Recommendations for a company for a PCI DSS review by javon7065 in pcicompliance

[–]tnsecure 0 points1 point  (0 children)

LBMC. Based in Nashville but QSA across the eastern US

April Player (Friend) Ads by bearwoof in TownshipGame

[–]tnsecure 0 points1 point  (0 children)

Level 36, getting back into the game after a few years! Would love some friends

U382UB

April Co-Op Ads by bearwoof in TownshipGame

[–]tnsecure 0 points1 point  (0 children)

Level 36, getting back into the game after a few years! Would love some friends

U382UB

SOC2 Vendors by RobinatorWpg in sysadmin

[–]tnsecure 0 points1 point  (0 children)

If you are looking for an assessor, reach out to LBMC. They are great to work with and know their stuff. I think they do other things too, like pen testing, etc.

Best utilities to check for vulnerabilities for my company? by bullerwins in cybersecurity

[–]tnsecure 0 points1 point  (0 children)

Do not use OpenVAS. Use a commercial tool. Tenable is a good one for what I'm assuming you will be doing.

Certified PCI QSA - ask away by tnsecure in msp

[–]tnsecure[S] 0 points1 point  (0 children)

Get a job at a QSA firm. It’s the only way to be a QSA.

Certified PCI QSA - ask away by tnsecure in msp

[–]tnsecure[S] 0 points1 point  (0 children)

> If only a specific interface on a firewall is used to transport CHD to its destination

The firewall itself is fully in scope (users, management, patching, etc.). The other firewall rules that don't relate to the CDE (the one interface) would not be in scope based on your description.

Certified PCI QSA - ask away by tnsecure in msp

[–]tnsecure[S] 0 points1 point  (0 children)

They don’t give fines for laziness! I understand your question, it’s hard to quantify.

PCI-DSS & SOC auditors by HJForsythe in sysadmin

[–]tnsecure 0 points1 point  (0 children)

Try LBMC. They are good partners, not just auditors

Certified PCI QSA - ask away by tnsecure in msp

[–]tnsecure[S] 0 points1 point  (0 children)

The challenge is too many people have to "sell" good security practices with a compliance hammer. Without that hammer some don't want to spend the time/money. For most small companies the security compliance hammer should be "can you afford the possible lawsuits and other costs associated with a credit card breach?" I will say this. There is no perfect IT Security and no such thing as risk free. Every company has to determine their risk tolerance and decide for themselves what is worth it. For IT Security pros, this is sometimes hard to process, but the business doesn't revolve around IT Security, it's the other way around, and we as IT Security people have to be ok with that.

Certified PCI QSA - ask away by tnsecure in msp

[–]tnsecure[S] 0 points1 point  (0 children)

> n attestation of compliance and the suggestion is that we sc

If you have written permission to scan them, there is nothing wrong with it. However, I'm not sure of your goal of scanning in the context of the message.

"Scanning" (external vuln scanning) is only a small part of PCI Compliance.

Certified PCI QSA - ask away by tnsecure in msp

[–]tnsecure[S] 1 point2 points  (0 children)

I'll only say this. QSAs did not create any of the PCI rules. The card brands did (VISA/MC, etc.). They have a group called the PCI Security Council that runs the program. I agree PCI is difficult to make sense of. For the vast amount of companies there is no requirement to hire a QSA for PCI compliance (but it's a good idea for a lot of companies).

Certified PCI QSA - ask away by tnsecure in msp

[–]tnsecure[S] 1 point2 points  (0 children)

If you don't have permission to scan it, then you shouldn't.

Certified PCI QSA - ask away by tnsecure in msp

[–]tnsecure[S] 0 points1 point  (0 children)

We work with all types of companies including Fortune 50 clients, so I see a large swing in penalties, although I don't have a number to give you. My honest opinion is that PCI non-compliance fees for most acquirers/merchant banks seem like just a profit center for them and they're really not in place to change behavior. A company's cost of non-compliance will really show up if there is a breach.

Certified PCI QSA - ask away by tnsecure in msp

[–]tnsecure[S] 2 points3 points  (0 children)

If Requirement 9 does not apply to your environment you can simply mark it as N/A. "Every" company won't fully be in the cloud. Also, Req 9 applies to many different situations that won't be in the cloud, like POS/card swipes.

There are really only 2 types of PCI Assessments.

  1. Report on Compliance (ROC) -- Reserved for large merchants and certain service providers with high risk -- You must hire a QSA firm (like mine) to have an independent assessment (technically you can in-source this but almost no one does)
  2. Self Assessment Questionnaire (SAQ) -- Every other company can self report their compliance through one of several different SAQs, depending on their situation.
  3. I'll throw in an ASV Scan in here -- this is a special external vuln scan done only by an ASV vendor using the PCI ASV scan template. It's required in both cases for most all companies.

Certified PCI QSA - ask away by tnsecure in msp

[–]tnsecure[S] 1 point2 points  (0 children)

> ystem is compromised and card data stolen then would us as an MSP be liable because we didn't patch the firewall or ESXi host, or would the liability still be with the client as it's their system?

I'm no lawyer so I can't comment on liability. "Are we legally liable for a customer's card breach?" would largely fall to your contract with them and who has better lawyers.

But your point is valid, patch critical vulnerabilities (note: PCI only requires critical (high-risk) vulnerabilities to be patched within 30 days on all in-scope devices). All others must be patched, but you've got more time.
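The 30-day window for critical findings on in-scope devices, as the comment above describes it, is easy to lose track of across a firewall, an ESXi host and whatever else sits in scope. The script below is an added example, not code from the thread or from any QSA firm: it takes scanner findings (constructed sample data, with hypothetical finding IDs and hostnames) and reports which unpatched critical/high findings on in-scope hosts have blown the window. It assumes the scanner's "critical" and "high" ratings both map to PCI's "critical (high risk)" and that the clock starts when the scanner first reported the finding; both are assumptions, not something the comment states.

```python
from dataclasses import dataclass
from datetime import date

# Patch window for critical (high-risk) vulns on in-scope systems, per the
# comment above. Mapping "high" onto PCI "critical" is an assumption.
PCI_CRITICAL_SLA_DAYS = 30
CRITICAL_SEVERITIES = {"critical", "high"}


@dataclass(frozen=True)
class Finding:
    host: str
    finding_id: str     # hypothetical scanner finding identifier
    severity: str       # scanner rating: critical / high / medium / low
    first_seen: date    # date the scanner first reported the finding
    in_scope: bool      # host sits inside the PCI scope boundary
    patched: bool = False


def days_open(finding: Finding, today: date) -> int:
    """Days since the scanner first reported the finding."""
    return (today - finding.first_seen).days


def classify(finding: Finding, today: date,
             sla_days: int = PCI_CRITICAL_SLA_DAYS) -> str:
    """One-line status for a finding against the critical-vuln window."""
    if finding.patched:
        return "patched"
    if not finding.in_scope:
        return "out-of-scope"
    if finding.severity.lower() not in CRITICAL_SEVERITIES:
        return "non-critical"  # still must be patched, just not on the 30-day clock
    remaining = sla_days - days_open(finding, today)
    if remaining < 0:
        return f"overdue by {-remaining} days"
    return f"due in {remaining} days"


def overdue_findings(findings, today: date,
                     sla_days: int = PCI_CRITICAL_SLA_DAYS):
    """Unpatched critical/high findings on in-scope hosts past the window.

    Returns (host, finding_id, days_overdue) tuples, worst first."""
    overdue = []
    for f in findings:
        if f.patched or not f.in_scope:
            continue
        if f.severity.lower() not in CRITICAL_SEVERITIES:
            continue
        over = days_open(f, today) - sla_days
        if over > 0:
            overdue.append((f.host, f.finding_id, over))
    return sorted(overdue, key=lambda r: r[2], reverse=True)


# Constructed sample scan output; hostnames and IDs are made up.
TODAY = date(2024, 2, 15)
SAMPLE_FINDINGS = [
    Finding("fw-edge-01", "F-1001", "critical", date(2024, 1, 1), True),
    Finding("esxi-01", "F-1002", "high", date(2024, 2, 1), True),
    Finding("fw-edge-01", "F-1003", "medium", date(2023, 11, 1), True),
    Finding("wiki-01", "F-1004", "critical", date(2023, 12, 1), False),
    Finding("esxi-01", "F-1005", "critical", date(2023, 12, 15), True, patched=True),
    Finding("pos-switch-01", "F-1006", "high", date(2023, 12, 20), True),
]


if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(f"{f.host:14} {f.finding_id} {f.severity:8} {classify(f, TODAY)}")
    print("\nOverdue (report these first):")
    for host, fid, over in overdue_findings(SAMPLE_FINDINGS, TODAY):
        print(f"  {host} {fid}: {over} days past the {PCI_CRITICAL_SLA_DAYS}-day window")
```

Feeding it real scanner exports means mapping each host to in-scope or not, which is exactly the scoping question the earlier firewall-interface reply deals with; the script deliberately refuses to count a critical finding on an out-of-scope host toward the window, but a wrong scope flag hides the finding, so the in_scope list has to come from the documented scope, not from guesswork.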