View Single Post
  #1   (View Single Post)  
Old 10th July 2008
dk_netsvil dk_netsvil is offline
Real Name: Devon
Fdisk Soldier
 
Join Date: May 2008
Location: New York
Posts: 75
Default Payment Card Industry compliance scanning

Payment Card Industry (PCI) scans are something I get to deal with every day where I am responsible for a data center with a high concentration of e-commerce webservers. For those who have yet to experience this phenomena allow me to explain a little about PCI scans. For an online retailer using, for example, Visa services it is a requirement to submit your website to periodic PCI evaluations or else risk falling out of favor with, in this example, Visa. So you sign up with a service, there are many available, and your website is analyzed on many different levels to determine potential security vulnerabilities. These range from known weaknesses in different versions of apache, mysql, php, openSSH, openSSL, Java, etc. Some of these scans return relatively simple information - your apache version has a known vulnerability, solution: upgrade to version X.

Other scans are so generalized as to be useless - better to send me an email telling me I might as well just spin a wheel and guess.

From a practical administration perspective I appreciate that card companies are attempting, through the mechanism of the PCI scan, to reduce fraud and ultimately improve the name of online credit card processing. And, as an admin, I am well aware that one means of ensuring a high level of compliance is periodically scanning these servers to ensure they are secure. On the other hand, when I get these useless vague scan reports I wonder if it's not also kind of a scam, especially when I call and they are either unwilling to discuss how the scan result came to be determined or if it's something they can't repeat.

Any thoughts?
Reply With Quote