
Payment Card Industry compliance scanning


dk_netsvil
07-10-2008, 06:00 PM
Payment Card Industry (PCI) scans are something I get to deal with every day where I am responsible for a data center with a high concentration of e-commerce webservers. For those who have yet to experience this phenomenon, allow me to explain a little about PCI scans. For an online retailer using, for example, Visa services, it is a requirement to submit your website to periodic PCI evaluations or else risk falling out of favor with, in this example, Visa. So you sign up with a service (there are many available), and your website is analyzed on many different levels to determine potential security vulnerabilities. These range from known weaknesses in different versions of apache, mysql, php, openSSH, openSSL, Java, etc. Some of these scans return relatively simple information: your apache version has a known vulnerability, solution: upgrade to version X.

Other scans are so generalized as to be useless - better to send me an email telling me I might as well just spin a wheel and guess.

From a practical administration perspective I appreciate that card companies are attempting, through the mechanism of the PCI scan, to reduce fraud and ultimately improve the name of online credit card processing. And, as an admin, I am well aware that one means of ensuring a high level of compliance is periodically scanning these servers to ensure they are secure. On the other hand, when I get these useless vague scan reports I wonder if it's not also kind of a scam, especially when I call and they are either unwilling to discuss how the scan result came to be determined or if it's something they can't repeat.

Any thoughts?

Jmdbh
07-10-2008, 11:40 PM
Colleagues of mine are working in the PCI area as well. The bad thing about these checks is that anyone can run a 'tool' and present its report. Taking such a report apart to tell the real problems requires in-depth knowledge and time. Both are expensive and therefore omitted in many cases.

But as a colleague said: 'Compliance checks are not intended to make you happy, but to make the auditors happy.'

ai-danno
07-21-2008, 06:32 AM
I find myself in the exact same role as the OP (I'm network and security admin for an e-commerce webhosting company), but the scans themselves aren't what I have a problem with. The scans (especially on shared servers we directly admin) reveal weaknesses our support personnel have tacked on (in the form of applications running with open sockets that clearly shouldn't be running on said machine) or firewall ports that were open and shouldn't have been (both of which I quickly pounce on).

The Hackersafe scans to me aren't the problem (and before responding that we have cleaned up the mess, I scan from outside with a free copy of Nessus just to be sure)... the real problem is the questionnaires that they submit to us that we have to fill out on behalf of a customer. The questions are obvious and thus suggest the correct response to be had (like, "do you have a wireless router that is not secured?" or something similar), and they can be easily lied about. Why even submit these to be filled out? It's like asking "Are you in compliance before we suggest that you are in compliance?" Who's going to say "No, we are wide open and ready for a massive exploit, now please give us your approval"?

If these silly questionnaires pass for some security check, then PCI compliance as I see it is a joke, at least at that level.
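Two things in this thread are checkable mechanically: the OP's point that scanners flag "version X of apache has a known weakness", and ai-danno's habit of re-scanning from outside to catch ports that should not be reachable. The script below is an added example and is not code from the thread, from Hackersafe, or from Nessus. It takes one host's nmap "grepable" (-oG) output, which is constructed here rather than captured, and reconciles it against an explicit policy: the set of ports allowed through the firewall and a minimum version per product. The host address, the banners and the version thresholds are assumptions chosen for illustration, not statements about any real advisory.

```python
# Added example (not from the thread or any scanning vendor): reconcile an
# external port scan plus service banners against an explicit exposure and
# version policy, so a "finding" is repeatable and can be argued about.
import re
from typing import Dict, List, Optional, Tuple

# Constructed nmap -oG output for one host (documentation address, not real).
SCAN_OUTPUT = """\
Host: 203.0.113.10 ()  Status: Up
Host: 203.0.113.10 ()  Ports: 22/open/tcp//ssh//OpenSSH 4.7p1 Debian-8ubuntu1/, 80/open/tcp//http//Apache httpd 2.2.8 ((Ubuntu))/, 443/open/tcp//ssl|http//Apache httpd 2.2.8 ((Ubuntu))/, 3306/open/tcp//mysql//MySQL 5.0.51a/, 8080/open/tcp//http-proxy//Squid 2.6.STABLE18/
"""

# Policy: only these TCP ports may be reachable from the Internet.
ALLOWED_PORTS = {22, 80, 443}

# Policy: minimum acceptable version per product. Placeholder numbers for the
# example; in practice each threshold comes from the vendor advisory behind
# the scanner's finding.
MIN_VERSIONS: Dict[str, Tuple[int, int, int]] = {
    "apache": (2, 2, 9),
    "openssh": (5, 0, 0),
    "mysql": (5, 0, 67),
}

# -oG port entries look like port/state/proto/owner/service/rpc/version/
PORT_RE = re.compile(r"(\d+)/open/tcp//([^/]*)//([^/]*)/")
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_open_ports(grepable: str) -> List[Tuple[int, str, str]]:
    """Return (port, service, banner) for each open TCP port in -oG output."""
    found = []
    for line in grepable.splitlines():
        if "Ports:" not in line:
            continue
        ports_field = line.split("Ports:", 1)[1]
        for m in PORT_RE.finditer(ports_field):
            found.append((int(m.group(1)), m.group(2), m.group(3).strip()))
    return found


def parse_version(banner: str) -> Tuple[int, int, int]:
    """Extract (major, minor, patch) from a banner; missing parts become 0."""
    m = VERSION_RE.search(banner)
    if not m:
        return (0, 0, 0)
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch) if patch else 0)


def product_of(banner: str, min_versions: Dict[str, Tuple[int, int, int]]) -> Optional[str]:
    """Map a banner to a policy key, or None if the product is not tracked."""
    lower = banner.lower()
    for name in min_versions:
        if name in lower:
            return name
    return None


def review_scan(grepable: str,
                allowed_ports=ALLOWED_PORTS,
                min_versions=MIN_VERSIONS) -> List[dict]:
    """Compare scan results with policy; each finding is a dict with a 'kind'."""
    findings = []
    for port, service, banner in parse_open_ports(grepable):
        if port not in allowed_ports:
            findings.append({"kind": "unexpected_port", "port": port, "service": service})
        product = product_of(banner, min_versions)
        if product is None:
            continue  # no policy for this product: nothing to say about it
        have = parse_version(banner)
        need = min_versions[product]
        if have < need:
            findings.append({"kind": "outdated", "port": port, "product": product,
                             "have": have, "need": need})
    return findings


if __name__ == "__main__":
    for f in review_scan(SCAN_OUTPUT):
        print(f)
```

The value of keeping the policy in the script rather than in a vendor's head is that a finding can be reproduced on demand, which is exactly what the OP could not get over the phone. One caveat a practitioner should keep in mind: a version-only check like `parse_version` will flag distribution packages that backport security fixes without bumping the version string (the constructed Ubuntu Apache banner above is a typical case), so such a finding is a prompt to check the package changelog, not proof of a hole.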