Comments on Jeremiah Grossman: PCI enforcement is about money

Anonymous (2007-03-26T19:04:00-07:00):

In your SC article you mentioned "Up until 2006, validation of PCI-DSS compliance only required quarterly network vulnerability scanning, a service supplied by approximately 100 certified vendors."

This is not the case. In fact, Level 1 merchants were required to have a vulnerability scan and on-site assessment as far back as 2004. What a merchant requires is based on their Level designation, which is defined by their acquirer or card association.

Jeremiah Grossman (2007-03-26T22:07:00-07:00):

Hey Mike, actually that's not how I meant that to read, but I can see how it would be confusing. I meant prior to 2006, they only had to scan for "network" layer vulnerabilities. Later, PCI included the need to scan "custom web applications" for things listed on the OWASP Top Ten.

Your remaining statements are my understanding as well.