Security Basics mailing list archives
RE: PCI DSS Scanners
From: Bill Montgomery <Bill.Montgomery () cadre net>
Date: Tue, 3 Apr 2012 20:43:04 +0000
I agree with Chelsea Budzko and would like to expand on that sentiment. For more info on PCI-DSS, just go to the website of the PCI Security Standards Council at https://www.pcisecuritystandards.org/index.php. PCI-DSS is a rather large segment of the security market. The website will have documentation, templates, and anything else you could ever want to know about "doing a PCI DSS scan". There are legal responsibilities, certifications, and fines associated with incorrectly navigating these waters. Make sure you know what you're doing and how well it matches up with what your client needs, or what they've been told by their bank that they need.

There are a variety of tools that can be used for assessing PCI-DSS compliance - it depends on what part of the PCI-DSS you're evaluating. Secure use of payment card data encompasses everything from rogue wireless detection to firewall configs; from physical security to encryption keys. There is no "suite" type tool that does everything.

Usually when the moniker "PCI-DSS scan" is heard, it is in reference to the quarterly external vulnerability scan. These are commonly known as ASV scans due to the requirement that they be performed by an Approved Scanning Vendor. There are a number of these listed on the PCI website and the scans are priced pretty reasonably. Some of them are on-line. Just buy one and tell it what to scan. Again, the PCI site will have all the legit info.
Bill Montgomery
PCI-DSS QSA
Cadre Information Security
Cincinnati, OH

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Chelsea Budzko
Sent: Tuesday, April 03, 2012 12:22 PM
To: security-basics () securityfocus com
Subject: Re: PCI DSS Scanners

PCI DSS is much more than a scan, which to my understanding is based on the presence, or lack, of encryption levels sufficient to meet that PCI DSS piece of the entire requirement, which to seriously test would include an in-depth, person-to-person AND device config review, as well as the general topology of the said network. I have always found the advertisements for scanners and 'pci compliant' email clients to be hype only. They might provide the needed encryption, but they cannot in and of themselves make an organization PCI DSS compliant.

hope this helps

On 4/3/12 2:31 AM, skiera99 wrote:
Hi all,

I need to perform a PCI DSS scan for one client. I am looking for the frameworks to do that. So far I tried:
- Nessus
- Rapid7 NeXpose

Do you know anything else?

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------
--
Chelsea Budzko
Information Services
University of Oregon
541-346-1651
Current thread:
- PCI DSS Scanners skiera99 (Apr 03)
- Re: PCI DSS Scanners TAS (Apr 03)
- Re: PCI DSS Scanners haZard0us (Apr 03)
- RE: PCI DSS Scanners Phillip Fernandes (Apr 03)
- Re: PCI DSS Scanners Chelsea Budzko (Apr 03)
- RE: PCI DSS Scanners Bill Montgomery (Apr 03)
- Re: PCI DSS Scanners skiera99 (Apr 03)
- Re: PCI DSS Scanners pentester (Apr 11)
- RE: PCI DSS Scanners Mike Vella (Apr 11)
- Re: PCI DSS Scanners Livio Gario (Apr 12)
- Re: RE: PCI DSS Scanners Adam Pal (Apr 12)
- RE: PCI DSS Scanners Mike Vella (Apr 11)
- <Possible follow-ups>
- Re: RE: PCI DSS Scanners goswamituhin (Apr 04)