SecurityMetrics PCI Compliance

The most commonly asked customer questions about vulnerability scanning.

As you may expect, we get a lot of the same questions from customers about their vulnerability scanning. The following is a list of the most common questions we hear.

SEE ALSO: Picking Your Vulnerability Scanner: The Questions You Should Ask

What are you scanning, and what are you scanning for?

We scan your external IP address or domain name. The scan identifies what ports are open and responding to public traffic. The scan then tests for weaknesses in your network.

How often will SecurityMetrics scan my network?

The scans run automatically every 90 days, or whenever a scan is manually initiated by you. Keep in mind, it’s a PCI DSS requirement that you run a new scan if your environment changes in any way.

SEE ALSO: 10 Qualities to Look For When Selecting an Approved Scanning Vendor

What should I do before running a vulnerability scan?

If you have an intrusion detection system or intrusion prevention system protecting your network, you may need to add our scanner's IP range to a white-list or exclusion-list for the scan to complete accurately.

What does the CVSS on my vulnerability scan test results mean?

The scores come from the industry-standard Common Vulnerability Scoring System (CVSS). Per PCI requirements, a single score of 4 or greater results in a failed scan.

How long will it take for my vulnerability scan to complete?

There are many variables that determine how long a scan takes. Average scan completion time ranges between 3 and 4 hours. However, scans running for longer than 4 hours are not uncommon. If your scan has been running for more than 24 hours, please contact our Support Department at 801.705.5700 or

How do I manually start my own vulnerability scan?

You can start a scan on any IP you have set up on your account. In the Scan Overview tab, look at the target you want to scan, and click the Scan Now button.

How/When can I put the "SecurityMetrics PCI DSS Validated" logo on my site?

Only customers who are enrolled in a PCI compliance service may put the SecurityMetrics PCI DSS Validated logo on their website. Instructions are provided inside passing test results of each vulnerability scan.

If you have any additional questions about vulnerability scanning that weren’t answered in this blog post, feel free to contact our 24/7 support team at: 801.705.5700 or  (UK: +44 33 0808 0832)
