Nucleus allows MSSPs to generate PCI-compliant ASV reports directly from the Nucleus console. By utilizing Nucleus for management of the vulnerabilities, results, and evidence, the PCI reporting process can be exponentially improved. By integrating the PCI audit process into Nucleus workflows, you can start to think of PCI ASV audits as just generating a report as opposed to a big assessment event.
This article is intended to go through every aspect of the two PCI ASV reports, and explain how each component of Nucleus can be rolled into the PCI report. We will finally walk through how the workflow should look in Nucleus, and how that workflow minimizes repeat work from assessment to assessment, potentially saving hundreds of hours overtime.
Note: It is recommended that MSSPs use sub-org organizational structure, as opposed to projects when using Nucleus for PCI ASV assessments.
Types of PCI ASV Reports
Nucleus has the ability to generate two different PCI reports:
For more information on what is contained in each report, refer to their respective support pages.
The workflow for generating a PCI report is as follows:
Step 1 - Set up MSSP Info & Create Client to Assess
This step only needs to be done if you do not have the client's information yet set up in Nucleus.
1. Navigate to "Global Administration > Organizations"
2. Select your Organization by using the "Edit" button. You should see a star next to your Master Organization.
3. Enter in the following Details:
- Org Name: This is the name you want to show up in the PCI reports (Will also change your Org name in the Nucleus UI)
- Org Address: This is the address which will show up in the PCI reports under your ASV vendor information
- POC Information: These all show up in the PCI report, so it is recommended to fill out these fields.
- ASV Cert: This will populate in the PCI report as well (should only have to update this once a year)
These fields will all show up in the PCI report and can be used across all your ASV assessments, so one form to fill out for numerous assessments.
4. Click Save
5. Select the organization on which you would like to conduct the PCI assessment by clicking Edit.
Note: If you are creating a new client, you will have to click the "Add Organization" button, and then allocate some licenses to that client before uploading scans.
6. Fill out the organization's information as in step 3 above. This information will show up as the customer information and attestation in the PCI report.
Once you have created a client, you are ready to go!
Step 2 - Upload Scans and Organize Assets
1. Select a project you would like to use for the PCI assessment, or create a new one using the Add Project button on the "Global Dashboard"
2. Upload your vulnerability scans you would like to use for the assessment
3. Once those have finished, navigate to "Assets > All Assets" to see your list of all assets which showed up in the vulnerability scans
4. Use the checkboxes and the "Modify Assets > In Compliance Scope > No" Button to remove assets that are not in scope for the assessment from showing up in the report.
Note: These assets which have "No" as their attribute for "In Compliance Scope" will show up in the report as "Scanned but confirmed out of scope"
Additional Note: These attributes will carry forward in future scans, so when you upload the next PCI assessment scans, you will not have to do this step again.
Step 3 - Analyze Vulnerabilities
This step is the equivalent of going through a report in a Word document and making changes to the status of a vulnerability, making comments, etc. The benefit of doing it in Nucleus is that these comments carry forward. So if something is marked as a False Positive in Nucleus, it will carry forward and in the next PCI assessment you can review your False Positives, but the status and evidence will have carried forward, so less work in the next assessment!
1. Once you have removed all your out of scope assets, navigate to your vulnerability list to start managing the findings, and marking status changes. To do this, navigate to "Vulnerabilities > Active".
2. Here, you can do the following to your vulnerability list:
- Change the status of a finding on an asset:
- This is where you can mark findings as "False Positive", "Accepted Risk", "Mitigated via Compensating Control", etc.
- These status changes will show up in the PCI report, so if you mark a finding as a false positive, then it will show up in the PCI report as a scan finding, but marked as a false positive, for the full audit trail.
- Make comments on the findings:
- This is where the assessor makes their comments/reasoning as to why the status was changed. These comments will show up in the report alongside the status of the vulnerability so that you have the documentation as to the status of the finding.
- Attach evidence/screenshots
- Nucleus allows assessors to attach evidence to the finding so that they can prove the status change.
- Change the severity of a vulnerability
- This is where the assessor has the ability to customize the vulnerability based on the client's network/organization/analysis. These new severities will be reflected in the PCI report.
- Change the exploitability of a vulnerability
- Similar to severity, this vulnerability attribute shows up in the PCI report
Each of the above attributes are reflected in the PCI report, and they carry forward. When new scans are uploaded, these statuses and comments are remembered in Nucleus.
Step 4 - Add Special Notes, Custom Findings, & Callouts
This step allows ASVs to go in and add the special notes, custom callouts for specific assets, and to do that in a quick and efficient way. Nucleus provides a template library that an ASV can use across clients to add custom findings to a project. Nucleus comes pre-packaged with a template pack for PCI ASV Callouts, but users can add their own to show up in the report.
These findings will carry from one assessment to the next so the assessor will not have to add the same callouts to the same assets every time.
Note: Only specially designated PCI templates will show up in the PCI report, so adhoc custom findings are not supported for showing up in the PCI ASV reports.
To add special callouts for PCI to assets in Nucleus, do the following:
1. Navigate to "Finding Templates"
2. Select Import Template Library > PCI ASV Callouts
3. Add your own custom callouts using the Add Finding Template button.
4. IMPORTANT: To enable the custom finding template as a PCI template, you need to put PCI-Yes in the References field
5. Once you have all your custom callouts created, navigate into your project you are using for the PCI assessment.
6. Navigate to "Vulnerabilities > Active"
7. Click on Add Finding > From Template and follow the onscreen instructions, outlined below:
- Select a template: Select a PCI enabled template that you want to add to an asset from the list, and click Next
- Use the checkboxes to select the assets that are affected by this callout, and click Next
- Use the tabs on the left to navigate the assets and enter in the specific information for each asset, then click Save & Finish
Your custom callout should now show up in the active vulnerability list.
Optional: You can now manage it like it was any other finding. You can add additional comments, change statuses, upload evidence, etc.
Repeat Step 7 for as many custom callouts as you would like for this project/assessment. And you are all done! You have created your custom callouts/special notes which will show up in the PCI ASV reports.
Step 5 - Generate Report
Now comes the easy part. You have done all the work and you are ready to create the actual PCI report.
1. Go to "Reports > Reports List"
2. Select Create Report > PCI Technical Report or Create Report > PCI Executive Report
3. Type in a name of your choosing and select the asset groups you wish to include in the report (generally blank to include all assets in the project), and then click Get Report.
4. Wait a few seconds and then click the Download icon next to the report in the Reports List
That's it! Your PCI report will generate as a Word .docx file so you can make last-minute formatting changes if necessary.
Next Assessment/Getting Advanced:
During the next assessment, less work will need to be done. For a support document on how to start automating the processes around the PCI ASV assessment, refer to our Advanced PCI ASV report support page.