
Thread: PCI Compliance

  1. #1

    PCI Compliance

    I just found out that we need to have a pci compliance audit run. We are at level 4 the bottom of the list as we do very few transactions.

    Has anyone gone through this process? Can you recommend an auditor?

    What was the audit like?

    Thanks folks.
    "The future is here. It's just not evenly distributed."

  2. #2

    Re: PCI Compliance

    I use ControlScan for my company/web site. The process consisted mainly of subscribing to daily security/vulnerability scans of our web server, web site, and company network, as well as comprehensive questionnaires regarding the steps we take to secure our network. They also provided us with templates for internal security policies that we were able to modify and implement (another requirement). It takes a while to get the paperwork completed, and if you don't have a security plan in place already, you may have a lot of work to do to secure your site and network to ensure compliance, but most auditors will help you get up to spec.
    The best way to learn anything, is to question everything.

  3. #3

    Re: PCI Compliance

    Hi Netman,

    Have you heard of Configuresoft's ECM (Enterprise Configuration Manager)? Our Center for Policy & Compliance has created a complete toolkit for PCI-DSS that comes with ECM out of the box (we also have SOX, GLBA, HIPAA, FISMA, etc.).

    ECM will discover all servers and desktops touching your network (Win, Unix, Linux) and collect a baseline of all configuration settings, sw, hw, services, permissions, etc. Then, using the PCI template, ECM will compare all your machines to determine your state of compliance. Then you can use ECM to do full remediation, whether it means pushing out the latest hotfix, stopping a service or changing a security setting in bulk on all machines. Then you can have ECM alert you going forward of any machines drifting away from your standards.

    Let me know if you want to see a demo or you need more info. My email address is and my number is 719-687-1656 Thanks!!

  4. #4

    Re: PCI Compliance

    Our clients have been using Security Metrics, which is literally a pain in the a**.

    I don't know if it's just them or what, but we have pretty competent hosting administrators and they've been unable to get us a passing grade so far (on 2 servers).

  5. #5

    Re: PCI Compliance

    Chowell, I take it that it is your web server that is causing the failure, has your hosting company or the testing company given you any specifics on why you failed? Most of the PCI analysis that I tried (I did demo plans with a few companies before we selected ControlScan) involved quite similar steps - a "procedural audit" which consisted of a questionnaire about our current security practices, and a physical audit consisting of extensive daily or weekly vulnerability scans of our web server and the web-facing side of our company network. If you got through the procedural audit, the physical audit shouldn't give you any problems unless the hosting company is not adequately securing the servers, or a vulnerability exists in your web software.
    The best way to learn anything, is to question everything.

  6. #6

    Re: PCI Compliance

    We use Portsentry, which I think is going to cause problems, since a lot of ports appear to be open; but really they are looking for scans. Also, it shuts down the IP number from which the scan originated, which I think is not allowed.
    "The future is here. It's just not evenly distributed."

  7. #7

    Re: PCI Compliance

    My company uses Pegasus Technologies. These guys are top shelf, and really know their stuff.

    Pegasus Technologies

  8. #8

    Re: PCI Compliance

    PortSentry is an IDS, which is recommended and allowed under PCI. The requirement is that the IDS not block traffic from the auditor. The auditor must provide you with a list of IPs that their scans originate from, and you would enter these in your IDS. (For PortSentry, you should add them to the portsentry.ignore file, I believe.)
    The best way to learn anything, is to question everything.
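    As an added illustration of the point in the post above (this is not code from the thread or from PortSentry), the following script checks whether the scan-origin addresses an auditor supplies are already covered by a portsentry.ignore file and lists the entries still to be added. It assumes the file holds one host or network per line with '#' comments, and that the installed PortSentry accepts network entries in IP/prefix form; the ignore-file body and the auditor addresses below are constructed samples.

```python
import ipaddress

# Constructed sample portsentry.ignore body (not taken from a real system).
SAMPLE_IGNORE = """\
# Hosts and networks the sentry must never block
127.0.0.1
0.0.0.0
192.0.2.0/24
"""

# Constructed list of scan-origin addresses an auditor might hand over.
AUDITOR_SCANNERS = ["192.0.2.17", "198.51.100.5", "203.0.113.0/28"]


def parse_ignore(text):
    """Return the networks listed in an ignore-file body, skipping comments and blanks."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if line:
            # strict=False tolerates host bits set in a network entry
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def fmt(net):
    """Render a single host as a bare address, a network as IP/prefix."""
    if net.prefixlen == net.max_prefixlen:
        return str(net.network_address)
    return str(net)


def uncovered(auditor_entries, ignore_text):
    """Auditor hosts/networks not fully contained in any ignore-list entry."""
    nets = parse_ignore(ignore_text)
    missing = []
    for entry in auditor_entries:
        wanted = ipaddress.ip_network(entry, strict=False)
        same_family = (n for n in nets if n.version == wanted.version)
        if not any(wanted.subnet_of(n) for n in same_family):
            missing.append(fmt(wanted))
    return missing


if __name__ == "__main__":
    for line in uncovered(AUDITOR_SCANNERS, SAMPLE_IGNORE):
        print(line)  # append each printed line to portsentry.ignore, then restart the sentry
```

    Run it against the real ignore file's contents before the auditor's scan window; an empty result means none of their scanners will trip the auto-block.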

  9. #9

    Re: PCI Compliance

    Thanks wige, I've contacted ControlScan.
    dfenster, does Pegasus do audits? Saw nothing on their site showing it.

    Do these guys do internal audits, or are they just looking for Internet exposure?
    "The future is here. It's just not evenly distributed."

  10. #10

    Re: PCI Compliance

    dfenster, looking at Pegasus' web site, it looks like they offer vulnerability scans as one of their services; however, I do not see any indication on their site that they are licensed or approved by the PCI Security Standards Council, and obtaining quarterly scans by such an approved auditor is a requirement. I would contact them and make sure they are approved, and get a certificate number. The company name is not listed as approved.
    The best way to learn anything, is to question everything.