Re: PCI Question

[Jason Wood <tadaka () gmail com>]

I would imagine that those who already do vulnerability scans and
penetration tests get requests for PCI scans from their current customers.
 As long as you don't hate PCI and refuse to be a part of it, whether or not
to do it is probably straight forward.

Are you able to provide a quality service?  (A quick gut check for any
service)  Is not being an ASV interfering with your ability to provide for
your customer's needs?  Does the possible income from the scans make it
worth the hassle and cost of getting approved and maintaining qualification?

Pros
--------
 - You don't have to walk away from customer's who want to use your services
because you're not an ASV.
 - PCI requires quarterly scans, so vendors can have a steady revenue flow
as long as they do good work.
 - A visible third party has checked out your company and put their seal of
approval on you.  A little reputation boost that might help with work
unrelated to PCI.

Cons
---------
 - The hassle of getting approved by PCI Council, including any costs
associated with the process
 - Being subject to a third party telling you how to do a scan, whether you
agree with that or not.
 - Possible increase in insurance costs.



Jason


On Tue, Jan 11, 2011 at 11:43 AM, John Strand <strandjs () gmail com> wrote:

> To be on the PCI Approved Scanning Vendors, or not....
>
>
> https://www.pcisecuritystandards.org/approved_companies_providers/approved_scanning_vendors.php
>
> Love to get all of your thoughts on this.
>
> John
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom () mail pauldotcom com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com



-- 

irc: Tadaka
Twitter:  Jason_Wood
jwnetworkconsulting.com

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com