Re: nessus to PCI

From: Michael Hammer (dotzero@gmail.com)
Date: Wed Jun 22 2005 - 16:46:46 EDT


On 6/22/05, Mr Wizard <security.research.2005@gmail.com> wrote:
> Unless you can get the Nessus Open Source Vulnerability Scanner
> project team to certify Nessus with the Visa & MasterCard PCI program,
> I would not advise using this tool for client engagements.
>
> Mr. Wizard.
>

Actually, I think it is the reverse.

Because the scans can only be completed by third parties certified for
PCI compliance scans, even if you could map Nessus to PCI requirements
it wouldn't necessarily be useful for any sort of client engagements.
PCI does not test the specific tool(s). It really tests the outcomes
from the use of the tool(s).

Here are a couple of links that might be useful:

https://sdp.mastercardintl.com/vendors/vendor_testing_process.shtml -
This is the process by which scan vendors are tested and qualified.
Note that there is no reference to any particular tools.

https://sdp.mastercardintl.com/vendors/vendor_list.shtml - list of
approved vendors

http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_Qualified_CISP_Assessor_List.pdf
- VISA list of approved vendors.

Mike
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:28 EDT