Thank you very much for this reply. We currently use Qualys for all of our outward-facing services and I was just trying to get a better understanding of this type of report and what I can produce that can compare to that report. I am not trying to hand a Nessus report over to Visa, but trying to hand a report over to my higher-up sys admins. But I would like to have a second opinion of sorts when looking at scan results and be able to compare instead of just taking what the results say as the final word.

Thanks to all who replied to this.

On Thu, 16 Mar 2006 15:56:14 -0800, "John Scherff" <[EMAIL PROTECTED]> wrote:

> Jason,
>
> Actually, the requirement is to use a "qualified independent scan vendor," which has absolutely nothing to do with QDSC (qualified data security company).
>
> You can get a list of qualified independent scan vendors here:
> https://sdp.mastercardintl.com/vendors/vendor_list.shtml
>
> You can get a list of QDSC companies here:
> http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_Qualified_Data_Security_Company_List.pdf?it=c|%2Fbusiness%2Faccepting_visa%2Fops_risk_management%2Fcisp_service_providers%2Ehtml|Qualified%20Data%20Security%20Company%20List
>
> And the requirement to use a qualified independent scan vendor only applies to public-facing systems, not internal ones. Both external and internal systems, however, must be scanned on a quarterly basis, but only those that are in scope for PCI (meaning they store, process, or transmit cardholder information, provide authentication services for in-scope systems, or provide network services for in-scope systems). You can get the complete requirements for scanning here:
> http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Security_Scanning_Procedures.pdf?it=search
>
> Note that there aren't any Nessus "PCI plug-ins," and if you read the detailed audit procedures, you'll see that it would be almost impossible to do.
>
> You can get the detailed security audit procedures here:
> http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Security_Audit_Procedures_and_Reporting.doc?it=il|/business/accepting_visa/ops_risk_management/cisp_tools_faq.html|PCI%20Security%20Audit%20Procedures
>
> The QDSC only comes into play for Level 1 merchants (firms that process more than 6 million card transactions per year), and it's not a requirement. Those firms must have an on-site assessment performed by a QDSC **OR** must conduct an internal audit and have an officer of the company attest to the accuracy and completeness of the audit (by his/her signature on the Report on Compliance). In my experience, most company officers are very hesitant to do that. Note that having an internal audit done by an independent auditor that is not a QDSC still requires the company officer's signature on the RoC. Also note that the Big Four (Ernst & Young, Deloitte & Touche, etc.) are NOT on the QDSC list.
>
> Also, Visa doesn't take scan reports from anyone, and they don't take anything from merchants. Merchants, or QDSCs acting on behalf of merchants, submit the completed PCI Security Audit Procedures (the 50+ page audit test, analysis and validation document) along with the signed RoC to the acquiring banks. The acquiring banks report to the payment card association. Merchants do not deal directly with Visa, MasterCard, or any other card company. Ever. As a final note on scan reports, you should NEVER provide scan results to ANY entity outside your organization. If auditors ask for it, give them a hardcopy, monitor their use of it, and make them give it back to you.
>
> Finally, if your company doesn't process at least 6,000,000 card transactions per year, none of this on-site assessment stuff applies. All Level 2 and 3 companies have to do is a 75 (or so) question self-assessment questionnaire and hire a third-party independent scan vendor.
>
> To certain other parties who responded to Jason's message: If you're going to answer a question, please make sure it's accurate and well-researched. PCI is difficult enough without bad scoop from other security professionals.
>
> R/ John Scherff
> 24 Hour Fitness
>
> ________________________________
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Andre Ludwig
> Sent: Thursday, March 16, 2006 9:12 AM
> To: Utin Mikhail A CONT NPRI
> Cc: [email protected]
> Subject: Re: PCI Compliance
>
> > Something Something "certified scan vendors for compliance verification" Something Something
> >
> > http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_Qualified_Data_Security_Company_List.pdf
> >
> > I hope you aren't looking to turn scan reports from Nessus in to Visa. That I'm sure will make their day. Only PCI compliance reports (and scan reports) from a QDSC are accepted by Visa, so you can scan all you want with *insert tool here* but it won't be accepted by Visa. However, you can and SHOULD be scanning before a QDSC is called in to do the final audit/scan/report for compliance.
> >
> > And the default output of Nessus should be enough to build a project plan for PCI compliance around.
> >
> > Dre
> >
> > On 3/16/06, Utin Mikhail A CONT NPRI <[EMAIL PROTECTED]> wrote:
> >
> > > I would say that the question is incorrect. If you check the standard's text (I have the January 2005 version), what it says is that vulnerability scanning should be done externally and internally, at least quarterly or after significant change. You can run Nessus quarterly and will be in compliance. However, it is possibly a very bad idea to run once in three months. In the text there is "product upgrades" as well. So, to be safe, you need scanning after each MS (or other vendor's) patch applied. Is it a logical suggestion from a vulnerability mitigation point of view? Not really. You need an initial scan, which possibly will bring some vulnerable hosts, and a final one, which shows zero. However, more likely you will need several scans before you get target "zero". DoD, for instance, requires an initial scan and weekly ones until zero number of vulnerable hosts.
> > >
> > > Mikhail Utin
> > > AIS Security
> > > [EMAIL PROTECTED]
> > > 401-832-6584
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jason Ledford
> > > Sent: Wednesday, March 15, 2006 10:28 PM
> > > To: [email protected]
> > > Subject: PCI Compliance
> > >
> > > > I was just wondering if Nessus is capable of providing reports of PCI compliance and if anyone has any tips on how to get it working.

_______________________________________________
Nessus mailing list
[email protected]
http://mail.nessus.org/mailman/listinfo/nessus
