[CentOS] Recommendation for a Good Vulnerability Scanning Service?

Sun Feb 20 23:58:35 UTC 2011
Ian Forde <ianforde at gmail.com>

On Fri, 2011-02-18 at 15:09 -0500, Michael B Allen wrote:
> Are you talking about the SAQC? I run all CC transactions through one
> CentOS VPS webserver (actually I have two servers that I periodically
> wipe out and alternate between every year or two). So I don't have POS
> terminals or any Windows PCs in the mix. We don't save any card holder
> data at all. So my SAQC was a breeze. I just had to add N/A for
> questions like the "do you run anti-virus software" and explain that
> everything goes through the one Linux machine for which no anti-virus
> software exists or is necessary.

You're going to want to go to www.pcisecuritystandards.org for the full
scoop.  I'd advise you to have your counsel examine the PCI DSS
documents.  IANAL, but I recall from version 2.0 of the doc found at
https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf
(click-through agreement required) that, and I quote from page 7: "PCI
DSS applies wherever account data is stored, processed or transmitted".

So it's not about saving data per se.  Just the act of having it
transmitted to your systems may (again, IANAL) make PCI DSS apply.

I've been dealing with PCI Compliance at work for a few years.  It's not
really something you want to skimp through, as the fines can be quite
severe when things go wrong.  As I said, you may want to talk to your
lawyer...

	-I