Nessus audit files and UK petitions to make PCI law
July 11th, 2007 by admin Posted in Compliance, Europe, Government, Legislation
The week has been quiet as people work vigorously on their PCI compliance projects. Here are a few things that might help you along.
Tenable Network Security, the company that brought you Nessus, has “produced two Nessus PCI configuration .audit files for both the Windows and Linux operating systems. These configuration checks are derived from specific recommendations and audit requirements based on the PCI 1.1 standard.”
Check their blog for the audit files; they also have a video online showing how to install and run them. One caveat: .audit files are configuration-compliance checks (is a given setting present and set to the expected value?) rather than the vulnerability scans that requirement 11.2 calls for, so they map more naturally to requirement 2.2, system configuration standards. Running them alongside your internal scans is still a sensible way to cover both.
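To make concrete what a configuration-compliance check does, here is an added example written for this post; it is not one of Tenable's .audit files and not Nessus syntax, just a POSIX shell equivalent of the kind of file-content check those files contain. It reads a settings file of the `Key value` form used by sshd_config, ignores commented-out lines, takes the first uncommented occurrence (which is how sshd resolves duplicates), and treats a missing key as a failure because the daemon's built-in default then applies. The two sample configs are constructed inline; the expected values (root login off, protocol 2, password authentication off) are illustrative hardening settings chosen for the example, not taken from the PCI text.

```shell
#!/bin/sh
# Added example: a minimal PCI-style configuration check in POSIX sh.
# Not Tenable's .audit format; it mirrors what a file-content check does.

# check_setting FILE KEY PATTERN
# Returns 0 when the effective value of KEY matches PATTERN (extended regex,
# case-insensitive), 1 otherwise. A missing or commented-out key is a FAIL,
# because the daemon default is then in force and may be the insecure one.
check_setting() {
    file="$1"; key="$2"; pattern="$3"
    value=$(awk -v k="$key" '
        /^[[:space:]]*#/ { next }                        # skip comment lines
        tolower($1) == tolower(k) { print $2; exit }     # first occurrence wins (sshd semantics)
    ' "$file")
    if [ -z "$value" ]; then
        echo "FAIL $key: not set (daemon default applies)"
        return 1
    fi
    if printf '%s\n' "$value" | grep -Eiq "^($pattern)$"; then
        echo "PASS $key = $value"
        return 0
    fi
    echo "FAIL $key = $value (expected $pattern)"
    return 1
}

# run_ssh_checks FILE
# Runs a small set of checks against an sshd_config-style file and returns
# the number of failed checks (0 means every check passed).
run_ssh_checks() {
    fails=0
    check_setting "$1" PermitRootLogin        'no' || fails=$((fails + 1))
    check_setting "$1" Protocol               '2'  || fails=$((fails + 1))
    check_setting "$1" PasswordAuthentication 'no' || fails=$((fails + 1))
    return $fails
}

# Constructed sample configs (not copied from any real host).
good_cfg=$(mktemp); bad_cfg=$(mktemp)
trap 'rm -f "$good_cfg" "$bad_cfg"' EXIT
cat > "$good_cfg" <<'EOF'
# PermitRootLogin yes      <- commented out, must be ignored
PermitRootLogin no
Protocol 2
PasswordAuthentication no
EOF
cat > "$bad_cfg" <<'EOF'
PermitRootLogin yes
# Protocol 2               <- commented out, so the default applies: FAIL
EOF

for cfg in "$good_cfg" "$bad_cfg"; do
    echo "== $cfg"
    run_ssh_checks "$cfg" && echo "   all checks passed" || echo "   $? check(s) failed"
done
```

The point of the "missing key is a failure" rule is the one that trips up hand-rolled audits: grepping for `PermitRootLogin yes` and finding nothing is not evidence of compliance, because an absent directive means the compiled-in default, and that is exactly what a configuration-standard check has to catch.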
I don’t know anything about this, but I came across a petition from Mark at port7. Apparently he has set up “a petition to the Prime Minister [in the UK] to make the PCI: DSS standards a legal requirement.”
What are your thoughts on making PCI DSS a law? We have talked about this before.
6 Responses to “Nessus audit files and UK petitions to make PCI law”
By Mark Johnson on Jul 11, 2007
Hi Mark here, author of the petition. I just thought it was needed. I am an IT Contractor here in the UK working on a PCI Compliance project for a retailer.
I know various PCI projects are struggling with company execs because they feel that PCI has no ‘teeth’ to make us do the work. And so if it was law, then that would be the ‘teeth’ needed.
Thanks for the link anyway, hope you all sign it!
By DAG on Jul 12, 2007
I’m not saying that there should not be a law, but making someone else’s regulation into law can be a dangerous path to tread.
Careful thought needs to be applied. Consider what happens when:
- the regulation on which your law depends changes? (i.e. A law based on changing PCI based on changing OWASP.)
- one or more regulation requirements violate other laws? (ISO 17799 had jurisdictional issues)
And if you roll your own variant, how do you also avoid creating different branches and ultimately making compliance even harder?
Perhaps there should be a law requiring more transparency around PCI compliance reporting and metrics? Such a law would stay out of the gory details and show how well each brand’s merchants and service providers are doing.
By Sherman Hand on Aug 3, 2007
The only problem with these files is that you have to be one of the “paid” Nessus users to get it.
It would be nice for everyone to have access to it.
By Michael Dahn on Aug 3, 2007
@Sherman, true this is for people who pay, but isn’t that the case for many companies? They have to support themselves and get paid just like you do.
By Sherman Hand on Apr 9, 2008
Don’t misunderstand me, I have no issue paying for things. I just really hate to see things from the open source world go this route. Also, having been in small organizations where there was little to no budget, it would be nice if you could get it free.
By Clement Dupuis on Apr 24, 2009
Nessus used to be free and the community NEVER supported them, like many people today don’t properly support other open source projects.
Over a period of many years they had only a few contributions. This is why they went the commercial route.
Most people are leechers who never contribute anything back.
Their license is not that expensive compared to other, less mature tools. If you are a serious company or tester you buy it.
Best regards
Clement