I have found that there are several website owners and hosting companies that are either misinformed or a little confused about the differences between PCI Scanning, Vulnerability Scanning, and a Penetration Test. Because PCI scanning is required for websites to be compliant with the Payment Card Industry (PCI), it’s important that those responsible for PCI compliance understand the differences. Acunetix Vulnerability Scanners will help.
To quote from the book “Achieving PCI Compliance”, page 245: “A Vulnerability Scan is a simple test that looks for and reports on any vulnerabilities found within your network infrastructure. That is the extent of a vulnerability scan: Identification and reporting.”
When dealing with string inputs it may be necessary on some occasions to allow the use of specific meta-characters. As an example, the tick (apostrophe) should be allowed in the surname field so that names such as O’Conner are accepted. In this case it would be advisable to accept the name and replace the apostrophe with two apostrophes before running it through the query or entering it in the database.
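The following is an added example, not code from the original article, showing the apostrophe-doubling the paragraph describes next to a parameterised insert, which is the approach a practitioner would normally prefer because the driver keeps the value out of the statement text altogether. It assumes an SQLite table named customers and uses a few constructed surnames; it also shows the failure mode the escaping prevents, namely that pasting O’Conner into a quoted literal unescaped makes the statement invalid.

```python
import sqlite3

# Constructed sample surnames (not from the original page) that legitimately
# contain an apostrophe and must be accepted by the surname field.
SAMPLE_SURNAMES = ["O'Conner", "D'Angelo"]


def double_apostrophes(value: str) -> str:
    """Escape a value for use inside a single-quoted SQL literal by doubling
    each apostrophe, as the text describes. Only needed when a literal is
    built by hand; parameterised queries (insert_by_parameter) need no escaping."""
    return value.replace("'", "''")


def build_schema(conn: sqlite3.Connection) -> None:
    # Hypothetical table; only the surname column matters for this example.
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, surname TEXT NOT NULL)")


def insert_by_escaping(conn: sqlite3.Connection, surname: str) -> None:
    # Literal assembled by hand: the doubled apostrophe keeps the whole name
    # inside the quoted literal instead of terminating it early.
    sql = f"INSERT INTO customers (surname) VALUES ('{double_apostrophes(surname)}')"
    conn.execute(sql)


def insert_by_parameter(conn: sqlite3.Connection, surname: str) -> None:
    # The driver sends the value separately from the statement text, so an
    # apostrophe in the data can never be read as SQL syntax.
    conn.execute("INSERT INTO customers (surname) VALUES (?)", (surname,))


def stored_surnames(conn: sqlite3.Connection) -> list[str]:
    return [row[0] for row in conn.execute("SELECT surname FROM customers ORDER BY id")]


def demo(insert_func) -> list[str]:
    """Insert the sample surnames with the given strategy and return what was stored."""
    conn = sqlite3.connect(":memory:")
    build_schema(conn)
    for surname in SAMPLE_SURNAMES:
        insert_func(conn, surname)
    result = stored_surnames(conn)
    conn.close()
    return result


def naive_insert_breaks(surname: str) -> bool:
    """Failure mode the escaping prevents: pasting the raw value into a literal
    lets the apostrophe end the literal, and SQLite rejects the statement."""
    conn = sqlite3.connect(":memory:")
    build_schema(conn)
    try:
        conn.execute(f"INSERT INTO customers (surname) VALUES ('{surname}')")
        return False
    except sqlite3.OperationalError:
        return True
    finally:
        conn.close()


if __name__ == "__main__":
    print("escaped   :", demo(insert_by_escaping))
    print("parameter :", demo(insert_by_parameter))
    print("naive insert of O'Conner fails:", naive_insert_breaks("O'Conner"))
```

Both strategies store the names intact; the difference is that the parameterised form does not depend on every code path remembering to call the escaping helper, which is why it is the safer default for a surname field that must accept apostrophes.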
Changing Trends in What Motivates Hackers

According to Zone-H, the top 50 attackers defaced a total of approximately 2.5 million websites all over the globe. According to the CSI/FBI Computer Crime and Security Survey 2005, one of the most dramatic findings was the exponential increase in website defacement experienced by their respondents: in 2004, 5% of the respondents experienced defacement, while in 2005 that figure went up to 95%.
The Payment Card Industry requires that scans be performed by an Approved Scanning Vendor (ASV). These vendors perform the vulnerability scans, penetration tests, and PCI scans. Many online security sites offer PCI scanning as a service to their customers. Often, these companies have an ASV partner who does the actual scanning and who sends the compliance reports. To increase the value of their service, many of these security sites offer seals – small images – that are displayed on the websites that they scan through their ASV partner.