My company used a service from Qualys called "QualysGuard PCI" and it did a good job of identifying vulnerabilities with our hosting environment. I don't think application vulnerability (penetration testing) was covered.
It wasn't cheap. The cost was $795/year, which allowed us to use their service to scan up to nine unique IP addresses concurrently. More concurrent IPs cost more money, but you are allowed to swap out IPs without too much hassle.
Like many application service providers, Qualys does not advertise prices on their website for their numerous and confusing product lines. You have to fill out a contact form and then talk to a salesperson. Fortunately, mine was helpful and not too pushy. Still, it's irritating (to me) when companies use price-hiding as a sales tactic.
In my opinion, PCI compliance has become something of a racket. Instead of solving security issues with technical innovation, the payment card industry formed a council and shifted the problem to their customers. Then a lucrative cottage industry of QSAs, PA-QSAs, ASVs, and ISAs (all PITAs) sprang up. It's expensive and burdensome, especially for smaller operations. I look forward to when transactions are authenticated better by the providers.
Anyhow. Good luck, Steve!
Jason
Hi,
I've been asked to provide a PCI scan report for several websites and could use a recommendation for a PCI scanning product, preferably at a reasonable cost. I have found some "free" ones, but I thought I'd ask the list what you use, if anything.
Also, feel free to share any opinions on PCI scans you may have.
Thanks,
Steve
---------------------------------------------------------------------
To unsubscribe, e-mail: talk-unsubscribe-4zcLI8jJc/***@public.gmane.org
Please read and follow the list guidelines:
http://www.tcphp.org/mailing_list/guidelines
The tcphp.org mailing list is sponsored by pajunas interactive, inc.