http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_Qualified_Data_Security_Company_List.pdf
I hope you aren't looking to turn scan reports from Nessus in to VISA. That I'm sure will make their day. Only PCI compliance reports (and scan reports) from a QDSC are accepted by VISA, so you can scan all you want with *insert tool here* but it won't be accepted by VISA. However, you can and SHOULD be scanning before a QDSC is called in to do the final audit/scan/report for compliance.
And the default output of Nessus should be enough to build a project plan for PCI compliance around.
Dre
On 3/16/06, Utin Mikhail A CONT NPRI <[EMAIL PROTECTED]> wrote:
I would say that the question is incorrect. If you check the standard's text (I have the January 2005 version), what it says is that vulnerability scanning should be done externally and internally, at least quarterly or after a significant change. You can run Nessus quarterly and will be in compliance. However, it is possibly a very bad idea to run it once in three months. In the text there is "product upgrades" as well. So, to be safe, you need scanning after each MS (or other vendor's) patch is applied. Is it a logical suggestion from a vulnerability mitigation point of view? Not really. You need an initial scan, which possibly will bring some vulnerable hosts, and a final one, which shows zero. However, more likely you will need several scans before you get the target "zero". DoD, for instance, requires an initial scan and weekly ones until the number of vulnerable hosts is zero.
Mikhail Utin
AIS Security
[EMAIL PROTECTED]
401-832-6584
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jason Ledford
Sent: Wednesday, March 15, 2006 10:28 PM
To: [email protected]
Subject: PCI Compliance
I was just wondering if Nessus is capable of providing reports of PCI compliance and if anyone has any tips on how to get it working.
_______________________________________________
Nessus mailing list
[email protected]
http://mail.nessus.org/mailman/listinfo/nessus
