HomeCalendarCertificationsColumnsFeaturesForumResourcesVitals
 
Image
 
linkedin_logo.png rss_logo.jpg
twitter_logo.png youtube_logo.jpg
Latest Additions
 
EH-Net Login
Welcome Guest.
Lost Password?
No account yet? Register
Who's Online
We have 39 guests online
 
Free Business and Tech Magazines and eBooks

You are here: Home arrow Ethical Hacking Discussions and Related Certificationsarrow Compliance, Regulations & Standardsarrow Approved Scanning Vendor - PCI
EH-Net
May 19, 2013, 06:43:46 AM *
Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
News: Go back to The Ethical Hacker Network Online Magazine Home Page
 
   Home   Help Calendar Login Register  
Pages: [1]   Go Down
« previous next »
  Print  
Author Topic: Approved Scanning Vendor - PCI  (Read 6322 times)
0 Members and 1 Guest are viewing this topic.
24772433
Newbie
*
Offline Offline

Posts: 33


View Profile
« on: January 13, 2013, 12:16:05 PM »
Is it possible for an individual to perform a PCI scan or does that person have to be a member of an approved company (ASV)? Can somebody qualified to conduct PCI scans do this on a freelance basis?

Thanks in advance!
Logged
3xban
Hero Member
*****
Offline Offline

Posts: 605


View Profile WWW
« Reply #1 on: January 13, 2013, 08:42:55 PM »
Check their site out for answers: https://www.pcisecuritystandards.org/approved_companies_providers/become_qsa.php

Based on the language there, I'd say you would need to be an employee of a vetted QSA firm.
Logged
Certs: GCWN
(@)Dewser
ziggy_567
Sr. Member
****
Offline Offline

Posts: 361


View Profile
« Reply #2 on: January 14, 2013, 10:20:29 AM »
External scan reports must be generated through an ASV company. An important distinction is that the person running the scan does not have to be an employee of the ASV company. You can manage your own scans through the ASV's portal. The report will contain a page that has the ASV number associated with the company that performed the scan. If you're ever audited or have to submit your report to your acquiring bank, the auditor/bank will be looking for that number on the report. Basically, you cannot scan your own perimeter with your own copy of Nessus, generate a report, and say you're compliant. It must be done by an ASV company.

Internal scan reports can be done by anyone knowledgeable in Vulnerability Scanning/Management. It should not be managed by a person responsible for maintaining the systems being scanned, though (separation of duties).

Hope that helps.
« Last Edit: January 14, 2013, 10:52:14 AM by ziggy_567 » Logged
--
Ziggy


eCPPT - GSEC - GCIH - GCUX - RHCE - SCSecA - Security+ - Network+
24772433
Newbie
*
Offline Offline

Posts: 33


View Profile
« Reply #3 on: January 14, 2013, 11:16:29 AM »
Thanks for the replies, guys. All very helpful.
Logged
ziggy_567
Sr. Member
****
Offline Offline

Posts: 361


View Profile
« Reply #4 on: January 14, 2013, 01:51:39 PM »
Also, after re-reading your original post, I see there might be some confusion on what an ASV is.

A company is certified as being an ASV. The "V" stands for vendor. There are not individual (person) ASVs. You can verify this by browsing the published list:

https://www.pcisecuritystandards.org/approved_companies_providers/approved_scanning_vendors.php#

Any person can use the ASV products of any of these companies to produce scan reports that will be accepted for a PCI QSA audit. It doesn't matter if you are an employee of an ASV, the company being scanned, or some other third-party.
Logged
--
Ziggy


eCPPT - GSEC - GCIH - GCUX - RHCE - SCSecA - Security+ - Network+
tturner
Sr. Member
****
Offline Offline

Posts: 432


View Profile WWW
« Reply #5 on: January 14, 2013, 04:31:49 PM »
Internal scans can be done by any "qualified" internal security person. PCI does not define what qualified means but I suspect the day will come when they start requiring internal folks to become ISA or PCIP. Your QSA determines whether this is being properly managed, not the council. Yes, much room for interpretation. Welcome to PCI.

External (internet facing) scans must be done by the ASV. The ASV MUST do the scanning but you will have access to the reports. The ASV will also handle documentation for exceptions. The ASV is responsible for the validity of that scan, and their license depends on its accuracy. The customer cannot manage that process but they can certainly work with their ASV for remediation consulting and providing documentation to support requested exceptions. What confuses people is you might have access to manage a hosted scanner in your ASV environment. It's not the same as the ASV console.

ASV certification IS awarded to qualified individuals but only if they work for an ASV company. See https://www.pcisecuritystandards.org/training/asv_training.php for more info
« Last Edit: January 14, 2013, 04:35:02 PM by tturner » Logged
Certifications:
CISSP, CISA, GPEN, GWAPT, GAWN, GCIA, GCIH, GSEC, OPSE, CSWAE, CSTP, VCP

WIP: OSWP, GSSP-JAVA, GXPN

Udacity on hold, again. I suck.

http://sentinel24.com/blog  @tonylturner http://bsidesorlando.org
Pages: [1]   Go Up
  Print  
« previous next »
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.18 | SMF © 2013, Simple Machines
Joomla Bridge by JoomlaHacks.com 		Valid XHTML 1.0! Valid CSS!
Page created in 0.095 seconds with 22 queries.
 
Exclusive Deal

sansfire13_245x90_cw90.jpg
SANSFIRE 2013
June 15 - 22

5% Off w/ Code: EHN_5

SANS Deals 4 EH-Netters
5% OFF Any SANS Course in Any Format!
Coupon Code: EHN_5 Including SANS Rocky Mountain 2013 & SANS Boston 2013
Polls
Compared to this year, 2013 will be:
 
Recent Forum Topics
EH-Net News Feeds
Latest Additions
 
         
Advertisement

© 2013 The Ethical Hacker Network
Joomla! is Free Software released under the GNU/GPL License.