[CentOS] Recommendation for a Good Vulnerability Scanning Service?

Mon Feb 21 03:20:48 UTC 2011
Michael B Allen <ioplex at gmail.com>

On Sun, Feb 20, 2011 at 6:58 PM, Ian Forde <ianforde at gmail.com> wrote:
> On Fri, 2011-02-18 at 15:09 -0500, Michael B Allen wrote:
>> Are you talking about the SAQC? I run all CC transactions through one
>> CentOS VPS webserver (actually I have two servers that I periodically
>> wipe out and alternate between every year or two). So I don't have POS
>> terminals or any Windows PCs in the mix. We don't save any card holder
>> data at all. So my SAQC was a breeze. I just had to add N/A for
>> questions like the "do you run anti-virus software" and explain that
>> everything goes through the one Linux machine for which no anti-virus
>> software exists or is necessary.
>
> You're going to want to go to www.pcisecuritystandards.org for the full
> scoop.  I'd advise you to have your counsel examine the PCI DSS
> documents.  IANAL, but I recall from version 2.0 of the doc found at
> https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf
> (click-through agreement required) that, and I quote from page 7: "PCI
> DSS applies wherever account data is stored, processed or transmitted".
>
> So it's not about saving data per se.  Just the act of having it
> transmitted to your systems may (again, IANAL) make PCI DSS apply.

Hi Ian,

Right. But a lot of the questions in the SAQC are like "9.7.a Is
strict control maintained over the internal or external distribution
of any kind of media that contains cardholder data?". But if you don't
save cardholder data, this simply does not apply to me. I think a lot
of retailers probably have many employees using PCs to look at
transaction details like names, the last 4 digits of the card number
and so on. In this case, the methods for doing so need to be secured
and the PCs being used need anti-virus updated regularly, etc. Since
my webserver only sees CC data for the few seconds it takes for
Authorize.Net to respond to the POST to their server, none of section
9 even applies. If you're a retailer with 10 stores and 30 POS
terminals, yeah, PCI compliance is a bigger job. If my CC transactions
go through one webserver and no data is stored, I don't suspect this
will be too difficult to handle myself.

Although I'm not compliant yet. We'll see. I have to pass the scan
first and right now it's complaining about things like SMTP listening
on 2525, ssl cipher strength and blah, blah, blah. Presumably I just
have to go through each and explain that something was backported,
that running on 2525 is quite deliberate and fix things like permitted
ciphers.

Mike
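The scan finding Mike mentions, "ssl cipher strength", usually comes down to what the Apache `SSLCipherSuite` string (an OpenSSL cipher list) actually enables once the `!`, `-` and `+` operators are applied. The following is an added example, not code from the thread or from CentOS: it models that left-to-right resolution for a handful of weak families and reports which ones survive, so a permissive string can be compared with a tightened one before re-running the scan. The denylist, the alias and group tables, and the two sample strings are my own assumptions, reduced to the families that matter for this kind of finding; on the host itself, `openssl ciphers -v '<string>'` is the authoritative expansion.

```python
"""Added example (not from the mailing-list thread): resolve an OpenSSL cipher
string the way SSLCipherSuite is read and report weak families still enabled.
The family denylist and the alias/group tables are my assumptions."""

# Cipher families a compliance scan typically objects to (assumption: my denylist).
WEAK_FAMILIES = {"LOW", "EXPORT", "eNULL", "aNULL", "RC4", "MD5", "SSLv2"}

# Alternative spellings OpenSSL accepts for the same family (subset of ciphers(1)).
ALIASES = {"EXP": "EXPORT", "NULL": "eNULL", "ADH": "aNULL", "AECDH": "aNULL",
           "COMPLEMENTOFALL": "eNULL", "COMPLEMENTOFDEFAULT": "aNULL"}

# Which weak families the broad OpenSSL groups pull in. ALL is everything except
# eNULL; DEFAULT additionally drops anonymous suites; MEDIUM (the 128-bit tier)
# still contained RC4 in the OpenSSL builds of that era; HIGH brings in none.
GROUPS = {
    "ALL": WEAK_FAMILIES - {"eNULL"},
    "DEFAULT": WEAK_FAMILIES - {"eNULL", "aNULL"},
    "MEDIUM": {"RC4"},
    "HIGH": set(),
}


def families_of(token):
    """Weak families that one cipher-string token (without !/-/+ prefix) names."""
    token = ALIASES.get(token, token)
    if token in GROUPS:
        return set(GROUPS[token])
    if token in WEAK_FAMILIES:
        return {token}
    # Explicit suite names: classify by the naming conventions OpenSSL uses.
    found = set()
    if token.startswith("EXP-"):
        found.add("EXPORT")
    if token.startswith("NULL-"):
        found.add("eNULL")
    if token.startswith(("ADH-", "AECDH-")):
        found.add("aNULL")
    if "RC4" in token:
        found.add("RC4")
    if "DES-CBC-" in token:          # single DES (56-bit); 3DES is spelled DES-CBC3
        found.add("LOW")
    if token.endswith("-MD5"):
        found.add("MD5")
    return found


def review_cipher_string(cipher_string):
    """Walk the string left to right as OpenSSL does and return the weak
    families still enabled at the end, sorted. '!' removes a family for good,
    '-' removes it until re-added, '+' only reorders, '@...' are directives."""
    enabled, banned = set(), set()
    for raw in cipher_string.split(":"):
        raw = raw.strip()
        if not raw or raw.startswith("@"):
            continue
        op, token = (raw[0], raw[1:]) if raw[0] in "!-+" else ("", raw)
        # 'A+B' is an intersection; the union of its parts is a safe over-approximation
        fams = set().union(*(families_of(part) for part in token.split("+")))
        if op == "!":
            banned |= fams
            enabled -= fams
        elif op == "-":
            enabled -= fams
        elif op == "+":
            pass
        else:
            enabled |= fams - banned
    return sorted(enabled & WEAK_FAMILIES)


# Constructed inputs: a permissive legacy-style string and a tightened one.
LEGACY = "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
HARDENED = "HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!RC4:!MD5:!SSLv2"

if __name__ == "__main__":
    for label, cs in (("legacy", LEGACY), ("hardened", HARDENED)):
        print(f"{label:9s} {cs}")
        print(f"          weak families enabled: {review_cipher_string(cs) or 'none'}")
```

The point the walk makes is that `+LOW` and `+EXP` in the legacy string look like they are doing something but only reorder suites that `ALL` already switched on; only a `!` entry takes a family out of the negotiable set. The model deliberately over-approximates intersections such as `RC4+RSA`, so a reported family is a prompt to check the real expansion with `openssl ciphers -v`, not a final verdict.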