in Nexpose, see the Help or User's Guide.)

  1. As described in PCI DSS 3.0 section 6.1, you need to create a process to identify security vulnerabilities. To do so, create one or more sites in Nexpose using the following configurations:
    1. Include the assets you need to scan for PCI compliance. (Generally these hosts will make up your cardholder data environment, or “CDE”.)
    2. Use the PCI internal audit scan template.
    3. Specify credentials for the scan. (These credentials should have privileges to read the registry, file, and package management aspects of target systems).
  2. As indicated in the PCI Data Security Standard requirements 11.2.1 and 11.2.3, you need to create and examine reports to verify that you have scanned for and remediated vulnerabilities. You should also keep copies of these reports to prove your compliance with the PCI DSS.
    1. Create a new report as indicated in the Nexpose Help or User's Guide. You will most likely want to use the PCI Executive Summary and PCI Vulnerability Details reports. Follow this process for each of those templates. Specify the following settings:
      1. For the Scope of the report, specify the assets you are scanning for PCI.
      2. In the advanced settings, under Distribution, specify the e-mail sender address and the recipients of the report.
  3. Mitigate the vulnerabilities. The description of a vulnerability contains remediation steps.
  4. Re-scan to verify that your mitigations have successfully resolved the findings.
    1. If compensating controls are used, it may be necessary to use exception handling to eliminate the associated findings. (It may not be possible for automated tools to detect your compensating control even if it is effective in mitigating associated risk.)
  5. Continue to scan and mitigate. You will need to scan internally quarterly until you have remediated all high-risk vulnerabilities, as defined in sections 6.1 and 11.2.1 of the PCI DSS. You will also need to scan after major changes, as defined in section 11.2.3. The acceptable timeframes for applying remediations are outlined in section 6.2.
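Steps 4 and 5 boil down to a recurring question: which open findings still block a clean internal scan cycle once remediated items and documented compensating-control exceptions are taken out? The following is an added example (not Rapid7's code) that answers that question over a constructed, Nexpose-like CSV export; the column names, the sample rows, the exception register and the CVSS 4.0 "high-risk" threshold are all assumptions, since PCI DSS 6.1 lets each entity define its own risk ranking.

```python
import csv
import io
from dataclasses import dataclass

# Assumed threshold: PCI DSS 6.1 lets the entity define its own risk ranking.
HIGH_RISK_CVSS = 4.0

# Constructed sample export in a Nexpose-like CSV layout (illustrative columns).
FINDINGS_CSV = """asset,vuln_id,title,cvss,status
10.0.1.10,ssl-weak-cipher,Weak SSL cipher suites,4.3,open
10.0.1.10,ssh-version,SSH version disclosure,2.6,open
10.0.1.11,smb-signing,SMB signing not required,5.0,open
10.0.1.12,apache-old,Outdated Apache,7.5,remediated
"""

# Constructed exception register for compensating controls (step 4.1): (asset, vuln_id).
EXCEPTIONS = {("10.0.1.10", "ssl-weak-cipher")}

@dataclass
class Finding:
    asset: str
    vuln_id: str
    title: str
    cvss: float
    status: str

def parse_findings(text):
    """Parse the CSV export into Finding objects."""
    return [Finding(r["asset"], r["vuln_id"], r["title"], float(r["cvss"]), r["status"])
            for r in csv.DictReader(io.StringIO(text))]

def blocking_findings(findings, exceptions, threshold=HIGH_RISK_CVSS):
    """Open high-risk findings with no approved exception; each one blocks a passing cycle."""
    return [f for f in findings
            if f.status == "open" and f.cvss >= threshold
            and (f.asset, f.vuln_id) not in exceptions]

def assets_to_rescan(findings, exceptions, threshold=HIGH_RISK_CVSS):
    """Assets that still need remediation and a re-scan (step 4)."""
    return sorted({f.asset for f in blocking_findings(findings, exceptions, threshold)})

def stale_exceptions(findings, exceptions):
    """Exceptions that no longer match an open finding; review and retire them."""
    open_keys = {(f.asset, f.vuln_id) for f in findings if f.status == "open"}
    return sorted(exceptions - open_keys)

def cycle_passes(findings, exceptions, threshold=HIGH_RISK_CVSS):
    """True when every high-risk finding is remediated or covered by an exception (step 5)."""
    return not blocking_findings(findings, exceptions, threshold)
```

Run it against a real export by swapping `FINDINGS_CSV` for the file contents and `EXCEPTIONS` for your documented exception register; keep the register under change control, since each entry asserts that a compensating control is in place.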