Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

netVigilance's Ten Actions Merchants Must Immediately Take To Avoid PCI Failure


Published on

netVigilance, the only vulnerability assessment and PCI Approved Scanning Vendor (ASV) vendor that goes Beyond Compliance to detect up to 97% of all common vulnerabilities, today issued an urgent bulletin warning all merchants and retailers subject to PCI-DSS Compliance that new PCI regulations significantly increase their chances of PCI failure during mandatory quarterly external vulnerability scans, unless the merchants take corrective actions.

The need for this bulletin arose because on March 15, 2010, the PCI Security Standards Council’s (PSI SSC) released “ASV Program Guide v1.0,” which tightens and changes existing rules governing both customers requiring PCI scans and the Approved Scanning Vendors (ASVs) who perform those scans. netVigilance also calls attention to the fact that, despite being numbered as v1.0, the new ASV Program Guide governs PCI v1.2 and supersedes the Technical and Operation Requirements for ASVs v1.1 and Security Scanning Procedures v1.1.

Full press release at:

Published in: Technology
  • Be the first to comment

  • Be the first to like this

netVigilance's Ten Actions Merchants Must Immediately Take To Avoid PCI Failure

  1. 1. Ten Actions Merchants Must Take Immediately To Avoid PCI Failure The Impact of the New PCI Compliance Rules Issued on March 15, 2010 Start
  2. 2. 1. Identify & verify out-of-scope components <ul><li>New discovery rules make formerly out-of-scope components in-scope </li></ul><ul><li>Identify & verify before quarterly scan fails </li></ul><ul><li>Examples: </li></ul><ul><ul><li>Spam filters </li></ul></ul><ul><ul><li>Mail servers </li></ul></ul><ul><ul><li>Web servers that don’t process credit cards </li></ul></ul>
  3. 3. 2. Prove your ISP complies with PCI <ul><li>Your ISP can pass by itself; or </li></ul><ul><li>You need their permission to scan them </li></ul><ul><li>Otherwise, get a new ISP </li></ul><ul><li>Ultimately, the responsibility is yours, not your ISP’s </li></ul>
  4. 4. 3. Take all secure database servers off the Internet and place them behind a firewall <ul><li>If any secure database server remains publicly accessible, you will automatically fail PCI </li></ul>
  5. 5. 4. Scan your website for HTTP response splitting/header injection <ul><li>Be prepared to remediate all problems found </li></ul>
  6. 6. 5. Verify that your DNS server prohibits zone transfers <ul><li>Zone transfers allow unaffiliated, unapproved third parties to see and obtain all the servers comprising your domain </li></ul><ul><li>If someone else hosts your domain, you are still responsible </li></ul><ul><li>Consequence of allowed zone transfers is automatic PCI failure </li></ul>
  7. 7. 6. Ensure your ASV uses a PCI-qualified Professional Security Engineer to review each and every scan <ul><li>ASVs often use fully automated processes </li></ul><ul><li>These automated processes are never acceptable under the new rules </li></ul><ul><li>To pass PCI you must use an ASV that adheres to the new rules </li></ul>
  8. 8. 7. Turn off SSL v2 <ul><li>SSL v2 is considered insecure (weak) </li></ul><ul><li>Ensure that servers are using TLS v1.0 or newer </li></ul><ul><li>Turn off backwards compatibility with the weaker SSL v2 is turned off </li></ul><ul><li>Use a qualified ASV to verify and remediate </li></ul>
  9. 9. 8. Remove all non-critical uses of all remote access software <ul><li>Examples: </li></ul><ul><ul><li>pcAnywhere </li></ul></ul><ul><ul><li>VNC </li></ul></ul><ul><ul><li>RDP </li></ul></ul><ul><ul><li>Even VPN </li></ul></ul><ul><li>For critical uses: </li></ul><ul><ul><li>Ensure strong authentication </li></ul></ul>
  10. 10. 9. Move all POS (Point-of-Sale) systems behind the firewall <ul><li>ASVs that discover POS systems are now required to pay special attention to them </li></ul>
  11. 11. 10. Named employees must sign and attest to their company’s responsibility <ul><li>Attestation concerns proper scoping of the external scan </li></ul><ul><li>Attestation can no longer be anonymous </li></ul>
  12. 12. netVigilance Key Advantages <ul><li>Beyond Compliance™ Compliance is simply not enough. It is a minimum, rather than a maximum standard. Only netVigilance detects up to 97% of all common vulnerabilities, far more than competitors. </li></ul><ul><li>Labor- and Time-Saving Reports Our reports provide a wealth of specific detail on precisely how to remediate the vulnerabilities we detect. Instead of spending time researching a fix, engineers and support personnel spend their time making the fix. </li></ul>
  13. 13. For More Information <ul><li>netVigilance, Inc. 14525 SW Millikan #34423 Beaverton, OR, USA 97005-2343 (+1) 503-524-5758 </li></ul><ul><li>PR & Analyst Contact: Steven Mason </li></ul><ul><ul><li>[email_address] </li></ul></ul><ul><ul><li>(+1) 650-776-7968 </li></ul></ul>