Penetration Testing mailing list archives
RE: VISA/Mastercard PCI Vendor Scanning requirements
From: "Craig Wright" <cwright () bdosyd com au>
Date: Sun, 5 Mar 2006 07:39:59 +1100
Hello,

The resultant liability still vests with the merchant unless the merchant can demonstrate that the systems that they run were secured to the standard. The burden of proof is on the merchant, not the card companies.

For this reason it is better to have a provider that does more rather than less. Any plastic, as you put it, scan is thus not going to be of use and leaves the merchant vulnerable. As such it is no more than burning your money.

Remember the thumbs up will not help you if your systems are demonstrated to not be compliant. Take card systems. They tried to hide behind the scan - it did not avail them.

Regards
Craig

-----Original Message-----
From: John Kinsella [mailto:jlk () thrashyour com]
Sent: Sat 4/03/2006 5:09 AM
To: Derek Nash
Cc: pen-test () securityfocus com
Subject: Re: VISA/Mastercard PCI Vendor Scanning requirements

I've only dealt with one PCI scanning company, supposedly they're one of the larger ones, but their scans are pathetic, to say the least. Basically you're paying them to scan what you say to scan, and then what to ignore from those results, then you get a thumbs up.

John