PCI Compliance Release 6.1

November 13, 2025

With this release of PCI Compliance, we are introducing the following new features and enhancements.

PCI Compliance — TAS Integration

We have integrated PCI Compliance with TotalAppSec (TAS). The integration lets you generate a PCI compliance report with attestation for TAS scans.

The integration extends web application compliance coverage: you can scan large web applications that require authentication and generate a compliance report for them.

The following subsections provide detailed information about PCI Compliance — TAS integration.

Prerequisites

You must meet the following requirements to use this feature:

  • Must have an active subscription for Qualys TAS and a PCI Merchant account.
  • Must have TAS 1.24 or later.
  • Must have PCI Merchant users added to your Qualys Vulnerability Management (VM) account.
  • The TAS scans, which you want to share with PCI Compliance, must be complete. Only scans with the following statuses can be shared with PCI: Result Processed Successfully, Max Links Crawled, Time Limit Reached, Time Limit Exceeded, Service Error, and Canceled With Results.

Steps to Attest TAS Scan Reports

Perform the following steps to share TAS Scan reports with PCI Compliance for attestation.

Step-1: Share TAS Scans with PCI Compliance

The following steps outline how to share TAS scans with PCI Compliance.

  1. In the TAS application user interface, navigate to Scans > Scan List.
  2. Locate the TAS scan that is completed.

    An option to share TAS Scan data with PCI Compliance.

    You can also use the Group By filter to search for completed Vulnerability scans.
  3. Find the TAS scans that have either an IP address or an FQDN in the scan URL. Locate the required scan and click Share with PCI. The PCI List window is displayed.

    The Share with PCI option is available only for scans that have an IP address or FQDN in the scan URI.

  4. Select the PCI Merchant user with whom you want to share the TAS Scan data.

    Select PCI Merchant user to share the TAS Scan.

    The PCI Merchant user list in TAS is imported from the VM application. You can edit the list in PCI Admin or VM applications.

  5. Click Add to share the selected scan with the PCI Merchant user. 

    Success message for Shared TAS scan data.

Step-2: Submit Compliance Reports for Attestation

The following steps outline how to generate TAS scan reports and share them for attestation.

  1. From the module picker, click the PCI application. The PCI Setup window opens.

    Selecting PCI Compliance from Module picker.
  2. Select the user with whom you want to share the TAS Scan data and click Launch.

    Select PCI Merchant user to share the TAS Scan Data.

    In the PCI Setup window, you can also create new users or add existing users with whom to share the TAS Scan data.
  3. In the PCI Compliance user interface, navigate to Network > Scan Results to see the scan shared from TAS to PCI.

    PCI UI scan result listing window showing scans shared from TAS/WAS.
  4. Download the TAS scan result to see the scan details.
  5. To view the list of vulnerabilities discovered in PCI and TAS scans, navigate to Network > Vulnerabilities.

    If the same asset is scanned in both the PCI and TAS/WAS scans, use the latest reported QIDs for False Positive submission.

  6. Navigate to the Compliance > Compliance Status tab.

  7. Open the Web App Targets section. It lists the Vulnerabilities, IP Addresses, and FQDNs shared with PCI.

  8. Click Generate Report. The Report Generation Wizard opens. You can see the asset details and add comments while generating the report.

    Generate Compliance Report.

  9. In the Report Generation Wizard, provide the required details.

  10. Click Generate Report. The compliance report, consisting of TAS scan data, is generated.

  11. Click Next to view and save the compliance reports. 

  12. Select the report type. The PCI Executive Report and the PCI Technical Report are downloaded. 

  13. Click Request Review Now to share the report for attestation with the Approved Scanning Vendor (ASV). You can also schedule the report review with the Request Review Later option.

  14. To view the report status, navigate to the Compliance > Submitted Reports tab.

    View Compliance Report status.

Current Scope

The current scope of PCI Compliance — TAS integration has the following limitations.

  • The PCI Compliance — TAS integration is supported only for TAS Vulnerability scans that have an IP address or FQDN in the scan URI. If the TAS scan URI contains domain names and other attributes, the option to share scan data with PCI is disabled.
  • The PCI Merchant users available for sharing the TAS scan data are imported from Vulnerability Management (VM). The PCI Merchant list can only be edited from VM or PCI Admin user applications.
  • Currently, the integration supports only IPv4 assets. IPv6 assets are not supported.
  • Only the latest vulnerability scans can be shared with PCI Compliance. Older scan data cannot be shared.
  • The vulnerabilities discovered by TAS and PCI scans are displayed separately in the PCI user interface. You may see duplicate records for the same assets with a distinct Qualys application tag.
  • If the same asset is scanned in both the PCI and TAS scans, the scan results are not merged; the PCI user interface and compliance report display the result from the latest scan only.