PCI compliance is a joke. We have had clients simply deny access to the IP of the originating scan to get by any issues after arguing that issues like XSS didn't mean anything. Also, PCI scans are just running Nessus. It doesn't do squat for taking care of flaws in customized web applications, which are where many flaws exist that lead to the disclosure of customer data.
Link to this comment: http://www.securityfocus.com/comments/newsbriefs/481/1888#1888