  1. #1
    Join Date
    Apr 2001
    Montana USA

    managing PCI scan reports

    With the rise of PCI compliance headaches, we are seeing more and more 20-page PDF reports from various security vendors, sent in by our customers.

    The reports universally get it wrong and identify many issues that do not exist, or require research to explain away. Sometimes this can take hours.

    Has anyone else developed some sort of customer policy so that the non-customers (security vendors) aren't sapping our time?

    For example, we're considering requiring our customers to work with the security vendor (who works for them) to distill the reports into only those action items that must be resolved or explained away in order to "pass"*, and that each must be identified by CVE.

    Anyone else have a similar policy or strategy or advice?

    * I know passing one of these scans does not constitute PCI Compliance, but it seems like the security vendors think so.
    John Masterson
    Former Hosting Company Owner

  2. #2

    We are not alone; you are not alone.

    * Three in five of the respondents polled expressed the opinion that they lacked sufficient resources to comply with PCI DSS.

    * "Companies devote 35 per cent of their IT security budgets to PCI compliance on average, making cost a significant obstacle, especially for smaller companies," explained Amichai Shulman, CTO of data security firm Imperva, which commissioned the study. "This is why Imperva is recommending that the PCI DSS Council modify the requirements for larger and smaller companies to take into account different environments and security needs."

    PCI Compliance Scanning vendors have gotten better over the years where the false positives are on the decrease.

    I used to get so frustrated several years ago when the scanning results were just horrible for false positives.

    You know, if you went to a doctor who looked at you and stated you were the opposite sex, decades younger, 8 months pregnant (when not pregnant), etc. you would call the doctor a quack, and never go back. That plus the doctor would hopefully soon not be able to practice.

    Yet, the PCI Compliance Standards committee did no such thing, and the cost (time is money) of just responding to false positives was very high.

    In 2009, I've seen the false positives drop dramatically; so that's a good thing. Granted, the costs have not dropped dramatically, and will actually skyrocket in 2010 with VISA PA DSS certification of software that touches credit card data being a requirement.

    What I recommend doing is making sure your own hosting (i.e. automation system / control panel, mail server, web server, etc.) is PCI Compliant. That is to state, go through the process yourself.

    That will help you understand the reports better, get rid of the false positives, and provide a foundation for getting rid of any similar false positives for your customers (i.e. you can point back to false positive Y on date X) which saves a lot of time.

    You could also come up with a form the customer can fill out which just takes in the areas where they didn't pass the PCI Compliance scan; that should significantly shorten the data you receive.

    Thank you.
    Peter M. Abraham
    LinkedIn Profile

  3. #3
    Join Date
    Apr 2001
    Montana USA
    Thanks for the suggestions, and that article link.

    We decided to try and push the work back on the security vendors, since they're the ones getting paid. We updated our FAQ (search on 'pci' in our support section if interested) with a notice to security vendors that we don't want their 60-page PDF, we just want the specific items (with CVE IDs) that they require to declare the customer "compliant".

    The one we dealt with today is charging our mutual customer $50/month for 'non-compliance', in addition to whatever their scanning fee is, and their website brags that they have 30 years of combined experience.
    John Masterson
    Former Hosting Company Owner
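The intake policy described in posts #1 to #3 (accept only findings tied to a CVE ID, and keep a record of findings already explained away so the same false positive is not researched twice) can be turned into a small triage filter. The following is an added example, not code from the thread or from any scanning vendor; the `Finding` shape, the sample findings, the `CVE-0000-...` identifiers and the dated false-positive register are all constructed placeholders.

```python
"""Intake filter for vendor PCI scan findings (added example, not from the thread).

Implements the posters' policy: keep only findings that carry a valid CVE ID,
drop duplicate (host, CVE) pairs, and match the rest against a register of
findings already explained away on an earlier scan.
"""
import re
from dataclasses import dataclass
from typing import Optional

# MITRE CVE identifier syntax: CVE-<4-digit year>-<4 or more digits>.
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


@dataclass(frozen=True)
class Finding:
    host: str
    title: str
    cve: str        # empty string when the vendor report gave no CVE
    severity: str   # "high", "medium" or "low" as reported by the vendor


def normalize_cve(raw: str) -> Optional[str]:
    """Return a canonical upper-case CVE ID, or None if the text is not a valid ID."""
    cve = raw.strip().upper()
    return cve if CVE_RE.match(cve) else None


def triage(findings, known_false_positives):
    """Sort scan findings into action items, previously explained items and rejects.

    known_false_positives maps a CVE ID to the dated note recorded when it was
    first explained away (the "false positive Y on date X" idea from post #2).
    """
    result = {"action": [], "explained": [], "rejected": []}
    seen = set()
    for f in findings:
        cve = normalize_cve(f.cve)
        if cve is None:
            # Policy: no CVE, no ticket; the item goes back to the vendor.
            result["rejected"].append((f.host, f.title, "no valid CVE ID"))
            continue
        key = (f.host, cve)
        if key in seen:
            continue  # reports often repeat one CVE once per port or service
        seen.add(key)
        if cve in known_false_positives:
            result["explained"].append((f.host, cve, known_false_positives[cve]))
        else:
            result["action"].append((f.host, cve, f.severity, f.title))
    # Highest severity first so the items that block "passing" are at the top.
    order = {"high": 0, "medium": 1, "low": 2}
    result["action"].sort(key=lambda item: order.get(item[2].lower(), 3))
    return result


# Constructed sample data; these are not real scan results or real CVE IDs.
SAMPLE_FINDINGS = [
    Finding("www.example.com", "Outdated web server banner", "cve-0000-00001", "high"),
    Finding("www.example.com", "Outdated web server banner", "CVE-0000-00001", "high"),
    Finding("www.example.com", "Weak TLS cipher offered", "CVE-0000-00002", "medium"),
    Finding("mail.example.com", "Generic banner disclosure", "", "low"),
    Finding("mail.example.com", "Malformed reference", "CVE-12-3", "high"),
    Finding("mail.example.com", "Old SMTP version string", "CVE-0000-00003", "high"),
]

# Constructed register of findings already explained away on an earlier scan.
KNOWN_FALSE_POSITIVES = {
    "CVE-0000-00001": "2009-03-12: fix backported by OS vendor; scanner matched version string only",
}

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_FINDINGS, KNOWN_FALSE_POSITIVES).items():
        print(bucket.upper())
        for item in items:
            print("  ", item)
```

The "explained" bucket is what makes the register pay off: once a version-string-only match has been documented with a date, every later report that cites the same CVE is answered by pointing at that note instead of repeating the research, and only the "action" bucket needs engineering time.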

  4. #4
    Yes, we pretty much do the same thing when a customer drops one of these "PCI security reports" on our desk.

    We ask the website owner to let us know exactly what changes they require, in point by point form. It's up to THEM to interpret the report, not us.

    Then we also offer our service at an hourly rate if they want to hire us to interpret the report and work with the security firm to figure out what is needed so the customer will pass their test.
    Want to sell domain names? Sign up today for a reseller account from a trusted eNom ETP provider.
    * We provide support and service to over 3245 happy eNom domain name and SSL certificate resellers!

  5. #5
    Join Date
    Jun 2009
    What is your relationship to the customer? Is it software that you have written that they are using? Or are you just hosting it?

  6. #6
    Join Date
    Apr 2001
    Montana USA
    I was talking about situations where we merely host the site.

    A report of a vulnerability in software we wrote for a customer would obviously require closer scrutiny.
    John Masterson
    Former Hosting Company Owner
