Are you looking to provide assurance that your organization is compliant with the PCI/DSS standard regardless of what your ASV or QSA says? Take a look at this useful toolkit for performing self-assessments!

Several of our clients are required to be PCI compliant. The truly frightening thing is that several of these customers have successfully passed the audit requirements conducted by a designated QSA or ASV yet even a cursory look reveals that their systems and environment are clearly non-compliant!

These customers have been left with a false sense of security and, in the end, will be holding the bag when it comes to a damaged reputation and perhaps liability if a compromise of PCI data is compromised. What can be done, and what can a QSA do to improve his practice?

From before the time that the original VISA Digital Dozen was shown to us while still in draft form we have had the tools in place to perform the requisite testing. In fact, the original drafters of the Digital Dozen actually attended one of our courses! The influence of the course, especially in the area of firewall configuration and security, is quite clear.

To assist in creating a technically repeatable and accurate test for the major technical requirements in the standard we have made available a suite of scripts that can be used in combination with Nmap, Nemesis, Nessus and OpenSSL to automatically score most of the technical controls required by PCI. The tools are available as a free download at the bottom of this page.

You are welcome to use these scripts at no charge. If you’re looking for a way to really learn what the requirements are, how to implement them and how to effectively use these and other tools for self-assessment we strongly recommend that you have a look at the SANS Institute course that we wrote for this purpose. You may also be interested in our course for Web Application Developers to satisfy the PCI requirement for “evidence of a training program” for techniques in secure coding.

Download Scripts