Vulnerability Scan

PCIQSA
Conversationalist

Hello,

One of our customers uses Cisco Meraki for its network infrastructure, and as part of the PCI DSS requirements, we need to perform authenticated vulnerability scans. We have tested several approaches to initiate authenticated scans through Qualys, but unfortunately, none of them have been successful so far.

Do you have any recommendations or guidance on how this could be achieved, or alternative approaches that would be acceptable in this context?

Thank you in advance.

Kind regards,

RWelch
Kind of a big deal

A close alternative:

Meraki is certified as a PCI DSS Level 1 Service Provider (the most rigorous audit level). You can learn more about Meraki's own PCI DSS compliance at https://meraki.cisco.com/trust#pci (PCI Compliance with Meraki).

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
PCIQSA
Conversationalist

Hello,

Thank you for the information. We understand that Meraki is a PCI DSS L1 SP and that Cisco performs authenticated vulnerability scans on the infrastructure it manages as part of its own compliance.

However, this requirement remains a shared responsibility. Cisco's authenticated scans cover only Meraki's internal infrastructure, whereas our customer is required to perform authenticated vulnerability scans on their own PCI-in-scope network components, including the Meraki appliances deployed in their environment.

In other words, Cisco's scans do not replace the customer's obligation to perform authenticated scans on devices within their PCI scope. This is why we are looking to confirm how authenticated scanning can be achieved on the customer's side for their Meraki-deployed network components.

Kind regards,

RWelch
Kind of a big deal

I'll be sure to check back on this post to see if you are able to find a solution outside of the PCI compliance, if one exists.

Best of luck and cheers!

Mloraditch
Kind of a big deal

My understanding is authenticated scans use valid credentials to scan, so the only way that would work is if your scanner supports it. The scanner developer would have to build something that either scrapes the dashboard or uses the API. It could have secondary functions that check local status pages via those creds.

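To make the API route Mloraditch describes concrete, here is an added example of what an API-based "authenticated" check looks like: the credential is a Dashboard API key rather than an SSH or SNMP login, the evidence is the device inventory the API returns, and the check compares each appliance's reported firmware against a minimum accepted version per product family. This is not code from the thread, from Cisco, or from any scanner vendor. The endpoint path and Bearer header follow Cisco's public Dashboard API v1 documentation and should be verified against the current docs; the firmware baseline and the sample inventory are constructed for illustration.

```python
"""Authenticated inventory check through the Meraki Dashboard API.

Added example for this thread; not code from the thread, from Cisco,
or from any scanner vendor.  The endpoint path and the Bearer header
follow Cisco's public Dashboard API v1 documentation (verify against
the current docs before relying on them); the firmware baseline and
the sample inventory below are constructed for illustration.
"""
import json
import re
import urllib.request

API_BASE = "https://api.meraki.com/api/v1"


def fetch_org_devices(org_id: str, api_key: str) -> list:
    """Pull the organization's device list using the API key, which plays
    the role of the scan credential in an API-based authenticated check."""
    req = urllib.request.Request(
        f"{API_BASE}/organizations/{org_id}/devices",
        headers={"Authorization": f"Bearer {api_key}",
                 "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def parse_firmware(firmware: str):
    """'MX 18.107.2' -> ('MX', (18, 107, 2)); None when the string is not
    in the family-plus-dotted-version form."""
    m = re.fullmatch(r"\s*([A-Za-z]+)\s+(\d+(?:\.\d+)*)\s*", firmware or "")
    if not m:
        return None
    return m.group(1).upper(), tuple(int(p) for p in m.group(2).split("."))


def check_firmware_baseline(devices: list, baseline: dict) -> list:
    """Compare each device's reported firmware with the minimum accepted
    version for its product family.  Every device gets a finding with
    status 'ok', 'below-baseline', 'no-baseline' or 'unparsed', so nothing
    silently drops out of the evidence."""
    findings = []
    for dev in devices:
        parsed = parse_firmware(dev.get("firmware", ""))
        if parsed is None:
            status = "unparsed"
        else:
            family, version = parsed
            minimum = baseline.get(family)
            if minimum is None:
                status = "no-baseline"
            elif version < minimum:
                status = "below-baseline"
            else:
                status = "ok"
        findings.append({
            "serial": dev.get("serial"),
            "model": dev.get("model"),
            "firmware": dev.get("firmware"),
            "status": status,
        })
    return findings


def summarize(findings: list) -> dict:
    """Count findings per status for the compliance evidence summary."""
    counts = {}
    for f in findings:
        counts[f["status"]] = counts.get(f["status"], 0) + 1
    return counts


# Constructed baseline: minimum accepted firmware per product family as
# version tuples.  Values are illustrative, not Cisco guidance.
BASELINE = {
    "MX": (18, 107, 2),
    "MS": (15, 21, 1),
    "MR": (29, 5, 1),
}

# Constructed sample in the shape of the organization devices response.
SAMPLE_DEVICES = [
    {"serial": "Q2XX-AAAA-0001", "model": "MX68", "firmware": "MX 18.107.2"},
    {"serial": "Q2XX-AAAA-0002", "model": "MX68", "firmware": "MX 18.106.5"},
    {"serial": "Q2XX-AAAA-0003", "model": "MS120-8", "firmware": "MS 15.21.1"},
    {"serial": "Q2XX-AAAA-0004", "model": "MR36", "firmware": ""},
    {"serial": "Q2XX-AAAA-0005", "model": "MV12", "firmware": "MV 4.18"},
]


if __name__ == "__main__":
    # For a live run, replace SAMPLE_DEVICES with fetch_org_devices(ORG_ID, API_KEY).
    report = check_firmware_baseline(SAMPLE_DEVICES, BASELINE)
    for row in report:
        print(f"{row['serial']}  {row['model']:<9} {row['firmware']!s:<14} {row['status']}")
    print(summarize(report))
```

The point of the 'unparsed' and 'no-baseline' statuses is that an assessor can see every in-scope appliance accounted for, rather than only the ones that happened to match a pattern; that is the property a QSA expects from authenticated scan evidence.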
PhilipDAth
Kind of a big deal

Can't you give the scanner the credentials for the local status page?
