
PCI Scanning Ever Wonder What's Up?

I did a PCI scan using 3 different companies.


bwnbwn

5:50 pm on Sep 22, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I was just curious as to what different companies promoting the secure seal would give, so I tested them. All three gave me different security issues, and none of the issues are true security issues; they are all false positives.
This is my problem: there seem to be no set standards for a scanner to use, so each has its own quirks, all trying to get the company to use them to fix the issues the scan exposed.

I smell a scam here, and there are no regulations in place to tell these companies what should be checked and what should throw an error. I could in theory throw up a website, say I do PCI scanning, come up with some errors, and then sell you a package where we fix these errors for you for x price.

Then, without much effort since the errors are false positives, fix my security holes, and poof, I have a secure server seal and all.

Since I already know my server has cleared and I am OK with the CC processor I use, I know this, but someone who just gets a notice doesn't have a clue. This is an area I see being exploited by so-called security PCI scanners and a seal of approval.

What can a person who gets a notice do to keep from being drawn into these traps?

rachel123

6:16 pm on Sep 22, 2010 (gmt 0)

10+ Year Member



Be sure your vendor is on the list of ASVs per the PCI:

[pcisecuritystandards.org...]

and that the scan complies with the standards
[pcisecuritystandards.org...]

There are standards, though vague ones.

bwnbwn

9:08 pm on Sep 22, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



rachel123, that is a good list; thanks for sharing. I am sure it will help many who are looking.

rachel123

12:40 am on Sep 23, 2010 (gmt 0)

10+ Year Member



No problem. You will still get different vulnerabilities from different vendors though, which is maddening. In fact, some services will give you different vulnerabilities from back-to-back or concurrent scans, even though nothing has changed on the server. Also maddening.
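
The vendor-to-vendor and run-to-run disagreement described above is easier to live with if the reports are normalised before they are compared. The following is an added example, not code from the thread or from any ASV: it matches findings across two reports by CVE where one is present, falls back to a hand-maintained alias table for CVE-less findings that the vendors simply name differently, and leaves the rest keyed by title so they surface for manual review. It also flags findings that flap between repeated runs of the same scanner. The two report formats and all sample findings are constructed for the example; real ASV exports differ per vendor.

```python
"""Added example: reconcile findings across vulnerability scan reports.

The report layouts and every sample finding below are constructed for this
example (vendor "A" uses title/cve/severity, vendor "B" uses name/cves/risk);
they are not real ASV output.
"""
import re
from typing import Dict, Iterable, List, Set, Tuple

# A finding is reduced to (host, port, identifier).
Key = Tuple[str, int, str]

# Constructed alias table: vendor titles that describe the same CVE-less
# finding. In practice this grows as you see each vendor's wording.
ALIASES = {
    "tls version 1.0 protocol detection": "tls1.0-enabled",
    "deprecated ssl/tls protocol version supported (tlsv1.0)": "tls1.0-enabled",
}

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)

# Constructed sample reports for the same host from two vendors.
VENDOR_A = [
    {"host": "shop.example.com", "port": 443,
     "title": "TLS Version 1.0 Protocol Detection", "cve": [], "severity": "medium"},
    {"host": "shop.example.com", "port": 80,
     "title": "Apache HTTP Server ETag Inode Information Disclosure",
     "cve": ["CVE-2003-1418"], "severity": "low"},
    {"host": "shop.example.com", "port": 443,
     "title": "Web Server Generic XSS", "cve": [], "severity": "medium"},
]
VENDOR_B = [
    {"host": "shop.example.com", "port": 443,
     "name": "Deprecated SSL/TLS Protocol Version Supported (TLSv1.0)", "cves": "", "risk": 3},
    {"host": "shop.example.com", "port": 80,
     "name": "Apache ETag header information leak", "cves": "CVE-2003-1418", "risk": 1},
    {"host": "shop.example.com", "port": 443,
     "name": "Missing X-Frame-Options header", "cves": "", "risk": 2},
]
# Constructed re-run of vendor A with nothing changed on the host: the XSS
# finding has silently disappeared, which is the flapping rachel123 describes.
VENDOR_A_RERUN = [f for f in VENDOR_A if "XSS" not in f["title"]]


def normalize(finding: dict) -> Key:
    """Map a vendor-specific finding to a vendor-neutral key.

    Priority: lowest CVE id if any, then the alias table, then a slug of
    the title (which will rarely match across vendors and so gets reviewed).
    """
    host = finding["host"].lower()
    port = int(finding["port"])
    title = (finding.get("title") or finding.get("name") or "").strip()
    cves = finding.get("cve") or finding.get("cves") or []
    if isinstance(cves, str):
        cves = CVE_RE.findall(cves)
    if cves:
        return (host, port, sorted(c.upper() for c in cves)[0])
    canon = ALIASES.get(title.lower())
    if canon:
        return (host, port, canon)
    slug = re.sub(r"[^a-z0-9]+", "-", title.lower()).strip("-")
    return (host, port, "title:" + slug)


def keyset(report: Iterable[dict]) -> Set[Key]:
    return {normalize(f) for f in report}


def reconcile(report_a: Iterable[dict], report_b: Iterable[dict]) -> Dict[str, Set[Key]]:
    """Split two reports into agreed findings and each vendor's extras."""
    a, b = keyset(report_a), keyset(report_b)
    return {"both": a & b, "only_a": a - b, "only_b": b - a}


def flapping(runs: List[Iterable[dict]]) -> Set[Key]:
    """Findings that appear in some but not all runs of the same scanner."""
    sets = [keyset(r) for r in runs]
    return set().union(*sets) - set.intersection(*sets)


if __name__ == "__main__":
    for bucket, keys in reconcile(VENDOR_A, VENDOR_B).items():
        print(bucket, sorted(keys))
    print("flapping", sorted(flapping([VENDOR_A, VENDOR_A_RERUN])))
```

Anything that lands in `only_a` or `only_b` under a `title:` key is either a genuine vendor-specific check or two names for one finding that the alias table does not yet know; in the sample data the XSS and X-Frame-Options findings are the former. Anything in `flapping` with no change on the host is a question for the vendor, not a remediation item.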

HRoth

1:26 am on Sep 23, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Personally, I do think PCI is a scam. My processor offers the choice. You can pass the scan or you can pay an extra twenty bucks a month. That does not sound like a profound concern for security to me. Sounds like a profound concern with money-grubbing. Just another cost of doing business.

enigma1

2:34 pm on Sep 23, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



<quote>I do think PCI is a scam</quote>

Precisely. Also, there are countermeasures various sites have, based on the request headers for instance, that can be configured so the scan-bots will never get a chance to parse or really check the pages, which doesn't mean the application is secure (block based on IP, generate different content, etc.). Still, they will create a clean report. In my experience it is very easy to be PCI "compliant" with any of these vendors.

PS: it's also pointless for pages with active scripts, as they cannot parse them in most cases.
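
To make the countermeasure enigma1 describes concrete, and to show the check a merchant (or an assessor) can run against it, here is an added example that is not code from the thread or from any scanning vendor. A toy WSGI-style application serves a form and a query-reflecting results page to everyone, while a second version of the same application hands a static "Welcome" page to anything whose User-Agent or source address looks like a scanner. The detector then fetches each path twice, once as a browser and once as a scanner, and flags any path whose response differs. The application, the User-Agent markers, the client addresses and the scanner range are all constructed for the example (the 198.51.100.0/24 and 203.0.113.0/24 blocks are reserved for documentation).

```python
"""Added example: scanner cloaking and a way to detect it.

The application, User-Agent markers and addresses below are constructed for
this example; they are not any real site's or vendor's configuration.
"""
import hashlib
from typing import Callable, Dict, Iterable, Optional, Tuple

Environ = Dict[str, str]
Response = Tuple[int, Dict[str, str], bytes]
App = Callable[[Environ], Response]

# Constructed: substrings a cloaking site might key on in the User-Agent,
# and a scanner source range it might special-case outright.
SCANNER_UA_MARKERS = ("nessus", "qualys", "nikto", "scanner", "securityscan")
SCANNER_NETS = ("203.0.113.",)

BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/50 Safari/537.36"
SCANNER_UA = "Mozilla/5.0 (compatible; ExampleSecurityScan/1.0)"  # constructed
ORDINARY_CLIENT_IP = "198.51.100.7"                                 # constructed


def honest_app(environ: Environ) -> Response:
    """Serves the same content to every client: a search form, and a results
    page that reflects the query (exactly the kind of input a scanner probes)."""
    path = environ.get("PATH_INFO", "/")
    if path == "/search":
        q = environ.get("QUERY_STRING", "")
        body = b"<html><body>Results for: " + q.encode() + b"</body></html>"
    else:
        body = (b"<html><body><form action='/search' method='get'>"
                b"<input name='q'></form></body></html>")
    return 200, {"Content-Type": "text/html"}, body


def cloaking_app(environ: Environ) -> Response:
    """Same site, but a request that looks like a scanner gets a static page
    with no forms or parameters, so the scan finds nothing to test and the
    report comes back clean regardless of what the real pages do."""
    ua = environ.get("HTTP_USER_AGENT", "").lower()
    ip = environ.get("REMOTE_ADDR", "")
    if any(m in ua for m in SCANNER_UA_MARKERS) or ip.startswith(SCANNER_NETS):
        return 200, {"Content-Type": "text/html"}, b"<html><body>Welcome</body></html>"
    return honest_app(environ)


def fetch(app: App, path: str, ua: str, ip: str = ORDINARY_CLIENT_IP, qs: str = "") -> Response:
    """Stand-in for an HTTP client: calls the app directly so this runs offline."""
    return app({"PATH_INFO": path, "HTTP_USER_AGENT": ua,
                "REMOTE_ADDR": ip, "QUERY_STRING": qs})


def fingerprint(resp: Response) -> str:
    """Hash of status, content type and body; two responses with the same
    fingerprint were served the same page."""
    status, headers, body = resp
    h = hashlib.sha256()
    h.update(f"{status}|{headers.get('Content-Type', '')}|".encode())
    h.update(body)
    return h.hexdigest()


def detect_cloaking(app: App, paths: Iterable[str], scanner_ua: str = SCANNER_UA,
                    scanner_ip: Optional[str] = None,
                    browser_ua: str = BROWSER_UA) -> Dict[str, bool]:
    """Per path: True when the scanner-like request got different content than
    the browser-like request from an ordinary client address."""
    result = {}
    for path in paths:
        normal = fingerprint(fetch(app, path, browser_ua))
        probed = fingerprint(fetch(app, path, scanner_ua, ip=scanner_ip or ORDINARY_CLIENT_IP))
        result[path] = normal != probed
    return result


if __name__ == "__main__":
    for name, app in (("honest", honest_app), ("cloaking", cloaking_app)):
        print(name, "keyed on User-Agent:", detect_cloaking(app, ["/", "/search"]))
        print(name, "keyed on source IP:",
              detect_cloaking(app, ["/"], scanner_ua=BROWSER_UA, scanner_ip="203.0.113.9"))
```

Two caveats when running this against a real site: the User-Agent variant can be run from anywhere, but source-address cloaking is only visible if one of the two requests actually originates from the range the site special-cases (which, for an ASV, means comparing the ASV's view with your own rather than two of your own), and pages with per-request content (timestamps, CSRF tokens, session ids) must have that content stripped before hashing or every path will look cloaked.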

ssgumby

2:40 pm on Sep 23, 2010 (gmt 0)

10+ Year Member



Here is a little proof it is about the money.

I use McAfee Secure. I personally like the badge, think it helps with confidence, and it is nice to have the PCI quarterly report that I can submit to my processor.

However, I recently launched a new site. Something McAfee was doing literally brought the site to its knees, where I had to bounce the site to get it to work again.

I contacted McAfee and they said they don't hit it too hard and there must be a problem with my site. I agree, but was annoyed. I emailed back and told them I need to cancel my service. BAM, my site passes and is not brought down again.

Keep in mind, the site crashed every single day for two weeks before I contacted them; as soon as they thought they were losing some coin, they changed something, so my site stays up now.

jwolthuis

9:58 pm on Sep 23, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



<quote>Something McAfee was doing literally brought the site to its knees ...</quote>

Aren't you curious what it was that they were doing? If my site "crashes", I'm all over it 24/7 until it no longer crashes. If something as tame as McAfee can bring your site to its knees, just think what a pro could do. Just a thought.

ssgumby

1:26 am on Sep 24, 2010 (gmt 0)

10+ Year Member



<quote>
Aren't you curious what it was that they were doing? If my site "crashes", I'm all over it 24/7 until it no longer crashes. If something as tame as McAfee can bring your site to its knees, just think what a pro could do. Just a thought.
</quote>

Yes, very much so. This is a brand new site, though, with very little traffic and next to no revenue. I have the developers of my cart currently working with McAfee to figure it out.