The PCI industry has only itself to blame. The bureaucratic rules are vague enough to drive a truck through, and they accept worthless trash as a security scan to certify compliance.
Want to know how to pass a Trustwave scan? Suppress web server version strings. That's it. If you let it grab the version, it'll list EVERY vulnerability against that version of the software as if you're vulnerable, never-mind whether you're running a version that's patched the vulns, the vulnerable features are all disabled, and it's duly harded. But disable the version reporting, and you can have loads of unpatched vulnerabilities and rootkits everywhere. There is no ATTEMPT to check. That would cut into their profits, which then cuts into the kickbacks...
Biting the hand that feeds IT
