SaaS (Security-scanning as a Service)

We’ve had some enquiries from customers recently regarding security compliance scans, the most commonly requested being PCI DSS. For those not in the know, this stands for the Payment Card Industry Data Security Standard. It is of course a fascinating topic, covering best-practice requirements for the processing, transmission and storage of cardholder data.

The enquiries we get relate to a security scan carried out by an Approved Scanning Vendor (ASV). The usual report format is a list of potential “vulnerabilities” detected from the outside, each assigned a severity rating from 1 to 5. Anchor’s shared hosting servers never have any problems with this, so the report reads like a missal of mundanity.

TCP port 21 is open, an FTP service appears to be running! Crazy, I know…

The thing is, this scan is really just one small part of a much larger framework. The core requirements of the PCI DSS say very little about how the scan should be performed, beyond requiring that an ASV does one every quarter; the standard is really about secure storage and transmission of cardholder data, and about accountability and auditing.

Do our customers’ applications really render the card data they store in the database unreadable, as Requirement 3 (“Protect stored cardholder data”) asks? I don’t know, but it sure isn’t checked as part of the scan: an external scan sees listening ports, not database columns. Requirement 6 is “Develop and maintain secure systems and applications”. Mm-hmm, that’s a good idea…
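To make the gap concrete, here is an added example (not Anchor’s code, and not from any ASV) contrasting what an external scan can report with what a Requirement 3 control inside the application looks like. The scan findings, the CardStore class, the HMAC key and the test card number are all constructed for illustration; it uses only the Python standard library, so it runs offline.

```python
"""Added example: an ASV-style port scan versus an in-application control
that keeps the full card number (PAN) out of the database.

Everything here is constructed for illustration: SCAN_FINDINGS, CardStore,
the key and the sample PAN are not from any real scan or customer."""
import hashlib
import hmac
import re

# Constructed sample of what an ASV report actually contains: open ports,
# a service guess and a 1-5 severity. Nothing here can see a database.
SCAN_FINDINGS = [
    {"port": 21, "service": "ftp", "severity": 2,
     "note": "FTP service appears to be running"},
    {"port": 80, "service": "http", "severity": 1,
     "note": "HTTP server detected"},
    {"port": 443, "service": "https", "severity": 1,
     "note": "TLS service detected"},
]


def highest_severity(findings):
    """The only thing the scan report really summarises: the worst rating seen."""
    return max(f["severity"] for f in findings)


def luhn_valid(pan):
    """Luhn checksum, the usual plausibility test for a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Display form: at most the first six and last four digits are shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan, key):
    """Keyed one-way hash used as a lookup token. The key must live outside
    the database, otherwise the token is no better than the PAN itself."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


class CardStore:
    """Tiny in-memory stand-in for a database table of stored cards.
    The full PAN is validated, then only a masked form and a keyed token
    are written; the PAN itself never reaches a row."""

    def __init__(self, key):
        self._key = key     # constructed demo key; a real one comes from a KMS/HSM
        self.rows = []

    def store(self, pan):
        pan = re.sub(r"[\s-]", "", pan)
        if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_valid(pan)):
            raise ValueError("not a plausible PAN")
        row = {"masked": mask_pan(pan), "token": pan_token(pan, self._key)}
        self.rows.append(row)
        return row

    def find(self, pan):
        """Look a card up by recomputing its token, not by comparing PANs."""
        pan = re.sub(r"[\s-]", "", pan)
        tok = pan_token(pan, self._key)
        return [r for r in self.rows if r["token"] == tok]

    def leaks_full_pan(self, pan):
        """The check no port scan can perform: is the raw PAN in any row?"""
        pan = re.sub(r"[\s-]", "", pan)
        return any(pan in str(r) for r in self.rows)


if __name__ == "__main__":
    store = CardStore(b"constructed-demo-key")
    demo_pan = "4111 1111 1111 1111"     # well-known test number, not a real card
    row = store.store(demo_pan)
    print("scan says worst severity:", highest_severity(SCAN_FINDINGS))
    print("stored row:", row)
    print("full PAN in storage:", store.leaks_full_pan(demo_pan))
```

The point of the contrast is that `highest_severity` is all the ASV report can tell you, while `leaks_full_pan` is the question Requirement 3 actually asks, and only the application (or an auditor reading its code and schema) can answer it.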

Security is really a commodity nowadays, a fact illustrated most perfectly by the way SSL certificates are sold. In case you hadn’t guessed, the PCI DSS scans we’ve seen can proudly join the ranks. Thankfully there are scanners who really know where their towel is (the first link below is a parody, and a pointed one). Looks good to me!

http://www.scanlesspci.com/

http://blogs.zdnet.com/security/?p=1114

http://jeremiahgrossman.blogspot.com/2008/04/my-blog-is-pci-certified-by-scanless.html
