RE: VISA/Mastercard PCI Vendor Scanning requirements

From: Craig Wright (cwright@bdosyd.com.au)
Date: Fri Mar 03 2006 - 20:21:59 EST


Hello,
Actually there is no requirement that all scans be completed off site. We do both audit and scanning. So I have no issues with differentiation and what I mentioned prior would not make even the planning phase of an audit.
 
First the vendor needs to be on the list of approved parties for the level they are planning to do. The simplest requirement is to do simple scans. I will cover these requirements later in the message. The requirements are more complex for the onsite audit.
 
Next for the scan. There is NO requirement to go onsite but also nothing to stop the vendor doing so in order to achieve the level of confidence that is mandatory. The requirement is that all systems with an externally facing IP address are scanned. This is not that a scan be conducted solely from an external location.
 
Next the standard Pen Test - let's see what we can break mentality does not work. Visa states "the vendor should never penetrate or alter the customer environment". The vendor has a right to ask for information under the standard. To take a section that needs to be checked off - not from the audit but for ALL merchants including those with only "scan requirements".
 
"Are all routers, switches, wireless access points and firewall configurations secured and do they conform to documented security standards"
 
I have asked this to the list before and never obtained an answer, so I will ask again. How can an external Pen Test alone not only check all vulnerabilities including switches and ALSO check that a system conforms to documented standards? How for that matter can a pen test check that the client has actually documented their systems?
 
Without penetrating the system or causing damage (see Visa PCI requirements), how do you propose to ensure that "there is a virus scanner installed on all servers and on all workstations, and is the virus scanner regularly updated"?
 
You cannot send a virus and this would not check updating anyway. These issues are in the list of vulnerabilities that must be checked.
 
Just the internal self assurance check list is far more onerous than what is completed in most pen tests. I again reiterate, "external scanning" is but a small part of the whole test. Just as most of the issuing authorities (ie banks) are not checking compliance to the required level at the moment does nothing to stop the end party risk. The contract is between the Card issuer and the end party as well. The bank may not care - but they are not the one who will be sued for breach.
 
Regards
Craig

        -----Original Message-----
        From: Derek Nash [mailto:ddnash@gmail.com]
        Sent: Sat 4/03/2006 9:51 AM
        To: Craig Wright
        Cc: pen-test@securityfocus.com
        Subject: Re: VISA/Mastercard PCI Vendor Scanning requirements
        
        

        Although you are correct in that it doesn't state a blind test. The
        sample environment you are required to scan for certification is a
        remote environment which precludes an onsite visit and normal data
        information gathering phases that would be performed during a full
        security assessment.
        
        PCI testing is narrow in scope and specific in its requirements. I am
        simply trying to determine what others are doing to meet the minimum
        requirements to perform a PCI scan under the industry requirements.
        
        Please do not confuse this with a PCI audit which is a much larger
        undertaking and more closely matches a "full on" security assessment.
        
        
        On 3/3/06, Craig Wright <cwright@bdosyd.com.au> wrote:
>
> Hello,
> Real testing. Nothing in the VISA statement of terms includes BLIND. Never is the word mentioned. It is ONLY mentioned when vendors seek an excuse (ie Cable and Wireless and last year's little incident).
>
>




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:36 EDT