[Last Call] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 916
  • Last Modified:

Free PCI Compliance Scan

I need a free PCI compliance scan? Any suggestions?

Thanks!
0
s8web
Asked:
s8web
3 Solutions
 
Rich RumbleSecurity SamuraiCommented:
https://www.pcisecuritystandards.org/pdfs/pci_scanning_procedures_v1-1.pdf
As you can see, no one would do this for free, they have to scan you wireless, and they have to scan all your internal and external hosts. You should also note, that there is no absolute compliance in these types of scan's, you will always get a 1 or higher (1 and 2 are nearly the same) these scan's are also poorly defined, read that document it's abysmal.
Then you should call one or more of the 152 approved PCI ASV's found here:
https://www.pcisecuritystandards.org/approved_companies_providers/approved_scanning_vendors.php
Do not call anyone else.
Here is the standard: https://www.pcisecuritystandards.org/security_standards/documents.php?agreements=pcidss&assocation=PCI%20DSS
If your not storing or routing the credit card information, your not bound to PCI, if you have a "shopping cart" that is outsourced (like using pay-pal, google-checkout or others) then you don't have to be PCI compliant.
-rich
0
 
coreybryantCommented:
http://hackerguardian.com/ from Comodo offers a free one but remember, (as pointed out), most of them are trying to sell you something.

First, determine why you need to be PCI compliant, and level.  A lot of companies do not need to have an onsite inspection, they can complete the self-assessment questionnaire.  

Read version 2 though: http://pci-dss.mymerchantaccountblog.com/pci-dss-v2.pdf, Version 1 "expires" on 31 Dec 2011.
0
 
btanExec ConsultantCommented:
Free pco dss scan is actually quite avail with most security vendors and they meted if out as free trial. Importantly, it os the follow through and the ability to interpret what next frm the report generated. Suggest to also engage a qsa or forum of expert to better understand the llan of actions.

 http://www.pcicompliancesaq.com/Free_PCI_Scanning_is_it_Worth_it

 http://www.ncircle.com/index.php?s=products_pci-compliance
0
 
s8webAuthor Commented:
Thanks for the input. Overall I think that the PCI compliance process is a good thing. Someone should press developers and merchants to secure their stuff. The problem I have is that a fair amount of money and time has gone into this, and frankly; it doesn't cost someone much to run an automated penetration test on a site. Since compliance is required, there should be a no cost solution to developers that allows them to run an automated test to see if their application and environment is buttoned down before releasing the product to their customer or unleashing it on the world. The end user would benefit too. Waiting for the authority to come by and scan your stuff takes a few months. This creates a '0-day' scenario for both merchants and customers.
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now