Review Your Out of Scope Assets

Go to Account > IP Assets and then click the Out of Scope Assets button.

The Out of Scope Assets page lists all IP addresses that are currently considered out of scope. Out of scope assets include IP addresses that were previously in-scope but removed from the subscription, and IP addresses that were discovered by the service as part of your in-scope infrastructure.

Please refer to the PCI Council's Program Guide section "ASV Scan Scope Definition" for clarification on the PCI DSS requirements for the merchant (scan customer) and the ASV (PCI service).

Summary

The Summary section shows the total number of out of scope IP addresses counted for your account. This number also appears in your PCI report in the section "Attestation of Scan Compliance" under "Number of components found by ASV but not scanned because scan customer confirmed components were out of scope".

Out of Scope Assets

Total Unique IPs - The total number of unique IPs counted as out of scope. Click the category names below to see the IPs identified as out of scope in that category. Note that a single IP may be identified in multiple categories.

Domains Resolved to IPs - When you add a domain to the subscription using the System Components Wizard, the service performs a DNS forward lookup of common hostnames - like www, ftp, imap, smtp, pop - and performs an MX record lookup of the domain to identify IPs that are not in your account. You're given the option to add the resolved IPs to your account. If you chose not to add the IPs to your account then they are counted as out of scope. If you added the IPs to your account but they have not been scanned in the last 30 days then they are also counted as out of scope.

External Links Resolved to IPs - If external links are discovered during the web crawling stage of a PCI network scan, then the QID 150010 "External Links Discovered" is returned in your scan results. The service performs a DNS lookup of the external links to resolve them to IP addresses. If the resolved IPs are not in your account then they are counted as out of scope. If the resolved IPs are in your account but have not been scanned in the last 30 days then they are also counted as out of scope.