Security Basics mailing list archives

RE: PCI DSS Scanners


From: Bill Montgomery <Bill.Montgomery () cadre net>
Date: Tue, 3 Apr 2012 20:43:04 +0000

I agree with Chelsea Budkzo and would like to expand on that sentiment.

For more info on PCI-DSS, just go to the website of the PCI Security Standards Council at 
https://www.pcisecuritystandards.org/index.php.

PCI-DSS is a rather large segment of the security market. The website will have documentation, templates, and anything 
else you could ever want to know about "doing a PCI DSS scan".

There are legal responsibilities, certifications, and fines associated with incorrectly navigating these waters. Make 
sure you know what you're doing and how well it matches up with what your client needs, or what they've been told by 
their bank that they need. 

There are a variety of tools that can be used for assessing PCI-DSS compliance - it depends on what part of the PCI-DSS 
you're evaluating. Secure use of payment card data encompasses everything from rogue wireless detection to firewall 
configs; from physical security to encryption keys. There is no "suite" type tool that does everything.

Usually when the moniker "PCI-DSS scan" is heard, it is in reference to the quarterly external vulnerability scan. These 
are commonly known as ASV scans due to the requirement that they be performed by an Approved Scanning Vendor. There are 
a number of these listed on the PCI website and the scans are priced pretty reasonably. Some of them are on-line. Just 
buy one and tell it what to scan.

Again, the PCI site will have all the legit info.

Bill Montgomery
PCI-DSS QSA
Cadre Information Security
Cincinnati, OH

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Chelsea Budzko
Sent: Tuesday, April 03, 2012 12:22 PM
To: security-basics () securityfocus com
Subject: Re: PCI DSS Scanners

PCI DSS is much more than a scan, which to my understanding is based on the presence, or lack of encryption levels 
sufficient to meet that PCI DSS piece of the entire requirement, which to seriously test would include an in-depth, 
person-to-person AND device config review, as well as the general topology of the said network.  I have always found 
the advertisements for scanners and 'pci compliant' email clients to be hype only.  They might provide the needed 
encryption, but they cannot in and of themselves make an organization PCI DSS compliant.
Hope this helps.

On 4/3/12 2:31 AM, skiera99 wrote:
Hi all,

I need to perform a PCI DSS scan for one client. I am looking for the 
frameworks to do that. So far I tried:
- Nessus
- Rapid7 NeXpose

Do you know anything else?

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and 
who needs an SSL certificate.  We look at how SSL works, how it benefits your company and how your customers can tell 
if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your 
Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing 
management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------


--
Chelsea Budkzo
Information Services
University of Oregon
541-346-1651

