Penetration Testing mailing list archives

RE: VISA/Mastercard PCI Vendor Scanning requirements


From: "Craig Wright" <cwright () bdosyd com au>
Date: Sun, 5 Mar 2006 07:39:59 +1100


Hello
The resultant liability still vests with the merchant unless the merchant can demonstrate that the systems that they
run were secured to the standard. The burden of proof is on the merchant, not the card companies.
 
For this reason it is better to have a provider that does more rather than less. Any "plastic", as you put it, scan is thus
not going to be of use and leaves the merchant vulnerable. As such it is no more than burning your money.
 
Remember the thumbs up will not help you if your systems are demonstrated to not be compliant. Take CardSystems. They
tried to hide behind the scan - it did not avail them.
 
Regards
Craig

        -----Original Message-----
        From: John Kinsella [mailto:jlk () thrashyour com]
        Sent: Sat 4/03/2006 5:09 AM
        To: Derek Nash
        Cc: pen-test () securityfocus com
        Subject: Re: VISA/Mastercard PCI Vendor Scanning requirements

        I've only dealt with one PCI scanning company, supposedly they're one
        of the larger ones, but their scans are pathetic, to say the least.
        Basically you're paying them to scan what you say to scan, and then
        what to ignore from those results, then you get a thumbs up.

        John

