
PCI DSS Scanning in Invicti

This document is for:
Invicti Enterprise On-Demand

Invicti users can run Payment Card Industry Data Security Standard (PCI DSS) scans to receive approved PCI DSS compliance reports for their public-facing websites.

To generate an approved PCI DSS Report in Invicti Enterprise, you must first configure the scan to produce PCI DSS Scan information. If your account is not permitted to start a PCI Scan, contact the Sales team at [email protected] so that they can change your product plan.

PCI DSS Scans are only available for Invicti Enterprise On-Demand users and for websites whose Agent Mode is set to Cloud.

You can configure Invicti Standard to perform a PCI DSS Scan, but its report does not constitute an official (ASV) report. A normal scan in Invicti Enterprise or Invicti Standard produces only an unofficial PCI DSS Report. For further information on how to generate reports after a scan, see PCI DSS Compliance Report.

Prerequisite

Allowlisting Requirement

  • Allowlist the following IP address range (a /24 network, not a single address or URL) in your firewall, WAF and any rate-limiting or bot-protection layer to achieve full PCI coverage: 38.123.140.0/24
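A practical way to confirm that the allowlist is actually in effect is to check your web server access logs during the PCI Scan for requests from the scanner range that were answered with 403 or 429, since a WAF or rate limiter that blocks the scanner reduces coverage without any visible error in the scan itself. The script below is an added example, not Invicti's own code; it assumes a Combined Log Format access log (the regex is a simplified version of that format) and uses constructed sample lines rather than real scan traffic.

```python
import ipaddress
import re
from collections import Counter
from typing import List, Tuple

# Source range the page says to allowlist for full PCI (ASV) coverage.
ASV_RANGE = ipaddress.ip_network("38.123.140.0/24")

# Simplified Combined Log Format matcher: client IP, request line, status code.
# Assumption: logs are in this layout; adjust the regex for other formats.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3})\b'
)

# Status codes that indicate the scanner was blocked or throttled.
BLOCKED_STATUSES = {403, 429}

# Constructed sample access-log lines (not real scanner traffic).
SAMPLE_LOG = """\
38.123.140.17 - - [10/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 1234
38.123.140.17 - - [10/Jan/2024:10:00:02 +0000] "GET /login HTTP/1.1" 403 0
38.123.140.42 - - [10/Jan/2024:10:00:03 +0000] "GET /admin HTTP/1.1" 403 0
203.0.113.9 - - [10/Jan/2024:10:00:04 +0000] "GET / HTTP/1.1" 200 1234
38.123.140.99 - - [10/Jan/2024:10:00:05 +0000] "GET /api HTTP/1.1" 429 0
this line is malformed and must be skipped
"""


def is_allowlisted(ip: str, net: ipaddress.IPv4Network = ASV_RANGE) -> bool:
    """True if the address lies inside the range that must be allowlisted."""
    try:
        return ipaddress.ip_address(ip) in net
    except ValueError:
        # Not a valid IP literal (for example a hostname); treat as outside the range.
        return False


def _parse(log_text: str):
    """Yield (ip, request, status) for every well-formed log line."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group("ip"), m.group("req"), int(m.group("status"))


def scanner_status_summary(log_text: str, net: ipaddress.IPv4Network = ASV_RANGE) -> Counter:
    """Count HTTP status codes for requests that came from the scanner range."""
    counts: Counter = Counter()
    for ip, _req, status in _parse(log_text):
        if is_allowlisted(ip, net):
            counts[status] += 1
    return counts


def blocked_scanner_requests(
    log_text: str, net: ipaddress.IPv4Network = ASV_RANGE
) -> List[Tuple[str, str, int]]:
    """Return scanner-range requests that were blocked or throttled, in log order."""
    return [
        (ip, req, status)
        for ip, req, status in _parse(log_text)
        if is_allowlisted(ip, net) and status in BLOCKED_STATUSES
    ]


if __name__ == "__main__":
    print("status codes seen from scanner range:", dict(scanner_status_summary(SAMPLE_LOG)))
    for ip, req, status in blocked_scanner_requests(SAMPLE_LOG):
        print(f"BLOCKED  {ip}  {status}  {req}")
```

Run it against the real access log instead of SAMPLE_LOG (for example by reading the file into `log_text`); any line printed as BLOCKED means a protection layer in front of the site is still interfering with the scanner and the allowlist needs to be extended to that layer.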

Running a PCI Scan in Invicti Enterprise

When configuring a New Scan, you can enable Create PCI Scan to ensure that a PCI Scan is conducted in addition to your Invicti Enterprise scan.

This additional PCI Scan is related to, but not identical to, your Enterprise Scan. Scan Options configured in Invicti Enterprise do not affect the PCI Scan; the two scans run independently of each other.

How to run a PCI DSS Scan in Invicti Enterprise
  1. Log in to Invicti Enterprise.
  2. From the main menu, select Scans > New Scan.
  3. Select the PCI Scan tab while configuring the Scan Options.
  4. Select the Create PCI Scan checkbox.
  5. Configure the remaining settings as required.
  6. Select Launch.
How to run a PCI DSS Group Scan in Invicti Enterprise
  1. Log in to Invicti Enterprise.
  2. From the main menu, select Scans > New Group Scan.
  3. In the New Website Group Scan window, while configuring the Scan Options, select the Enable PCI Scan checkbox.
  4. Configure the remaining settings as required.
  5. Select Launch.

PCI DSS Scan status management in Invicti Enterprise

The status of the PCI DSS Scan follows the status of your Invicti Enterprise scan:

  • If you select Pause on your ongoing Invicti Enterprise scan, the PCI Scan also pauses.
  • If you select Cancel on your Invicti Enterprise scan, the PCI Scan is also cancelled.

Note that your Invicti Enterprise scan may finish before the PCI Scan completes; the PCI result is not available until the PCI Scan itself has finished.

Viewing PCI DSS Scan Results in Invicti Enterprise

When your PCI Scan is complete, you can view the compliance result on the Report page.

How to view the PCI DSS Scan Results
  1. Log in to Invicti Enterprise.
  2. From the main menu, select Scans > Recent Scans.
  3. Next to the relevant scans, select Report.
  4. On the Scan Summary page, select the Export drop-down to download a report.

The PCI Compliance Report is available in three formats:

  • Attestation Report: The results report. It contains the compliance result.
  • Detailed Report: Contains detailed information about the IP addresses you scanned, including the findings behind the result. It should not be shared with third parties.
  • Executive Report: States whether or not your environment meets the ASV scanning guidelines set by the PCI Security Standards Council.

For further information, see How to generate a PCI DSS Compliance Report in Invicti Enterprise.

Defining the PCI DSS scan policy in Invicti Standard

In Invicti Standard, you can define the Scan Policy so that only the PCI Checks are performed. This security test scans only for vulnerabilities that carry a PCI classification.

You can also download a PCI Compliance Report based on these PCI classifications. The report lists the vulnerabilities that fall under a PCI classification, along with their details.

For further information on how to download a PCI Compliance Report on Invicti Standard, see Report Templates.

How to define the PCI Scan Policy in Invicti Standard
  1. Open Invicti Standard.
  2. In the Home tab, select New. The Start a New Website or New Service Scan dialog is displayed.
  3. In the Target Website or Web Service URL field, enter the URL of the website you want to scan.
  4. In the Scan Policy drop-down, select PCI Checks.
  5. Complete the other fields as required.
  6. Select Start Scan.
