Penetration Testing mailing list archives

RE: VISA/Mastercard PCI Vendor Scanning requirements


From: "Craig Wright" <cwright () bdosyd com au>
Date: Sat, 4 Mar 2006 12:21:59 +1100


Hello,
Actually, there is no requirement that all scans be completed off-site. We do both audits and scanning, so I have no 
issues with the differentiation, and what I mentioned prior would not make even the planning phase of an audit.
 
First, the vendor needs to be on the list of approved parties for the level they are planning to do. The simplest 
requirement is to do simple scans. I will cover these requirements later in the message. The requirements are more 
complex for the onsite audit.
 
Next, for the scan. There is NO requirement to go onsite, but there is also nothing to stop the vendor doing so in order to 
achieve the level of confidence that is mandatory. The requirement is that all systems with an externally facing IP 
address are scanned. This is not that a scan be conducted solely from an external location.
 
Next, the standard Pen Test "let's see what we can break" mentality does not work. Visa states "the vendor should never 
penetrate or alter the customer environment". The vendor has a right to ask for information under the standard. To take 
a section that needs to be checked off - not from the audit, but for ALL merchants, including those with only "scan 
requirements":
 
"Are all routers, switches, wireless access points and firewall configurations secured, and do they conform to documented 
security standards?"
 
I have asked this of the list before and never obtained an answer, so I will ask again. How can an external Pen Test 
alone not only check all vulnerabilities, including switches, and ALSO check that a system conforms to documented 
standards? How, for that matter, can a pen test check that the client has actually documented their systems?
 
Without penetrating the system or causing damage (see the Visa PCI requirements), how do you propose to ensure that "there 
is a virus scanner installed on all servers and on all workstations, and the virus scanner is regularly updated"?
 
You cannot send a virus, and this would not check updating anyway. These issues are in the list of vulnerabilities that 
must be checked.
 
Just the internal self-assurance checklist is far more onerous than what is completed in most pen tests. I again 
reiterate: "external scanning" is but a small part of the whole test. That most of the issuing authorities (i.e. 
banks) are not checking compliance to the required level at the moment does nothing to remove the end party's risk. The 
contract is between the card issuer and the end party as well. The bank may not care, but they are not the one who 
will be sued for breach.
 
Regards
Craig

        -----Original Message----- 
        From: Derek Nash [mailto:ddnash () gmail com] 
        Sent: Sat 4/03/2006 9:51 AM 
        To: Craig Wright 
        Cc: pen-test () securityfocus com 
        Subject: Re: VISA/Mastercard PCI Vendor Scanning requirements
        
        

        Although you are correct in that it doesn't state a blind test, the
        sample environment you are required to scan for certification is a
        remote environment, which precludes an onsite visit and the normal
        information gathering phases that would be performed during a full
        security assessment.
        
        PCI testing is narrow in scope and specific in its requirements. I am
        simply trying to determine what others are doing to meet the minimum
        requirements for performing a PCI scan under the industry requirements.
        
        Please do not confuse this with a PCI audit which is a much larger
        undertaking and more closely matches a "full on" security assessment.
        
        
        On 3/3/06, Craig Wright <cwright () bdosyd com au> wrote:
        >
        > Hello,
        > Real testing. Nothing in the VISA statement of terms includes BLIND. Never is the word mentioned. It is 
        > ONLY mentioned when vendors seek an excuse (i.e. Cable and Wireless and last year's little incident).
        >
        > 

