WebApp Sec mailing list archives

Re: PCI DSS Compliance

From: null0 () nepea com au
Date: Mon, 19 Dec 2005 09:53:38 +1100

The wording of the standard is in section 2-3. It basically states that anIPS/IDS is not to interfere with the scan. It does not NOT say that it "MUSTbe disabled at least for the IP address conducting the vulnerability scan".It lists a number of options, that can be used in order to prevent theIPS/IDS interfering with the scan.At the end of the day, is it such a bad thing for the CC companies to belaying down an industry benchmark for the safe use of Credit Card processingand storage?I understand that there may be issues with the state if security atcompanies, but since when has security through obscurity been the 'donething'.Personally I would very much like to know about my network, andapplications, especially if they had issues that could ultimately prevent mycompany doing business with Visa or Mastercard.null0

-----Original Message-----

From: Lyal Collins [mailto:lyal.collins () key2it com au]Sent: Thursday, 15 December 2005 9:34 AM

To: 'Ademar Gonzalez'; webappsec () securityfocus com

Subject: RE: PCI DSS Compliance

If you read the PCI scanning requirements, any IPS/IDP solution MUST be
disabled at least for the IP address conducting the vulnerability scan,
for
the duration of the test.
See the documentation on scanning on sdp.mastercardintl.com, page 2-2 of
"Security Scanning

Requirements for Vendors."

However, if it's a firewall that's actively blocking/locking out the
port
scanning IP, then maybe the port scan can be conducted slower to get
under
the threshold, or a firewall rule adjustment performed for the duration
of

the test period.

PCI requires a accurate vulnerability scan. Any PCI accredited scanner
provider would imho, be within their obligated rights to not issue a
'compliant' report in the event they can't perform a meaningful

vulnerability test.

Ultimately, I think its up to your client, the scanning company and
youur
firm to negotiate a way for a meaningful vulnerability scan to be

conducted.

Of course, it may be that the message they provided is boilerplate, and
not

accurately reporting the situation they see.My 2centsLyal

-----Original Message-----

From: Ademar Gonzalez [mailto:ademar.gonzalez () gmail com]Sent: Wednesday, 14 December 2005 3:37 AM

To: webappsec () securityfocus com

Subject: PCI DSS Compliance


A shared hosting client needs to get his site PCI DSS certified. He
forwarded us the following request from the company doing the

assessment.

"Your site could not be certified. Your site appears to be running scan
detection software, that has prevented a reliable port scan. This test
is
inconclusive. Please add our scanner ip: ##.##.##.## to your scan
detection
software exclusion list to allow our scanner to make a complete
assessment

of your system."Is this request plain stupid or what ? Comments ?

I have deal with this kind of requests in the past and most of the time
the
people running this automated scans knows nothing at all about security
nor
anything else and it becomes a pain dealing with the client on one end
that
wants his website certified and the other guy on the security company
that
wants you to open your firewall so hi can run his nmap or whatever it is
they run. It looks like the client runs the risk of not being certified
'cause his website is over-protected. How would you proceed in this

situation ?


ciao ciao

ademar

_____________________________________________________________________This e-mail has been scanned for viruses by MCI's Internet ManagedScanning Services - powered by MessageLabs. For further informationvisit http://www.mci.com

**********************************************************************
This e-mail message and any attachments are intended only for the use of the addressee(s) named above and may contain 
information that is privileged and confidential. If you are not the intended recipient, any display, dissemination, 
distribution, or copying is strictly prohibited.   If you believe you have received this e-mail message in error, 
please immediately notify the sender by replying to this e-mail message or by telephone to (02) 9646 9222. Please 
delete the email and any attachments and do not retain the email or any attachments in any form.
**********************************************************************

Current thread:

RE: PCI DSS Compliance, (continued)
- - RE: PCI DSS Compliance Syed Mohamed A (Dec 16)
    - Re: PCI DSS Compliance Pete Herzog (Dec 18)
- RE: PCI DSS Compliance Lyal Collins (Dec 16)
- Re: PCI DSS Compliance Peter Watkins (Dec 16)
- RE: PCI DSS Compliance Sebastien Deleersnyder (Dec 15)
- RE: PCI DSS Compliance Steve Kerns (Dec 15)
  - Re: PCI DSS Compliance Ademar Gonzalez (Dec 15)
    - RE: PCI DSS Compliance Lyal Collins (Dec 16)
- RE: PCI DSS Compliance Craig Wright (Dec 16)
- RE: PCI DSS Compliance Steven Jones (Dec 16)
- Re: PCI DSS Compliance null0 (Dec 18)
- RE: PCI DSS Compliance Craig Wright (Dec 18)
  - Re: PCI DSS Compliance Pete Herzog (Dec 18)
- RE: PCI DSS Compliance Craig Wright (Dec 19)
  - Re: PCI DSS Compliance Pete Herzog (Dec 20)
    - RE: PCI DSS Compliance Lyal Collins (Dec 20)
    - Re: PCI DSS Compliance Pete Herzog (Dec 29)
    - RE: PCI DSS Compliance Lyal Collins (Dec 29)
- RE: PCI DSS Compliance Craig Wright (Dec 20)
  - Re: PCI DSS Compliance Roberto Tanara (Dec 21)
    - RE: PCI DSS Compliance Lyal Collins (Dec 21)

(Thread continues...)