Jason,
 
Actually, the requirement is to use a "qualified independent scan vendor," which has absolutely nothing to do with QDSC (qualified data security company). 
 
You can get a list of qualified independent scan vendors here: https://sdp.mastercardintl.com/vendors/vendor_list.shtml.  
 
You can get a list of QDSC companies here: http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_Qualified_Data_Security_Company_List.pdf?it=c|%2Fbusiness%2Faccepting_visa%2Fops_risk_management%2Fcisp_service_providers%2Ehtml|Qualified%20Data%20Security%20Company%20List 
 
And the requirement to use a qualified independent scan vendor only applies to public-facing systems, not internal ones.  Both external and internal systems, however, must be scanned on a quarterly basis, but only those that are in scope for PCI (meaning they store, process, or transmit cardholder information, provide authentication services for in-scope systems, or provide network services for in-scope systems).  You can get the complete requirements for scanning here: http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Security_Scanning_Procedures.pdf?it=search.  Note that there aren't any Nessus "PCI Plug-ins," and if you read the detailed audit procedures, you'll see that it would be almost impossible to do.
 
You can get the detailed security audit procedures here: http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Security_Audit_Procedures_and_Reporting.doc?it=il|/business/accepting_visa/ops_risk_management/cisp_tools_faq.html|PCI%20Security%20Audit%20Procedures
 
The QDSC only comes into play for Level I merchants (firms that process more than 6 million card transactions per year), and it's not a requirement.  Those firms must have an on-site assessment performed by a QDSC **OR** must conduct an internal audit and have an officer of the company attest to the accuracy and completeness of the audit (by his/her signature on the Report on Compliance).  In my experience, most company officers are very hesitant to do that.  Note that having an internal audit done by an independent auditor that is not a QDSC still requires the company officer signature on the RoC.  Also note that the big four (Ernst & Young, Deloitte & Touche, etc.) are NOT on the QDSC list.
 
Also, VISA doesn't take scan reports from anyone, and they don't take anything from merchants.  Merchants, or QDSCs acting on behalf of merchants, submit the completed PCI Security Audit Procedures (the 50+ page audit test, analysis and validation document) along with the signed RoC to the acquiring banks.  The acquiring banks report to the payment card association.  Merchants do not deal directly with VISA, MasterCard, or any other card company. Ever.  As a final note on scan reports, you should NEVER provide scan results to ANY entity outside your organization.  If auditors ask for it, give them a hardcopy, monitor their use of it, and make them give it back to you.
 
Finally, if your company doesn't process at least 6,000,000 card transactions per year, none of this on-site assessment stuff applies.  All Level 2 and 3 companies have to do is a 75 (or so) question self-assessment questionnaire and hire a third-party independent scan vendor.
 
To certain other parties who responded to Jason's message: If you're going to answer a question, please make sure it's accurate and well-researched.  PCI is difficult enough without bad scoop from other security professionals.
 
R/ John Scherff
24 Hour Fitness
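The scoping rule in the message above is transitive: a system is in scope if it handles cardholder data, and anything that provides authentication or network services to an in-scope system is pulled in as well. The following is an added example (not code from the thread or from any of the card brands' documents) that models that rule, then reports for each in-scope asset whether a public-facing scan by a qualified independent scan vendor is needed and whether its quarterly scan is overdue. The asset inventory, the dependency list and the 90-day reading of "quarterly" are constructed assumptions.

```python
"""Model the PCI scoping and scan-obligation rules described in the message.

Added example, not from the mailing-list thread. The inventory, the service
dependencies and the 90-day quarterly window are constructed assumptions.
"""
from datetime import date

# Constructed inventory: name -> (holds cardholder data?, public-facing?, last scan date)
ASSETS = {
    "web-pay":  {"cardholder_data": True,  "public": True,  "last_scan": date(2006, 1, 10)},
    "db-cards": {"cardholder_data": True,  "public": False, "last_scan": date(2006, 3, 1)},
    "ldap-1":   {"cardholder_data": False, "public": False, "last_scan": date(2005, 11, 20)},
    "core-sw":  {"cardholder_data": False, "public": False, "last_scan": None},
    "hr-wiki":  {"cardholder_data": False, "public": False, "last_scan": date(2005, 6, 1)},
    "dns-ext":  {"cardholder_data": False, "public": True,  "last_scan": date(2006, 2, 15)},
}

# Constructed service dependencies: (provider, consumer, kind of service provided)
SERVICES = [
    ("ldap-1", "web-pay", "auth"),
    ("ldap-1", "db-cards", "auth"),
    ("core-sw", "db-cards", "network"),
    ("core-sw", "ldap-1", "network"),
    ("dns-ext", "web-pay", "network"),
    ("core-sw", "hr-wiki", "network"),  # hr-wiki only consumes; it does not enter scope
]


def in_scope(assets, services):
    """Cardholder-data systems plus, transitively, every provider of auth or
    network services to an in-scope system (fixed-point over the edge list)."""
    scope = {name for name, a in assets.items() if a["cardholder_data"]}
    changed = True
    while changed:
        changed = False
        for provider, consumer, kind in services:
            if consumer in scope and kind in ("auth", "network") and provider not in scope:
                scope.add(provider)
                changed = True
    return scope


def scan_obligations(assets, services, today, window_days=90):
    """For each in-scope asset: does it need an external (ASV) scan because it is
    public-facing, and is its quarterly scan overdue as of `today`?"""
    report = {}
    for name in sorted(in_scope(assets, services)):
        last = assets[name]["last_scan"]
        overdue = last is None or (today - last).days > window_days
        report[name] = {
            "external_asv_required": assets[name]["public"],
            "quarterly_scan_overdue": overdue,
        }
    return report


if __name__ == "__main__":
    for name, status in scan_obligations(ASSETS, SERVICES, date(2006, 3, 16)).items():
        print(name, status)
```

Scope here is computed from declared dependencies; in practice the dependency list is the part that needs the most verification, since an undeclared authentication or network dependency silently leaves a system out of the scan programme.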

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Andre Ludwig
Sent: Thursday, March 16, 2006 9:12 AM
To: Utin Mikhail A CONT NPRI
Cc: [email protected]
Subject: Re: PCI Compliance

Something Something "certified scan vendors for compliance verification" Something Something

http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_Qualified_Data_Security_Company_List.pdf

I hope you aren't looking to turn scan reports from Nessus in to VISA.  That I'm sure will make their day.  Only PCI compliance reports (and scan reports) from a QDSC are accepted by VISA, so you can scan all you want with *insert tool here* but it won't be accepted by VISA.  However, you can and SHOULD be scanning before a QDSC is called in to do the final audit/scan/report for compliance.

And the default output of Nessus should be enough to build a project plan for PCI compliance around.

Dre

On 3/16/06, Utin Mikhail A CONT NPRI <[EMAIL PROTECTED]> wrote:
I would say that the question is incorrect. If you check the standard's text (I have the January 2005 version), what it says is that vulnerability scanning should be done externally and internally, at least quarterly or after significant change. You can run Nessus quarterly and will be in compliance. However, it is possibly a very bad idea to run once in three months. In the text there is "product upgrades" as well. So, to be safe, you need scanning after each MS (or other vendors) patch applied. Is it a logical suggestion from a vulnerability mitigation point of view? Not really. You need an initial scan, which possibly will bring some vulnerable hosts, and a final one, which shows zero. However, more likely you will need several scans before you get the target "zero". DoD, for instance, requires an initial scan and weekly ones until zero number of vulnerable hosts.

Mikhail Utin
AIS Security
[EMAIL PROTECTED]
401-832-6584
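The workflow in the message above is an initial scan, repeated scans until a run shows zero vulnerable hosts, and a fresh scan whenever a patch or other significant change lands. The block below is an added example, not from the thread and not a Nessus feature: it reads a constructed, simplified CSV in the spirit of a scan export (host, plugin id, severity; not the real Nessus format), tracks the vulnerable-host count across runs, flags hosts that come back after being clean, and computes when the next scan is due under the "quarterly or after change" rule. The export text, dates and severity ranking are all constructed for illustration.

```python
"""Track successive scan runs toward the "zero vulnerable hosts" target and
work out when the next scan is required.

Added example, not from the thread. The CSV exports are a constructed,
simplified format (host,plugin_id,severity), not a real Nessus export.
"""
import csv
import io
from datetime import date, timedelta

# Constructed exports, one per scan run, in the order they were taken.
SCANS = [
    ("2006-01-05", "host,plugin_id,severity\n"
                   "10.0.0.5,11111,High\n10.0.0.6,22222,Medium\n10.0.0.7,33333,Low\n"),
    ("2006-01-12", "host,plugin_id,severity\n"
                   "10.0.0.5,11111,High\n10.0.0.7,33333,Low\n"),
    ("2006-01-19", "host,plugin_id,severity\n"
                   "10.0.0.6,22222,Medium\n10.0.0.7,33333,Low\n"),   # 10.0.0.6 came back
    ("2006-01-26", "host,plugin_id,severity\n"
                   "10.0.0.7,33333,Low\n"),                           # only Low left
]

# Constructed ranking; "Medium" is the default floor for counting a host as vulnerable.
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3}


def vulnerable_hosts(export_text, min_severity="Medium"):
    """Set of hosts with at least one finding at or above min_severity."""
    floor = SEVERITY_RANK[min_severity]
    hosts = set()
    for row in csv.DictReader(io.StringIO(export_text)):
        if SEVERITY_RANK.get(row["severity"], 0) >= floor:
            hosts.add(row["host"])
    return hosts


def remediation_trend(scans, min_severity="Medium"):
    """One (scan_date, vulnerable_count, newly_vulnerable_hosts) tuple per run.
    newly_vulnerable_hosts are hosts that were clean in the previous run, i.e.
    regressions or new exposures that block reaching zero."""
    trend = []
    previous = None
    for scan_date, text in scans:
        hosts = vulnerable_hosts(text, min_severity)
        new = sorted(hosts - previous) if previous is not None else []
        trend.append((scan_date, len(hosts), new))
        previous = hosts
    return trend


def target_reached(scans, min_severity="Medium"):
    """True when the most recent run shows zero vulnerable hosts."""
    return remediation_trend(scans, min_severity)[-1][1] == 0


def next_scan_due(last_scan, change_dates, max_interval_days=90):
    """Next required scan date: the periodic deadline (90 days assumed for
    "quarterly"), or earlier if a patch/significant change post-dates the last scan."""
    deadline = last_scan + timedelta(days=max_interval_days)
    later_changes = [d for d in change_dates if d > last_scan]
    return min([deadline] + later_changes)


if __name__ == "__main__":
    for row in remediation_trend(SCANS):
        print(row)
    print("target reached:", target_reached(SCANS))
    print("next scan due:", next_scan_due(date(2006, 1, 26), [date(2006, 1, 10), date(2006, 2, 14)]))
```

The trend function is the useful part for a defender: a run whose count drops can still hide a regression on a host that had been clean, and the newly-vulnerable list surfaces exactly that.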


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jason Ledford
Sent: Wednesday, March 15, 2006 10:28 PM
To: [email protected]
Subject: PCI Compliance

I was just wondering if Nessus is capable of providing reports of PCI compliance and if anyone has any tips on how to get it working.

_______________________________________________
Nessus mailing list
[email protected]
http://mail.nessus.org/mailman/listinfo/nessus