--- Jason Ledford <[EMAIL PROTECTED]> wrote:
> I was just wondering if nessus is capable of providing reports of PCI
> compliance and if anyone has any tips on how to get it working.

What perspective are you coming from? As a merchant or service provider being audited, or as a vendor performing the audit? The talk below addresses the vendor perspective.

Which PCI compliance are we talking about here, too? There's a bunch ;-)

PCI Data Security Standard (DSS)
PCI Security Audit Procedures
PCI Self-Assessment Questionnaire
PCI Network Security Scan Requirements

The last one is run by MasterCard, and most merchants and service providers need to have it done on a quarterly basis. Nessus works wonders here, and I along with another peer got our company certified as an external vendor with Nessus (and some other tools and glue).

There's the internal VISA-run PCI certification (DSS), for which I'm also a QDSP and the company I'm with is a QDSC. The internal one is an audit covering many controls above and beyond the scope of Nessus (or any automated tool). It requires the above quarterly scan along with a pentest. The pentest, though, does not need to be done by a qualified external vendor, and one can pick whatever poison one wishes for this (e.g. CANVAS).

Nessus won't do much good when this is the control: "Establish, publish, maintain, and disseminate a security policy that: Addresses all requirements in this specification [...]"

So, if you're talking about the PCI quarterly, yeah, sure. But you have to pay to become compliant and also certified by MasterCard, and it has to be done by a third party, not the person being tested.

HTH,
Jon

_______________________________________________
Nessus mailing list
[email protected]
http://mail.nessus.org/mailman/listinfo/nessus
