Re: PCI Compliance (Vulnerability Scans)

["Vivek Chudgar" <vchudgar () gmail com>]

Correction - Level 2 and 3 merchants are also required to have
external vuln scans by an ASV. Level 4 merchants are exempt but their
acquirer can still require them to be scanned by an ASV.

If a tool is just looking for ports 22,23,25,80 and 445 for service
discovery, I highly doubt if it can pass the certification
requirement.

You are also right about the level of automation possible. Manual
verification is necessary to eleminate false positives.

- Vivek

On 12/17/06, David M. Zendzian <dmz () dmzs com> wrote:
> First, why are you looking for a PCI compliant tool?
>
> Second there are only 2 reasons to do vulnerability scanning. If you are
> level 1 (merchant, service provider or hacked entity:) then you are
> required to have external vulnerability scans by one of the authorized
> scanning providers. There is no need here for software as the service
> provider does all the work and provides you results.
>
> If you are looking to do your scans internally, there is no specific
> needs outlined by PCI for internal vulnerability scans. PCI only says
> you need to perform vulnerability scans. With that in mind, Nessus scans
> work internally :)
>
> What are you trying to accomplish?
>
> David (Visa-QDSP)
>
> 09sparky () gmail com wrote:
> > Thanks for all the great information (all).  I am now wondering though, if you use an automated tool (VA Scanner that claims to be 
> PCI compliant), does that mean whatever it finds and whatever it rates it (i.e. HIGH), is the final word, and the company fails? I guess 
> what I am asking, I was under the impression that PCI scans could be much automated and very little to no user intervention was required 
> (unlike a Vulnerability Assessment/Penetration test).  However, many automated tools have false positives.  Doesn't a company fail 
> if they have any "HIGH" findings? With that said, are you required to go through each finding and validate?  If so, then you 
> have just turned it into a Vulnerability Assessment.
> >
> > Also, The Automated Tool I have been evaluating claims to be PCI compliant.  However, for its discovery phase, it 
> only uses ports 22,23,25,80 and 445.  Upon finding any Host with these ports open, it will then run a common port scan.  
> Is this way off?  What do most of you do for host discovery (i.e. nmap scans of what ports? or different tools?
> >
> > Any thoughts?
> > Thanks,
> > Sparky
> >
> > ------------------------------------------------------------------------
> > This List Sponsored by: Cenzic
> >
> > Need to secure your web apps?
> > Cenzic Hailstorm finds vulnerabilities fast.
> > Click the link to buy it, try it or download Hailstorm for FREE.
> > http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
> > ------------------------------------------------------------------------
> >
> >
>
> ------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Need to secure your web apps?
> Cenzic Hailstorm finds vulnerabilities fast.
> Click the link to buy it, try it or download Hailstorm for FREE.
> http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
> ------------------------------------------------------------------------