Penetration Testing mailing list archives

RE: nessus to PCI


From: "Burnett, Robert" <burnettr () Fortrex com>
Date: Tue, 21 Jun 2005 14:24:13 -0400

Yes.  For the most part, it hasn't been too difficult.  Occasionally,
the PCI risk categories can be a little frustrating because there is
some room for interpretation, or there may be a vuln that doesn't seem
to fit exactly into one of the following categories:

Urgent - Trojan Horses, file read and writes exploit, remote command
execution 

Critical - Potential Trojan Horses, file read exploit 

High - Limited exploit of read, directory browsing and denial of service
(DoS)


The "Limited exploit of read" phrase is one that can sometimes make it
difficult for me to classify a vuln, but as I said before, it's only
occasionally that I have issues.

Is there a particular finding that you are having difficulty with, or
were you just posing a general question?


-Robert


-----Original Message-----
From: ctodude () yahoo com [mailto:ctodude () yahoo com] 
Sent: Tuesday, June 21, 2005 11:37 AM
To: pen-test () securityfocus com
Subject: nessus to PCI

Has anyone had any luck mapping nessus results to the Payment Card
Industry (PCI) Data Security standard?



