http://blog.clearnetsec.com/articles/tag/visa en-us 40 Today I was talking with a colleague from a partner company about the PCI certification - I think he's up for recertification. <p> </p> The interesting thing is he was talking to a Qualys representative recently whom, affably speaking, offered tips on how to tune the Qualys scans based on new modifications made at Mastercard's test lab. The representative also said he could review the report Qualys automatically builds. My colleague exclaimed to me "It sounded like they already have the answers". <p> </p> Of course they do. Qualys pays PCI to verify their ability to discover what PCI wants them to discover. People pay and use Qualys so they can become PCI certified. Anybody willing to click "start scan" has the ability to be an Approved Scanning Vendor. <p> </p> <p> What's my problem with all this? For one, the certification process is rotten: </p> <p> <a href="http://blog.clearnetsec.com/articles/2007/05/16/pci-not-our-problem">http://blog.clearnetsec.com/articles/2007/05/16/pci-not-our-problem</a>. <br /> <a href="http://blog.clearnetsec.com/articles/2007/05/04/pci-misleading-racket">http://blog.clearnetsec.com/articles/2007/05/04/pci-misleading-racket</a> </p> <p> On top of that, it's costly and does little to vet engineers claiming competency. Its design is to weed out small security firms, which is probably why it fires me up in the first place and turns me into a cynical punk all day. </p> Tue, 06 Nov 2007 18:31:00 -0700 urn:uuid:db90642f-e6cc-4c61-9e9a-07ae12d31f9e tate@ClearNetSec.com (Tate Hansen) http://blog.clearnetsec.com/articles/2007/11/06/another-tidbit-on-pci Certification ClearNet ClearNet Security Tate Hansen PCI ASV visa <p> What happens when the test environment operated by MasterCard (they “own” the testing lab) is misbehaving? I know. They yank the wheel, swerve away from responsibility, and point to the PCI council. And PCI? They point back. Beautiful, no? </p> <img src="http://blog.clearnetsec.com/files/GiveMeTheCash.jpg" align="right"> <p> You see because they refuse to disclose missed results to you they duck responsibility for anything that may have been their fault. They also <b><i>clearly imply</i></b> if anything is missed in your attempts to identify vulnerabilities then it is surely <b><i>your fault or a problem with the tools you used</i></b>. </p> <p> I love it: No clear pass criteria, no way to challenge a decision, and no transparency of what or how <b><i>they are doing</i></b>. For all this great service you get to spend thousands every year! </p> <p> So what happens when you call bullshit and raise hell? They pass you. :) Let me not forget to mention we had a few extra bullets in our clip they may have unexpected us to have – bullets provided to us by friends with information. </p> <p> Be forewarned; this process has serious issues. </p> Wed, 16 May 2007 20:51:00 -0600 urn:uuid:4600bd3d-a833-44f1-8677-0ca85d8ea44a tate@ClearNetSec.com (Tate Hansen) http://blog.clearnetsec.com/articles/2007/05/16/pci-not-our-problem scanning security ClearNet ClearNet Security Tate Hansen vulnerability PCI ASV visa cisp mastercard testing