WebApp Sec mailing list archives
RE: PCI DSS Compliance
From: "Lyal Collins" <lyal.collins () key2it com au>
Date: Fri, 16 Dec 2005 19:23:37 +1100
The PCI-DSS vulnerability scanning process 'should' identify (if present) network and application issues if conducted in line with the scanning accreditation requirements. As rightly pointed out, the vulnerability scanning process is only a part of maintaining a secure environment - indeed it's only 1 or 2 questions of the 190+ mandatory questions/requirements in the 12 sections of PCI-DSS.

Consequently, PCI has created at least 3 niche industries, comprised of those who perform accredited scanning, those who conduct accredited audits, and those who provide and operate certifiable hosting and co-location services. All 3 depend upon the others for commercial success, thanks to strategic choices taken by the card schemes and banks.

Just my 2 cents
Lyal

-----Original Message-----
From: Ademar Gonzalez [mailto:ademar.gonzalez () gmail com]
Sent: Friday, 16 December 2005 5:41 AM
To: webappsec () securityfocus com
Subject: Re: PCI DSS Compliance

Thanks to everybody that answered, I appreciate it.

My comments: first, I do not appreciate people/companies gaining security intelligence on my network, less facilitating it for them. Whatever might be there for a hacker to find/exploit is also there for the company doing the scan.

Second, having your site certified adds nothing to the site security; in my experience 100% of compromised sites I have dealt with were due to application level exploits.

I'm aware most of you disagree with me, but then my business is not to sell these certifications :-)

Regards.
ademar