Check Scanner IP Addresses
Per the PCI Council's Program Guide, it is your responsibility to confirm that the PCI network scan of your entire in-scope infrastructure can be performed without interference from intrusion detection systems (IDSs) and intrusion prevention systems (IPSs).
Only IPs that are accessible from the Internet are scanned by the service. The service automatically provides multiple scanners for external (perimeter) scanning, located at the Security Operations Center (SOC) that is hosting the PCI compliance service. Depending on your network, it may be necessary to add the scanner IPs to your list of trusted IPs, so the service can send probes to your in-scope system components.
The scanner IPs are:
64.39.96.0/20 (64.39.96.1-64.39.111.254)
139.87.112.0/23 (139.87.112.1-139.87.113.254)
IP Exclusion for Datacenter Migration
As part of the PCI Colocation datacenter migration, we recommend adding the IP subnet 69.67.179.0/24 to the allowlist to ensure an uninterrupted scanning experience. If you want to add specific IPs to the allowlist, refer to the following table.
| Service URL | Existing IPs in Allowlist | Additional IPs for Allowlist | Server Protocol |
|---|---|---|---|
| pci-api.qualys.com | 64.39.96.134 | 69.67.179.134 | HTTPS |
| pci.qualys.com | 64.39.96.244 | 69.67.179.244 | HTTPS |
For more information on datacenter migration, refer to Notice of Datacenter Migration of Qualys PCI Platform.
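One way to audit an existing allowlist against the ranges above is shown in this added example, which is not part of the Qualys documentation. The function name `uncovered` and the sample allowlist are assumptions made for illustration; the required ranges are the ones listed on this page.

```python
import ipaddress

# Scanner ranges and the migration subnet, exactly as listed on this page.
REQUIRED = ["64.39.96.0/20", "139.87.112.0/23", "69.67.179.0/24"]

def uncovered(required, allowlist):
    """Return the parts of `required` that no `allowlist` entry covers (CIDR strings)."""
    nets = (ipaddress.ip_network(a, strict=False) for a in allowlist)
    # IPv4 only: every range on the page is IPv4, so IPv6 entries are ignored.
    allowed = list(ipaddress.collapse_addresses(n for n in nets if n.version == 4))
    gaps = []
    for req in map(ipaddress.ip_network, required):
        remaining = [req]
        for a in allowed:
            nxt = []
            for r in remaining:
                if r.subnet_of(a):
                    continue                          # fully covered by this entry
                if a.subnet_of(r):
                    nxt.extend(r.address_exclude(a))  # entry covers only part of r
                else:
                    nxt.append(r)                     # CIDR blocks nest or are disjoint
            remaining = nxt
        gaps.extend(remaining)
    return [str(n) for n in ipaddress.collapse_addresses(gaps)]

# Constructed sample allowlist (hypothetical, not taken from the page): the /20
# entered as two /21s, only half of the /23, and only the two per-host
# migration IPs from the table instead of the whole /24.
SAMPLE_ALLOWLIST = [
    "64.39.96.0/21", "64.39.104.0/21",
    "139.87.112.0/24",
    "69.67.179.134", "69.67.179.244",
]

if __name__ == "__main__":
    for gap in uncovered(REQUIRED, SAMPLE_ALLOWLIST):
        print("not allowlisted:", gap)
```

An empty result means every scanner address is covered. Any CIDR returned is a block the scanners may probe from that your trusted-IP list does not yet include.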