It's not quite as easy as writing a check and doing an nmap scan.  Applicant 
companies have to go through a number of checks to verify their background, 
insurance coverage, lack of conflict of interest and ability to perform 
vulnerability scans that meet PCI's requirements.  One part of the approval 
process is to perform a vulnerability scan (not just nmap) on a PCI system.  
The applicant needs to satisfactorily detect the vulnerabilities on the system 
and not have too many false positives.  At least that is what I was told by a 
company that was trying to get approved.

The PCI website has a doc detailing the whole review process.  I looked at it 
briefly today and it looked like a fair number of requirements.  It probably 
would be a pain to go through the first time, but would be easier during 
reviews.

https://www.pcisecuritystandards.org/documents/asv_validation_requirements.pdf


Jason

On Jan 11, 2011, at 3:51 PM, Joel Gunderson <[email protected]> wrote:

> So does this basically mean that I have to pay one of those companies to run 
> nmap against my network from outside the firewall in order to make it count 
> towards PCI requirements?  Does this mean they've had any additional 
> training, or did they just front the cash to get on the list?
> 
> On Tue, Jan 11, 2011 at 12:43 PM, John Strand <[email protected]> wrote:
> To be on the PCI Approved Scanning Vendors, or not....
> 
> https://www.pcisecuritystandards.org/approved_companies_providers/approved_scanning_vendors.php
> 
> Love to get all of your thoughts on this.
> 
> John
> 
> _______________________________________________
> Pauldotcom mailing list
> [email protected]
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
> 
> 
> 
> -- 
> Joel Gunderson
> [email protected]
> 
> "Defaults are the guardian angels of the clueless."
> 
> 
