WebApp Sec mailing list archives
Re: PCI DSS Compliance
From: Peter Watkins <peterw () usa net>
Date: Wed, 14 Dec 2005 17:45:07 -0500
On Tue, Dec 13, 2005 at 11:36:43AM -0500, Ademar Gonzalez wrote:
A shared hosting client needs to get his site PCI DSS certified. He forwarded us the following request from the company doing the assessment. "Your site could not be certified. Your site appears to be running scan detection software, that has prevented a reliable port scan. This test is inconclusive. Please add our scanner ip: ##.##.##.## to your scan detection software exclusion list to allow our scanner to make a complete assessment of your system." Is this request plain stupid or what ? Comments ?
It looks like the client runs the risk of not being certified 'cause his website is over-protected. How would you proceed in this situation ?
For those unfamiliar with PCIDSS: http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp.html (I believe Visa/MC/etc. have simliar programs for other regions besides USA.)
From what I've seen, typically the companies who are certified by
Visa, Mastercard, etc. to perform Payment Card Industry Data Security Standard external network audits will announce a ~48 hour window in which they'll scan the network. So the merchant site needs only to disable any auto-response mechanisms for the auditer's IPs for that particular window of time. Remember that the auditers aren't asking for any special access or firewall holes. I think it's reasonable. PCIDSS scanners check a huge number of vulns & services. It'd be pretty awful if the merchant's attack detection and countermeasure system blocked the scan after it had probed missing or "strong" services or apps, but just before the scan found that unpatched server running an OS from three years ago -- a real attacker might be luckier or smarter and get that exploit launched to your client's soft underbelly on the first try. PCIDSS is certainly not perfect, but on balance it's a good thing. Your client should play along, in my opinion. Besides, merchants who take credit card payments are contractually obliged to play along in order to keep accepting credit card payments. Few of us can *afford* to put up principled nit-picking fights about this. On a side note, I've found the PCI DSS standards to be an excellent tool for convincing corporate management to take more aggressive stances on security issues, as the costs of failing to comply, especially if an attacker is every successful in compromising your security, are *huge*. -Peter
Current thread:
- PCI DSS Compliance Ademar Gonzalez (Dec 14)
- Re: PCI DSS Compliance Richard Moore (Dec 15)
- Re: PCI DSS Compliance Roy Britten (Dec 16)
- RE: PCI DSS Compliance Michael Johnson (Dec 16)
- RE: PCI DSS Compliance Syed Mohamed A (Dec 16)
- Re: PCI DSS Compliance Pete Herzog (Dec 18)
- RE: PCI DSS Compliance Syed Mohamed A (Dec 16)
- RE: PCI DSS Compliance Lyal Collins (Dec 16)
- Re: PCI DSS Compliance Peter Watkins (Dec 16)
- <Possible follow-ups>
- RE: PCI DSS Compliance Sebastien Deleersnyder (Dec 15)
- RE: PCI DSS Compliance Steve Kerns (Dec 15)
- Re: PCI DSS Compliance Ademar Gonzalez (Dec 15)
- RE: PCI DSS Compliance Lyal Collins (Dec 16)
- Re: PCI DSS Compliance Ademar Gonzalez (Dec 15)
- RE: PCI DSS Compliance Craig Wright (Dec 16)
- RE: PCI DSS Compliance Steven Jones (Dec 16)
- Re: PCI DSS Compliance null0 (Dec 18)
- RE: PCI DSS Compliance Craig Wright (Dec 18)
- Re: PCI DSS Compliance Pete Herzog (Dec 18)
- RE: PCI DSS Compliance Craig Wright (Dec 19)
(Thread continues...)