Channel: Comments on: Vulnerability Scanning and Penetration Testing
Browsing all 45 articles
Browse latest View live

By: PCIGuru

Organizations using SAQ A have outsourced everything, so by definition they have no technology to be scanned. In the case of organizations using SAQ B, there are only credit card terminals provided by...

By: Akash

Dear PCIGuru, Hope you are doing fine. I need a small clarification from you. It is with regards to defining the scope for PCI. As per my understanding, there are four main things which we should...

By: PCIGuru

Be careful with your first point. You are correct as long as you include the statement that all of those have access to bulk, unencrypted cardholder data. For example, cashiers or call center personnel...

By: NRS

SAQ C does not require PEN testing – is that true?

By: PCIGuru

You are correct. SAQ C and SAQ C-VT were developed primarily in response to the concerns of the fast food industry. Remember, under SAQ C you are not allowed to be storing cardholder data on any of...

By: NRS

The reason why we have selected SAQ C is because we obtain and transmit cardholder data via web services. The card data never gets stored at rest. I see that as eCommerce. The primary web server where...

By: PCIGuru

That is not my decision. That decision can only be made by your acquiring bank. I think you have a reasonable case for doing the SAQ C, but that is just my opinion.

By: NRS

Hello again. We just completed our external vulnerability scan. The question is – do we need to remediate vulnerability rated as a PCI failure under Potential Vulnerabilities section?

By: PCIGuru

Yes, you have 30 days to remediate the failing vulnerabilities and then you must have your ASV perform a rescan proving that all of the failing vulnerabilities have been remediated. Since an amount of...

By: NRS

Hi! We use corporate desktops / laptops as a virtual terminal to process exception-based credit card data that we get over the phone. We have installed HIPS to logically separate them and to protect...

By: Gene Shapiro

Internal Vulnerability Scanning Requirements: I am new to PCI and looking at what needs to be done to implement it. I have read the PCI 2 requirements and I see the need to do internal vulnerability...

By: PCIGuru

Yes, internal vulnerability scanning is a vulnerability scan of the internal portion of the cardholder data environment (CDE). That would include infrastructure such as firewalls, routers, switches,...

By: Hunter

Hi, I have a query with regards to vulnerability scanning and penetration testing. How important is it to conduct PT if my scan results are clean? Where I’m coming from is, in my understanding,...

By: PCIGuru

“Clean” scanning results are all in the eye of the beholder. :) When you indicate you have a clean scan, do you have NO vulnerabilities identified (my definition of “clean”)? Or, do you have...

By: Bil

A penetration tester should do more than just take the results of a vulnerability scan and work with vulnerabilities identified on that. They should also do information gathering, and look at each of...

By: PCIGuru

Yes, there is more to penetration testing than just using the vulnerability scan. Any good security testing methodology will require information gathering throughout the process whether it is...

By: Swamy

PCIGuru, we had our environment on Amazon assessed by a PCI partner. What I would like to know is they had found a bunch of vulns that are categorized as NON PCI low vuln… Do we need to resolve them to...

By: PCIGuru

Vulnerabilities with a CVSS score of 4 or greater need to be patched within 30 days. Other vulnerabilities need to be patched, but there is time frame specified by the PCI DSS. That said, depending on...

By: Ernie

It has been suggested by our previous QSA that even though we do not have an internet facing presence, our hardware needs to have an internal vulnerability scan performed. So I’ve done that and now...

By: PCIGuru

Requirement 6.2 specifically calls out that CVSS scores of 4.0 or greater or a vendor patch rated as “critical” must be addressed within 30 days. Vulnerabilities with a CVSS below 4.0 cannot create a fail...
