WebApp Sec mailing list archives

Re: PCI DSS Compliance

From: Roy Britten <r.britten () niwa co nz>
Date: Thu, 15 Dec 2005 11:28:38 +1300

On Tue, 2005-12-13 at 11:36 -0500, Ademar Gonzalez wrote:

A shared hosting client needs to get his site PCI DSS certified.
He forwarded us the following request from the company doing the assessment.

"Your site could not be certified. Your site appears to be running
scan detection software, that has prevented a reliable port scan. This
test is inconclusive. Please add our scanner ip: ##.##.##.## to your
scan detection software exclusion list to allow our scanner to make a
complete assessment of your system."


From
http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Security_Scanning_Procedures.pdf (or 
http://tinyurl.com/bm7v6):

All compliant scanning vendors are required to conduct scans in
accordance with a defined set of procedures. These procedures dictate
that the normal operation of the customer environment is not to be
impacted and that the vendor should never penetrate or alter the
customer environment

The company performing the assessment is clearly in breach of the
requirements (requiring that the customer environment be altered) -- can
your client choose another scanning vendor?

Roy.

Current thread:

PCI DSS Compliance Ademar Gonzalez (Dec 14)
- Re: PCI DSS Compliance Richard Moore (Dec 15)
- Re: PCI DSS Compliance Roy Britten (Dec 16)
- RE: PCI DSS Compliance Michael Johnson (Dec 16)
  - RE: PCI DSS Compliance Syed Mohamed A (Dec 16)
    - Re: PCI DSS Compliance Pete Herzog (Dec 18)
- RE: PCI DSS Compliance Lyal Collins (Dec 16)
- Re: PCI DSS Compliance Peter Watkins (Dec 16)
- <Possible follow-ups>
- RE: PCI DSS Compliance Sebastien Deleersnyder (Dec 15)
- RE: PCI DSS Compliance Steve Kerns (Dec 15)
  - Re: PCI DSS Compliance Ademar Gonzalez (Dec 15)
    - RE: PCI DSS Compliance Lyal Collins (Dec 16)
- RE: PCI DSS Compliance Craig Wright (Dec 16)

(Thread continues...)