On Fri, Feb 18, 2011 at 2:36 PM, m.roth@5-cent.us wrote:
> Hi, there,
>
> Michael B Allen wrote:
>> Can someone recommend a good vulnerability scanning service? I just need the minimum for PCI compliance (it's a sort of credit card processing certification).
>
> "Sort of"? ROTFL. You need a *serious* scan, commercially done AFAIK.

Hi Mark,

HackerGuardian is a commercial service (it's actually "COMODO CA Limited"). Their scan looks thorough. Obviously they're just matching up version numbers with CVE notices, but I have a feeling most of these guys are going to be doing the same thing. I was just hoping one would be more sophisticated about the fact that ALL of their "Fail" items I've checked so far are things that were backported or fixed by Red Hat.

> The *minimum* qualifications, I believe, are a 60 or 63 item questionnaire; for full PCI-DSS, it's something like 243 questions, and you need a full IT dept.

Are you talking about the SAQ C? I run all CC transactions through one CentOS VPS webserver (actually I have two servers that I periodically wipe out and alternate between every year or two). So I don't have POS terminals or any Windows PCs in the mix. We don't save any card holder data at all. So my SAQ C was a breeze. I just had to add N/A for questions like "do you run anti-virus software" and explain that everything goes through the one Linux machine, for which no anti-virus software exists or is necessary.

> I would *very* strongly recommend that you talk to the bank or agency that's asking you for this, and ask them for recommendations.

If you mean my merchant account service, they claim to be the largest Authorize.Net reseller. They sanity checked my SAQ C and thought I would be ready for approval as soon as I get a good scan.

So Trustwave and Qualys ... I'll check them out.

Thanks,
Mike
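The false positives Mike describes (a scanner matching banner version strings while Red Hat backports the fix into the old version) are normally settled by checking the installed package's changelog, i.e. the output of `rpm -q --changelog <package>`. As an added example that is not part of this thread, here is a small Python triage helper that sorts scanner findings into "fix is in the changelog" and "still open"; the package names, CVE ids and changelog text are all constructed, not real advisories.

```python
"""Triage ASV scanner findings against RPM changelogs (constructed example)."""
import re
from typing import Dict, List, Set

# CVE identifiers as they appear in Red Hat / CentOS changelog entries.
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def cves_in_changelog(changelog: str) -> Set[str]:
    """Return every CVE id mentioned in the text of `rpm -q --changelog <pkg>`."""
    return set(CVE_RE.findall(changelog))


def triage(findings: List[Dict[str, str]],
           changelogs: Dict[str, str]) -> Dict[str, List[str]]:
    """Split findings into 'backported' (CVE named in the installed package's
    changelog, so the version-string match is a false positive to dispute) and
    'open' (no evidence of a fix; must be patched or explained to the ASV).
    Absence from the changelog is not proof of vulnerability, only of no
    documented backport, so 'open' items still need a human look."""
    result: Dict[str, List[str]] = {"backported": [], "open": []}
    for finding in findings:
        known = cves_in_changelog(changelogs.get(finding["package"], ""))
        bucket = "backported" if finding["cve"] in known else "open"
        result[bucket].append(f"{finding['package']}: {finding['cve']}")
    return result


# Constructed stand-ins for `rpm -q --changelog` output; not real packages.
SAMPLE_CHANGELOGS = {
    "openssh": (
        "* Tue Jan 11 2011 Example Packager <pkg@example.invalid> - 4.3p2-72\n"
        "- fix for CVE-0000-1111 (backported patch, version unchanged)\n"
    ),
    "httpd": (
        "* Mon Dec 06 2010 Example Packager <pkg@example.invalid> - 2.2.3-45\n"
        "- rebuild with updated configuration defaults\n"
    ),
}

# Constructed scanner output: what a version-matching ASV scan might flag.
SCANNER_FINDINGS = [
    {"package": "openssh", "cve": "CVE-0000-1111"},
    {"package": "httpd", "cve": "CVE-0000-2222"},
]

if __name__ == "__main__":
    for bucket, items in triage(SCANNER_FINDINGS, SAMPLE_CHANGELOGS).items():
        print(bucket, items)
```

On a real host, feed `triage()` the actual `rpm -q --changelog` text for each flagged package; the "backported" list is what you send the ASV as false-positive evidence.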