WebApp Sec mailing list archives

RE: PCI DSS Compliance


From: "Craig Wright" <cwright () bdosyd com au>
Date: Thu, 15 Dec 2005 09:15:06 +1100


No, it is not stupid, it is part of the requirement and there are very
valid reasons for it.

A test needs to find all open ports - it is possible to access open
ports without scanning and as such the test needs to be as inclusive as
possible. Scan detection is NOT over-protection.

Please read the comments and requirements of the PCI DSS. Next, is your
company actually on the approved list? If not, then there is nothing you
can do - no way for you to fulfil your client's requirements.

If the testing company is on the list, please read the documents and
processes for the test - they explain all this (have them forward you
the documents).

Finally, you seem to be talking about a hosting site - if so you cannot
be certified for all clients. PCI DSS requires single use servers,
firewalls from all segments, etc etc etc.

As a hosting site, a SAS 70 certificate is possible - but not PCI DSS -
they are different.

Scan detection is NOT going to add a lot to security. A scan done over a
month from 256 IP addresses will not be detected - and I have done scans
in this manner. Do not fool yourself, close the open ports or block
them.

Craig

-----Original Message-----
From: Ademar Gonzalez [mailto:ademar.gonzalez () gmail com]
Sent: 14 December 2005 3:37
To: webappsec () securityfocus com
Subject: PCI DSS Compliance

A shared hosting client needs to get his site PCI DSS certified.
He forwarded us the following request from the company doing the
assessment.

"Your site could not be certified. Your site appears to be running scan
detection software, that has prevented a reliable port scan. This test
is inconclusive. Please add our scanner ip: ##.##.##.## to your scan
detection software exclusion list to allow our scanner to make a
complete assessment of your system."

Is this request plain stupid or what? Comments?

I have dealt with this kind of request in the past and most of the time
the people running these automated scans know nothing at all about
security or anything else, and it becomes a pain dealing with the client
on one end that wants his website certified and the other guy at the
security company that wants you to open your firewall so he can run his
nmap or whatever it is they run. It looks like the client runs the risk
of not being certified 'cause his website is over-protected. How would
you proceed in this situation?


ciao ciao
ademar
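The two points in this thread (the assessor asking for its scanner address to be put on the scan-detection exclusion list, and Craig's remark that a scan spread over a month from many addresses will not be detected at all) can be shown with a small detector run over constructed log lines. The example below is added here and is not code from either poster; it assumes a hypothetical firewall log format of "timestamp source-ip destination-port", uses documentation address ranges (203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24) as stand-ins, and picks a 5-minute window and a 10-distinct-port threshold purely for illustration. It flags a noisy single-source scan, flags the assessor's scanner unless that address is excluded, and misses the slow distributed probe even though that probe touches more ports in total.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Detector tuning: assumed values for illustration, not taken from the thread.
WINDOW = timedelta(minutes=5)   # look-back window per source address
THRESHOLD = 10                  # distinct destination ports inside WINDOW that count as a scan

# Hypothetical log format: "<ISO timestamp> <source ip> <destination port>"
LOG_FORMAT = "%Y-%m-%dT%H:%M:%S"


def parse_line(line):
    """Split one log line into (timestamp, source address, destination port)."""
    ts, src, port = line.split()
    return datetime.strptime(ts, LOG_FORMAT), src, int(port)


def detect_scans(lines, exclusions=frozenset()):
    """Return the set of source addresses that hit THRESHOLD distinct ports
    inside any WINDOW. Addresses in `exclusions` are never flagged; this is
    the 'scan detection exclusion list' the assessor asked for."""
    events = sorted(parse_line(line) for line in lines)
    recent = defaultdict(deque)  # src -> deque of (ts, port) still inside WINDOW
    flagged = set()
    for ts, src, port in events:
        if src in exclusions:
            continue
        window = recent[src]
        window.append((ts, port))
        # Drop events older than WINDOW relative to the newest one.
        while ts - window[0][0] > WINDOW:
            window.popleft()
        if len({p for _, p in window}) >= THRESHOLD:
            flagged.add(src)
    return flagged


def build_sample_log():
    """Constructed sample traffic (not real logs) from three kinds of source."""
    base = datetime(2005, 12, 1, 0, 0, 0)
    lines = []

    def fmt(ts, src, port):
        return f"{ts.strftime(LOG_FORMAT)} {src} {port}"

    # 1. A noisy scan from one address: 20 ports in 20 seconds.
    for i in range(20):
        lines.append(fmt(base + timedelta(seconds=i), "203.0.113.10", 1 + i))
    # 2. The assessor's scanner (hypothetical address) probing 25 ports in half a minute.
    for i in range(25):
        lines.append(fmt(base + timedelta(hours=1, seconds=i), "198.51.100.5", 20 + i))
    # 3. A slow, distributed probe: 16 addresses, 2 ports each, spread over 30 days.
    #    Each address stays far below THRESHOLD, so the per-source detector never fires.
    for i in range(16):
        src = f"192.0.2.{i}"
        for j in range(2):
            ts = base + timedelta(days=(i * 2 + j) * 30 / 32)
            lines.append(fmt(ts, src, 100 + i * 2 + j))
    return lines


def ports_probed_by(lines, prefix):
    """Distinct destination ports touched by sources whose address starts with `prefix`."""
    return {port for _, src, port in map(parse_line, lines) if src.startswith(prefix)}


if __name__ == "__main__":
    log = build_sample_log()
    print("flagged:", sorted(detect_scans(log)))
    print("flagged with assessor excluded:", sorted(detect_scans(log, exclusions={"198.51.100.5"})))
    print("ports covered by the slow probe:", len(ports_probed_by(log, "192.0.2.")))
```

The slow probe covers 32 ports, more than either flagged source manages inside its window, yet no single address ever reaches the threshold. That is the gap Craig describes: per-source rate thresholds only catch the noisy case, so the services behind the ports should be closed or firewalled rather than relied on to stay hidden, and the assessor's scanner needs an exclusion entry so that its own (deliberately noisy) scan is not cut short.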
