RE: VISA/Mastercard PCI Vendor Scanning requirements

From: Craig Wright (cwright@bdosyd.com.au)
Date: Sat Mar 04 2006 - 15:39:59 EST


Hello
The resultant liability still vests with the merchant unless the merchant can demonstrate that the systems that they run were secured to the standard. The burden of proof is on the merchant, not the card companies.
 
For this reason it is better to have a provider that does more rather than less. Any "plastic" scan, as you put it, is thus not going to be of use and leaves the merchant vulnerable. As such it is no more than burning your money.
 
Remember, the thumbs-up will not help you if your systems are demonstrated to not be compliant. Take card systems. They tried to hide behind the scan - it did not avail them.
 
Regards
Craig

        -----Original Message-----
        From: John Kinsella [mailto:jlk@thrashyour.com]
        Sent: Sat 4/03/2006 5:09 AM
        To: Derek Nash
        Cc: pen-test@securityfocus.com
        Subject: Re: VISA/Mastercard PCI Vendor Scanning requirements
        
        

        I've only dealt with one PCI scanning company, supposedly they're one
        of the larger ones, but their scans are pathetic, to say the least.
        Basically you're paying them to scan what you say to scan, and then
        what to ignore from those results, then you get a thumbs up.
        
        John
        
        

Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within those States and Territories of Australia where such legislation exists.

DISCLAIMER
The information contained in this email and any attachments is confidential. If you are not the intended recipient, you must not use or disclose the information. If you have received this email in error, please inform us promptly by reply email or by telephoning +61 2 9286 5555. Please delete the email and destroy any printed copy.

Any views expressed in this message are those of the individual sender. You may not rely on this message as advice unless it has been electronically signed by a Partner of BDO or it is subsequently confirmed by letter or fax signed by a Partner of BDO.

BDO accepts no liability for any damage caused by this email or its attachments due to viruses, interference, interception, corruption or unauthorised access.



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:36 EDT