As part of our PCI Compliance Project, we are working with different scanning vendors to test who has the most user friendly, cost-effective and reliable services. We’ve finalized our list and will start scanning soon. Just wanted to share some initial impressions of the sign-up process with the vendors.
If you search in Google for PCI scan, you will turn up many scanning services and there must be at least 50-60 on the PCI site’s ASV list. So the first thing for us was to whittle down the choices.
Our initial screening criteria included:
- Well Known Brand/Company
- Pricing Publicly Available on Website
- Global Scope
- Must be on AVS List
- Clear Product Descriptions
Using these criteria, we select four vendors:
ScanAlert and HackerGuardian both have larger companies behind them. This was important as PCI scans are ongoing. You don’t want to learn how the vendor’s processes work only to find them out of business in a year. If you go through the AVS list, there are several dead links. SecurityMetrics and ControlScan are market leaders. I think Yahoo! Stores has a deal with SecurityMetrics which means they will always have a good client base. ControlScan has been around for a number of years. So if you go with any of these four companies, you can reasonably expect them to be around in a couple of years.
Signing up with each vendor had its own process. Where possible, we used a free audit option, so the free sign-up may be a little different than a paid sign-up.
Sign up was completed within 24 hours and we had our account for scanning. They have a strong sales-oriented process. I suspect this was due in part to our use of their free trial and also potential partnership opportunities. We’ve had several calls in one week from sales and technical. This may be good if you have a lot of questions about PCI scanning, but for us it was somewhat annoying. The did automatically run our first audit for us. This could be a plus if you want to get started quickly.
Probably the easiest to get started. We just had to call in to verify the IP we were scanning to activate the account. There was some confusion as we had entered an IP and not a domain name, but otherwise they sorted it out. Took about 2 business days to complete the enrollment and verification process. Once the sign-up was completed, you can easily run the scan online. Our scan was done on-demand and we are awaiting the results.
Cumbersome sign-up process. I think they are using the same provisioning process that they use for some of the SSL certificates. As a result, we had to send in verification documents by uploading them to their helpdesk (you can also fax them). Once verification was completed, we received an email saying our certificate order was complete — funny as we did not order a cert. This could just be new product issues but their price point of $79 may be worth a few one-time headaches. My account is now ready and we’ve requested the first scan.
They do not offer free scans by default. So we are trying to arrange one. We’ve yet to hear from them despite a couple of requests. I emailed them again today and may need to call. We’ve used them for a number of years, but lately I found email-based support to be lacking. Phone support is often much better.
For the first three vendors, I have started the initial audit. The first pass is just on a plain CentOS 5 server with a default server installation and Plesk 8.3 installed. I hope to get a chance to look over the results in the next few days.