WebApp Sec mailing list archives
Re: PCI DSS Compliance
From: null0 () nepea com au
Date: Mon, 19 Dec 2005 09:53:38 +1100
The wording of the standard is in section 2-3. It basically states that an IPS/IDS is not to interfere with the scan. It does not NOT say that it "MUST be disabled at least for the IP address conducting the vulnerability scan". It lists a number of options, that can be used in order to prevent the IPS/IDS interfering with the scan. At the end of the day, is it such a bad thing for the CC companies to be laying down an industry benchmark for the safe use of Credit Card processing and storage? I understand that there may be issues with the state if security at companies, but since when has security through obscurity been the 'done thing'. Personally I would very much like to know about my network, and applications, especially if they had issues that could ultimately prevent my company doing business with Visa or Mastercard. null0
-----Original Message-----From: Lyal Collins [mailto:lyal.collins () key2it com au] Sent: Thursday, 15 December 2005 9:34 AMTo: 'Ademar Gonzalez'; webappsec () securityfocus comSubject: RE: PCI DSS ComplianceIf you read the PCI scanning requirements, any IPS/IDP solution MUST be disabled at least for the IP address conducting the vulnerability scan, for the duration of the test. See the documentation on scanning on sdp.mastercardintl.com, page 2-2 of "Security ScanningRequirements for Vendors."However, if it's a firewall that's actively blocking/locking out the port scanning IP, then maybe the port scan can be conducted slower to get under the threshold, or a firewall rule adjustment performed for the duration ofthe test period.PCI requires a accurate vulnerability scan. Any PCI accredited scanner provider would imho, be within their obligated rights to not issue a 'compliant' report in the event they can't perform a meaningfulvulnerability test.Ultimately, I think its up to your client, the scanning company and youur firm to negotiate a way for a meaningful vulnerability scan to beconducted.Of course, it may be that the message they provided is boilerplate, and notaccurately reporting the situation they see. My 2cents Lyal-----Original Message-----From: Ademar Gonzalez [mailto:ademar.gonzalez () gmail com] Sent: Wednesday, 14 December 2005 3:37 AMTo: webappsec () securityfocus comSubject: PCI DSS ComplianceA shared hosting client needs to get his site PCI DSS certified. He forwarded us the following request from the company doing theassessment."Your site could not be certified. Your site appears to be running scan detection software, that has prevented a reliable port scan. This test is inconclusive. Please add our scanner ip: ##.##.##.## to your scan detection software exclusion list to allow our scanner to make a complete assessmentof your system." Is this request plain stupid or what ? Comments ?I have deal with this kind of requests in the past and most of the time the people running this automated scans knows nothing at all about security nor anything else and it becomes a pain dealing with the client on one end that wants his website certified and the other guy on the security company that wants you to open your firewall so hi can run his nmap or whatever it is they run. It looks like the client runs the risk of not being certified 'cause his website is over-protected. How would you proceed in thissituation ?ciao ciaoademar_____________________________________________________________________ This e-mail has been scanned for viruses by MCI's Internet Managed Scanning Services - powered by MessageLabs. For further information visit http://www.mci.com********************************************************************** This e-mail message and any attachments are intended only for the use of the addressee(s) named above and may contain information that is privileged and confidential. If you are not the intended recipient, any display, dissemination, distribution, or copying is strictly prohibited. If you believe you have received this e-mail message in error, please immediately notify the sender by replying to this e-mail message or by telephone to (02) 9646 9222. Please delete the email and any attachments and do not retain the email or any attachments in any form. **********************************************************************
Current thread:
- RE: PCI DSS Compliance, (continued)
- RE: PCI DSS Compliance Syed Mohamed A (Dec 16)
- Re: PCI DSS Compliance Pete Herzog (Dec 18)
- RE: PCI DSS Compliance Syed Mohamed A (Dec 16)
- RE: PCI DSS Compliance Lyal Collins (Dec 16)
- Re: PCI DSS Compliance Peter Watkins (Dec 16)
- RE: PCI DSS Compliance Sebastien Deleersnyder (Dec 15)
- RE: PCI DSS Compliance Steve Kerns (Dec 15)
- Re: PCI DSS Compliance Ademar Gonzalez (Dec 15)
- RE: PCI DSS Compliance Lyal Collins (Dec 16)
- Re: PCI DSS Compliance Ademar Gonzalez (Dec 15)
- RE: PCI DSS Compliance Craig Wright (Dec 16)
- RE: PCI DSS Compliance Steven Jones (Dec 16)
- Re: PCI DSS Compliance null0 (Dec 18)
- RE: PCI DSS Compliance Craig Wright (Dec 18)
- Re: PCI DSS Compliance Pete Herzog (Dec 18)
- RE: PCI DSS Compliance Craig Wright (Dec 19)
- Re: PCI DSS Compliance Pete Herzog (Dec 20)
- RE: PCI DSS Compliance Lyal Collins (Dec 20)
- Re: PCI DSS Compliance Pete Herzog (Dec 29)
- RE: PCI DSS Compliance Lyal Collins (Dec 29)
- Re: PCI DSS Compliance Pete Herzog (Dec 20)
- Re: PCI DSS Compliance Roberto Tanara (Dec 21)
- RE: PCI DSS Compliance Lyal Collins (Dec 21)