PCI Compliance Release 1.6.5 API
November 14, 2025
Before reading the API release highlights, refer to the Know Your Qualys API Server URL section to identify the API server URL to use in your API requests. In these API Release Notes, <qualys_base_url> is used in the sample API requests.
Enhancements for PCI Compliance — TAS Integration
With this release of PCI Merchant APIs, we have added support for PCI Compliance — TAS integration. The integration provides support to generate a PCI compliance report with attestation for TAS scans.
The integration has enhanced web application compliance coverage by providing support for scanning large web applications requiring authentication and generating a compliance report for them.
Refer to PCI Compliance Release 6.1 to learn more about this new feature.
Scan List API: Fetch the List of Compliance Scans
| New or Updated API | Updated |
| API Endpoint | /pci/scan/list |
| API Version | LATEST - V1 |
| Method | GET |
| DTD or XSD changes | No |
We have updated the Scan List API to display the details about the scan module for each scan. The Scan List API now shows the source of a scan in the API response with the scanModule parameter.
This enhancement is in line with the PCI Compliance — TAS Integration to display the TAS/WAS as the scanning application for the scan in consideration.
Sample: Fetch the List of Scans
The following sample illustrates using the Scan List API to fetch the list of compliance scans.
API Request
curl -H "X-Requested-With: test" -u "USERNAME:PASSWD" \
-X GET -H "content-type: application/json" \
-H "apiVersion: V1" \
"https://pci-api.qualys.com/pci/scan/list?sortBy=title&offset=1&limit=10"
API Response
{
"responseApiVersion": "V1",
"data": {
"totalCount": 180,
"fetchRange": "1-5",
"scanInfoList": [
{
"scanId": 14186,
"title": "to removal of ip test",
"status": "Launch Requested",
"date": "September 12, 2025 at 09:30 AM GMT",
"scanType": "IP",
"compliance": "Fail",
"scanModule": "WAS"
},
{
"scanId": 13994,
"title": "WAS Scan 6",
"status": "Finished",
"date": "September 02, 2025 at 11:14 AM GMT",
"scanType": "IP",
"compliance": "Fail",
"scanModule": "WAS"
},
{
"scanId": 13993,
"title": "WAS Scan 5",
"status": "Finished",
"date": "September 02, 2025 at 09:52 AM GMT",
"scanType": "IP",
"compliance": "Fail",
"scanModule": "WAS"
},
{
"scanId": 11014,
"title": "Test CURRENT_IP_PTR 3",
"status": "Launch Requested",
"date": "August 25, 2025 at 07:19 AM GMT",
"scanType": "IP",
"compliance": "Fail",
"scanModule": "PCI"
},
{
"scanId": 11013,
"title": "Test CURRENT_IP_PTR 2",
"status": "Finished",
"date": "August 25, 2025 at 05:22 AM GMT",
"scanType": "IP",
"compliance": "Pass",
"scanModule": "PCI"
}
]
}
}
Get Scan Details API: Fetch the Details of a Scan with Scan ID
| New or Updated API | Updated |
| API Endpoint | /pci/scan/{scanId}/details |
| API Version | LATEST - V1 |
| Method | GET |
| DTD or XSD changes | No |
We have updated the Scan Details API to display the details about a specific scan. The Scan Details API now shows the source of a scan in the API response with the scanModule parameter.
This enhancement is in line with the PCI Compliance — TAS Integration to display the TAS/WAS as the scanning application for the scan in consideration.
Sample: Fetch the Details of a Scan Completed in TAS/WAS
The following sample illustrates using the Scan Details API to fetch the details of a scan using its scan ID.
API Request
curl -H "X-Requested-With: test" -u "USERNAME:PASSWD" \
-X GET -H "content-type: application/json" \
-H "apiVersion: V1" \
"https://pci-api.qualys.com/pci/scan/2185043/details"
API Response
{
"responseApiVersion": "V1",
"data": {
"title": "to removal of ip test",
"startedOn": "September 12, 2025 at 09:30 AM GMT",
"launchedBy": "UI Test Merchant",
"duration": "00:00:00",
"activeHosts": 0,
"launchType": "On Demand",
"bandwidth": "Medium",
"scanStatus": "Launch Requested",
"target": "5.36.2.56",
"scanType": "IP",
"compliance": "Fail",
"scanModule": "WAS",
"scanProgress": {
"totalIpsScanned": 0,
"totalHosts": 0,
"hostDiscoveryRunningOn": "-",
"scanRunningOn": "-",
"lastUpdated": "-"
}
}
}
Vulnerability List API: Fetch the Vulnerabilities Detected in TAS/WAS Scan
| New or Updated API | Updated |
| API Endpoint | /pci/vuln/list |
| API Version | LATEST - V1 |
| Method | GET |
| DTD or XSD changes | No |
We have updated the Vulnerability List API to display the list of vulnerabilities detected during a scan. The Vulnerability List API now shows the list of vulnerabilities detected in the TAS/WAS scan.
We have also added support to sort the vulnerabilities based on their scan module by adding a new sorting criterion, sortBy=scanModule.
This enhancement is in line with the PCI Compliance — TAS Integration to display the TAS/WAS as the scanning application for the scan in consideration.
This sample illustrates using the Vulnerabilities List API to fetch the vulnerabilities detected during the TAS/WAS Scan.
API Request
curl -H "X-Requested-With: test" \
-u "USERNAME:PASSWD" \
-X GET -H "content-type: application/json" \
-H "apiVersion: V1" \
"https://pci-api.qualys.com/pci/vuln/list?limit=10&sortOrder=desc&sortBy=severity&offset=1&severity=CONFIRMED_MED,POTENTIAL_MED,POTENTIAL_HIGH&pciFailVulns=true"
API Response
{
"responseApiVersion": "V1",
"data": {
"totalCount": 2863,
"fetchRange": "1-3",
"merchantVulnList": [
{
"id": 1361081,
"qid": 82003,
"title": "ICMP Timestamp Request",
"pciCompliant": "Pass",
"severity": "Confirmed Low",
"ip": "11.11.11.11",
"dns": null,
"dateLastScanned": "08/21/2025",
"fpStatus": "NA",
"scanModule": "WAS"
},
{
"id": 1361125,
"qid": 82003,
"title": "ICMP Timestamp Request",
"pciCompliant": "Pass",
"severity": "Confirmed Low",
"ip": "87.87.1.6",
"dns": null,
"dateLastScanned": "09/02/2025",
"fpStatus": "NA",
"scanModule": "WAS"
},
{
"id": 1361121,
"qid": 82003,
"title": "ICMP Timestamp Request",
"pciCompliant": "Pass",
"severity": "Confirmed Low",
"ip": "87.87.1.1",
"dns": null,
"dateLastScanned": "09/02/2025",
"fpStatus": "NA",
"scanModule": "WAS"
}
]
}
}
Vulnerability Details API: Fetch the Details of Vulnerability using Vulnerability ID
| New or Updated API | Updated |
| API Endpoint | /pci/vuln/{id}/details |
| API Version | LATEST - V1 |
| Method | GET |
| DTD or XSD changes | No |
We have updated the Vulnerability Details API to show the details of vulnerabilities detected during the TAS/WAS scan. In the API response, we have added a response parameter, scanModule, to show the source of vulnerability detection.
This enhancement is in line with the PCI Compliance — TAS Integration to display the TAS/WAS as the scanning application for the scan in consideration.
Sample: Fetch the details of a vulnerability using the Vulnerability ID
The following sample illustrates fetching vulnerability details using the vulnerability ID.
API Request
curl -H "X-Requested-With: test" -u "USERNAME:PASSWD" \
-X GET -H "content-type: application/json" \
-H "apiVersion: V1" \
"https://pci-api.qualys.com/pci/vuln/636136/details"
API Response
{
"responseApiVersion": "LATEST - V1",
"data": {
"title": "jQuery Cross-Site Scripting Vulnerability",
"ip": "11.11.11.11",
"dns": null,
"qid": 13772,
"severity": "Potential Low",
"cvssBase": "null",
"cvssTemporal": "null",
"pciCompliant": "Fail",
"category": "CGI",
"port": "8000",
"service": "CGI",
"protocol": "tcp",
"fpStatus": "Rejected",
"bugTraqList": [],
"cveList": [
{
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11023",
"urlText": "CVE-2020-11023"
},
{
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11023",
"urlText": "CVE-2020-11023"
}
],
"vendorReferenceList": [
{
"url": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/",
"urlText": "Jquery"
},
{
"url": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/",
"urlText": "Jquery"
}
],
"dateLastUpdate": "May 31, 2023 at 12:00 AM GMT",
"threat": "JQuery is prone to a cross-site-scripting vulnerability because it fails to sufficiently sanitize user-supplied input.<P>
\n\nAffected Versions: <BR>
\njQuery versions greater than or equal to 1.0.3 and before 3.5.0.\n\n<P>
QID Detection Logic(Unauthenticated): <BR>
\nIt checks for vulnerable versions of jQuery from default web page.<P>
",
"impact": "An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site.",
"solution": "Vendor has advised to Upgrade jquery to version 3.5.0",
"patch": "<P>
<A HREF=\"https://jquery.com/download/\"
TARGET=\"_blank\">jQuery</A>",
"result": "begin 0 uuencode.buf\r\nl:E%U97)Y(%9E<G-I;VX@4')I;W(@=&
\\@,RXU+C @1&5T96-T960N:G%U97)Y+S(N,\"XS+VIQ=65R\r\n/>
2YM:6XN:G,B/CP \r\n\nend",
"scanModule": "WAS"
}
}
False Positive List API: Fetch the List of False Positives
| New or Updated API | Updated |
| API Endpoint | /pci/falsePositive/list |
| API Version | LATEST - V1 |
| Method | GET |
| DTD or XSD changes | No |
We have updated the False Positive List API to display the application name for the detected false positives. Now, you can see the scanModule parameter in the API response indicating the source of false positive.
This enhancement is in line with the PCI Compliance — TAS Integration to display the TAS/WAS as the scanning application for the scan in consideration.
Sample: Fetch the list of false positives for a merchant user
The following sample illustrates using the False Positive List API to fetch the list of false positives for a merchant user.
API Request
curl -H "X-Requested-With: test" \
-u "USERNAME:PASSWD" \
-X GET -H "content-type: application/json" \
-H "apiVersion: V1" \
"https://pci-api.qualys.com/pci/falsePositive/list?ip=10.10.25.71&dns=com-sol9-25-71.vuln.qa.qualys.com&title=Possible%20Scan&qid=42432&status=Approved&expireInDays=60&sortBy=ip&sortOrder=DESC&limit=100&offset=1"
API Response
{
"responseApiVersion": "LATEST - V1",
"data": {
"totalCount": 56,
"fetchRange": "1-2",
"fphistoryList": [
{
"id": 895,
"qid": 13772,
"title": "jQuery Cross-Site Scripting Vulnerability",
"ip": "87.87.1.1",
"dns": null,
"status": "Requested",
"requestedDate": "10/01/2025",
"reviewDate": "NA",
"expiryDate": "NA",
"scanModule": "WAS"
},
{
"id": 884,
"qid": 13772,
"title": "jQuery Cross-Site Scripting Vulnerability",
"ip": "87.87.1.6",
"dns": null,
"status": "Approved",
"requestedDate": "09/02/2025",
"reviewDate": "09/02/2025",
"expiryDate": "12/01/2025",
"scanModule": "PCI"
}
]
}
}
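The response above carries status, expiryDate and the new scanModule field for each false positive. The following added example (not Qualys code) groups false-positive IDs by scanModule and flags approved ones that have expired or fall within a review window. The function names, the warn_days threshold and the UNKNOWN fallback are assumptions; the sample data is trimmed from the response above.

```python
import json
from collections import defaultdict
from datetime import datetime

# Two entries copied (trimmed) from the sample False Positive List response above.
SAMPLE_RESPONSE = json.loads("""
{"responseApiVersion": "LATEST - V1",
 "data": {"totalCount": 56, "fetchRange": "1-2", "fphistoryList": [
   {"id": 895, "qid": 13772, "ip": "87.87.1.1", "status": "Requested",
    "requestedDate": "10/01/2025", "reviewDate": "NA", "expiryDate": "NA",
    "scanModule": "WAS"},
   {"id": 884, "qid": 13772, "ip": "87.87.1.6", "status": "Approved",
    "requestedDate": "09/02/2025", "reviewDate": "09/02/2025",
    "expiryDate": "12/01/2025", "scanModule": "PCI"}]}}
""")


def parse_api_date(value):
    """Parse the MM/DD/YYYY dates used in the response; "NA" or empty -> None."""
    if not value or value == "NA":
        return None
    return datetime.strptime(value, "%m/%d/%Y").date()


def triage_false_positives(response, today, warn_days=30):
    """Bucket false-positive ids per scanModule: pending, expiring, expired."""
    report = defaultdict(lambda: {"pending": [], "expiring": [], "expired": []})
    for fp in response["data"]["fphistoryList"]:
        # Assumption: a record without scanModule is kept visible, not dropped.
        bucket = report[fp.get("scanModule") or "UNKNOWN"]
        expiry = parse_api_date(fp.get("expiryDate"))
        if fp.get("status") == "Requested":
            bucket["pending"].append(fp["id"])
        elif fp.get("status") == "Approved" and expiry is not None:
            days_left = (expiry - today).days
            if days_left < 0:
                bucket["expired"].append(fp["id"])
            elif days_left <= warn_days:
                bucket["expiring"].append(fp["id"])
    return dict(report)


if __name__ == "__main__":
    from datetime import date
    for module, buckets in triage_false_positives(SAMPLE_RESPONSE, date.today()).items():
        print(module, buckets)
```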
False Positive Details API: Fetch the False Positive Details with False Positive ID
| New or Updated API | Updated |
| API Endpoint | /pci/falsePositive/{fpId}/details |
| API Version | LATEST - V1 |
| Method | GET |
| DTD or XSD changes | No |
We have updated the False Positives Details API to display the TAS/WAS as the scanning module for the detected false positive. The false positive scan module is displayed with a new response parameter, scanModule.
This enhancement is in line with the PCI Compliance — TAS Integration to display the TAS/WAS as the scanning application for the scan in consideration.
Sample: Fetch the details of False Positives using False Positive ID
This sample illustrates using the False Positive Details API to fetch the details of false positives using the false positive ID.
API Request
curl -H "X-Requested-With: test" \
-u "USERNAME:PASSWD" \
-X GET -H "content-type: application/json" \
-H "apiVersion: V1" \
"https://pci-api.qualys.com/pci/falsePositive/43854/details"
API Response
{
"responseApiVersion": "LATEST - V1",
"data": {
"qid": "13772",
"title": "jQuery Cross-Site Scripting Vulnerability",
"ip": "87.87.1.1",
"dns": null,
"status": "Requested",
"scanTitle": "Test CURRENT_IP_PTR 4",
"scanDate": "08/21/2025",
"scanModule": "WAS",
"port": "8000",
"service": "CGI",
"protocol": "tcp",
"severity": "Potential Low",
"fpCommentHistory": [
{
"author": "Manoj Jaisinghani",
"date": "10/01/2025",
"comment": "This is a false positive on WAS scan qid"
}
]
}
}