Get Started with Alert Logic PCI Scans

A PCI scan is a type of external scan used specifically for Payment Card Industry (PCI) compliance requirements. PCI scans offer a better assessment of web servers than the regular Alert Logic external scan. For more information, see the detailed Scanning best practices documentation.

PCI scanning best practices

When configuring your scans, use the following guidelines to create successful scans and scan results. For more in-depth best practices, see the detailed Scanning best practices documentation.

  • Scan monthly. PCI compliance requires quarterly reports, but Alert Logic recommends scheduling monthly scans for PCI compliance.
  • Scan only your PCI scope.
  • Reduce your PCI scope as much as possible.
  • Scan your servers, firewalls, and routers during off-peak times.
  • Do not scan during service windows.
  • Split up long scans into distinct PCI scopes.

Remember that PCI scanning produces a legal document that can affect your compliance standing. It is the responsibility of the customer to make sure the scope is correct.

Suggested PCI scan frequency

PCI compliance requires quarterly reports, but Alert Logic recommends scheduling monthly scans for PCI compliance.

Originating IP addresses

The following table contains the range of IP addresses owned by Alert Logic. Alert Logic scans originate from a subset of these IP addresses, so make sure that your firewalls allow scanning traffic.

IP/CIDR # of addresses Included addresses 512 — 1024 — 1024 —

Explore Alert Logic PCI scans

It is possible to explore PCI scans features through the Alert Logic console.

You can access most scan-related features from the Scans page in the Alert Logic console. All PCI scan information is on the PCI Compliance tab.

To access PCI scan information:

  1. In the Alert Logic console, click OVERVIEW, and then click Scans.
  2. Click the PCI Compliance tab.
  3. You can explore PCI scan features, as follows: 
    • Current Status: View your scan status.
    • Latest Reports: Manage completed scan results.
    • PCI Scan: Create and schedule new scans.
    • PCI Disputes: See your dispute status.

For more information on these tasks, see the detailed Manage PCI scans documentation.

Schedule a PCI scan

To schedule a PCI scan:

  1. Navigate to the PCI Compliance tab on the Scans page.
  2. Under PCI Scan, click Schedule New Scan.
  3. On the New PCI Scan page, enter the requested information.

    PCI DSS requires customers to supply FQDNs in addition to external-facing IP addresses and other unique entryways into applications for the entire in-scope infrastructure. This includes, but is not limited to:

    • Discrete IP addresses
    • IP address ranges
    • Domains for all web servers
    • Domains for mail servers
    • Domains used in name-based virtual hosting
    • Web-server URLs to directories that cannot be reached by crawling the website from the home page
    • Any other public-facing domains or domain aliases
  4. Click Save.

For more information on scheduling PCI scans, see the detailed Schedule a PCI scan documentation.

Download scan reports

To download a report after a scan has finished:

  1. Navigate to the PCI Compliance tab on the Scans page.
  2. Under Latest Reports, click a scan title. The PCI Scan Result page appears.
  3. The list of available reports is under the Report Downloads heading.
    • Executive Summary: Vulnerabilities by component showing compliance status for each host scanned.
    • Vulnerability Details: Report listing the details of each vulnerability. The report is available as a .csv file or a PDF. The .csv file includes less detail than the PDF, but the information is easy to view and analyze in a spreadsheet.
    • Attestation of scan compliance: Overall summary that shows whether the scan customer’s infrastructure received a passing status.
    • PCI ASV Feedback form: Use this form if you want to send feedback to PCI SSC regarding your scanning experience, your experience with Alert Logic, or any other aspects of PCI scans.

Dispute PCI scan results

To dispute a vulnerability, provide an explanation and supporting evidence for the disputed findings, and then submit the information for review by an Alert Logic ASV Security Engineer. After you submit your dispute request, the engineer, with whom you can communicate through the PCI dispute system, reviews the submitted evidence and makes a ruling. If the engineer has questions or needs more information, he or she will communicate with you through the PCI dispute system. For more information on how to submit your dispute using the Alert Logic PCI Dispute system, see the detailed PCI dispute instructions.

PCI scan help

If you need help with your PCI results, contact Alert Logic Technical Support at (877) 484-8383 in the US, or +44 (0) 203 011 5533 in the UK.

Related topics