Generating PCI Compliance Reports
In JSA Vulnerability Manager, you can generate a compliance report for your PCI (payment card industry) assets. For example, generate a report for assets that store credit card or other sensitive financial information.
The compliance report demonstrates that you took all the security precautions necessary to protect your assets.
Run a PCI scan for the assets in your network that store or process PCI information.
For more information, see Creating a Scan Profile.
Update your asset compliance plans and software declarations.
Your compliance plan and software declarations are displayed in the special notes section of the executive summary.
For more information, see the PCI security standards for approved software vendors.
Create and run a PCI compliance report for the assets that you scanned.
Updating Your Asset Compliance Plans and Software Declarations
In JSA Vulnerability Manager, if you want to generate a PCI compliance report for your assets, you must complete your attestations for each asset.
Your attestation of compliance is displayed on your PCI compliance report.
Click the Assets tab.
In the navigation pane, click Asset Profiles.
On the Assets page, select the asset that you want to provide an attestation for.
On the toolbar, click Edit Asset.
In the Edit Asset Profile window, click the CVSS, Weight & Compliance pane.
Complete the following fields. Use the hover help if you need assistance:
Compliance Plan
Compliance Notes
Compliance Notes Declaration
Compliance Notes Description
Compliance Out Of Scope Reason
Click Save.
Creating a PCI Compliance Report
In JSA Vulnerability Manager, you can create and run a PCI compliance report.
The PCI compliance report demonstrates that your assets involved in PCI activities comply with security precautions that prevent outside attack.
Ensure that you ran a PCI compliance scan.
Click the Reports tab.
On the toolbar, select Actions >Create.
Click Weekly and then click Next.
Click the undivided report layout that is displayed on the upper left section of the report wizard and click Next.
Type a Report Title.
In the Chart Type list, select Vulnerability Compliance and type a Chart Title.
In the Scan Profile list, select the scan profile for the assets that you scanned.
Note:If no scan profile is displayed, you must create and run a PCI scan of the assets in your network that store or process PCI information.
In the Scan Result list, select the version of the scan profile that you want to use.
CAUTION:To provide evidence of your compliance, you must select the Latest option in the Scan Result list. You can also generate a compliance report by using a scan profile that was run at an earlier date.
In the Report Type list, select a report type.
If you select Executive Summary, Vulnerability Details, or a combination of both, the attestation is automatically attached to your PCI compliance report.
Complete the information in the Scan Customer Information and Approved Scanning Vendor Information panes.
Note:You must add a name in the Company field for both panes, as this information is displayed in the attestation section of the report.
Click Save Container Details and then click Next.
Use the Report Wizard to complete your PCI compliance report.
The report is displayed in the reports list and is automatically generated.
Some table columns in the resultant PDF document are not displayed when you create a PDF report with the following parameters:
Chart type - Vulnerabilities
Graph type - Table
Data to use - Current
Group by - Instance
The large number of table columns that cannot fit on a standard landscape US letter page causes this error to occur.
To avoid this issue, do not use PDF output for this type of report. View Vulnerabilities Reports that use Group by Instance in a spreadsheet or XML format. To export the report, select XLS or XML as the report format in the Report Wizard.