RE: PCI DSS Compliance

["Lyal Collins" <lyal.collins () key2it com au>]

The PCI-DSS vulnerability scanning process 'should' identify (if present)
network and application issues if conducted in line with the scanning
accreditation requirements.  

As rightly pointed out, the vulnerability scanning process is only a part of
maintaining a secure environment - indeed its only 1 or 2 questions of the
190+ mandatory questions/requirements in the 12 sections of PCI-DSS.

Consequenctly, PCI has created at least 3 niche industries, compromised of
those perform accredited scanning, those the conduct accredited audits, and
those who provide and operate certify-able hosting and co-location services.
All 3 depend upon the others for commercial success, thanks to strategic
choices taken by the card schemes and banks.

Just my 2cents
Lyal




-----Original Message-----
From: Ademar Gonzalez [mailto:ademar.gonzalez () gmail com] 
Sent: Friday, 16 December 2005 5:41 AM
To: webappsec () securityfocus com
Subject: Re: PCI DSS Compliance


Thanks to everybody that answered, i appreciate it.

My comments, first I do not apreciate people/companies gaining security
intelligence on my network, less facilitating it for them. Whatever might
be there for a hacker to find/exploit is also there for the company doing
the scan.

Second, having your site certified adds nothing to the site security, in my
experience 100% of compromised sites i have deal with where due to
application level exploits.

I'm aware most of you disagree with me, but then my bussines is not to sell
this certifications :-)

Regards.

ademar