Educause Security Discussion mailing list archives

PCI Scanning Vendors WAS: RE: Payment Card Industry,(PCI) DSS Security Scan


From: "HALL, NATHANIEL D." <halln () OTC EDU>
Date: Thu, 17 Jul 2008 10:43:08 -0500

I have used Security Metrics also and I am not happy with them at all.
I have reviewed some of the logs that are created by their scans and
have figured out that they are using Nessus to do their scans.  Heck, I
can do that.  I have also had problems with false positives and a lack
of a useful description.  Simply saying "The system is running **INSERT
NEW SERVICE PACK VERSION**" is not enough to justify a Risk of 4.

That said, it is a good deal for the money.  It is fairly cheap for the
scanning and they take care of the reporting.  Fill out the
questionnaire and keep your scans up to date.  That is it.  I recommend,
however, that you use Security Metrics to supplement a more thorough
scanning service that does not do reporting and limits you to the number
of scans.

I personally recommend Fishnet Security.  They use the Qualys product to
do their scanning.  It isn't perfect either, but it has very good
reporting and gives good directions on how to fix the problem.

--
Nathaniel Hall, GSEC GCFW GCIA GCIH GCFA
Network Security System Administrator
OTC Computer Networking
(417) 447-7535

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of J. Fowler
Sent: Thursday, July 17, 2008 10:04 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Payment Card Industry,(PCI) DSS Security Scan

We have used http://www.securitymetrics.com/ and have been happy.

Jay

Ellen Smout wrote:
Hi All

We need to write an RFQ for a PCI Approved Scanning Vendor for
quarterly external scans for compliance.  If you have done this or are
in the process of doing this I wonder if you would be willing to share
this info with us?  Please let me know.

Thanks in advance,

Ellen Smout
