
PCI has run us away from cPanel


knifeman


Our server runs on cPanel and the new PCI rules concerning TLS are not compatible with cPanel.

 

We have been using osCommerce for many years now and will surely miss the unlimited functionality and freedom to alter pages. It currently looks like we have no choice but to go to a hosted cart. :sweating:

 

 

cPanel Inc. said:

"We had a prior ticket last week about Trustwave asking for TLSv1 to be disabled. When it is disabled, older operating systems and clients quit working. This is beyond the browsers. Services such as IMAP and POP (Dovecot) and SMTP (Exim) cease working in Windows 7 under Outlook 2007 and 2010. Those same services can quit working on Mac OS X Mountain Lion and earlier. Basically, if you go down this path, it is likely email services will break for many users. TLS v1.0 is actually required for STARTTLS on some systems.

As such, please be aware that services will break and there is nothing cPanel can do to get those older operating systems and clients to work. It will be the responsibility of the operating system provider or application to fix those services or the clients to update."


What is TLS? And what is PCI?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment.

 

TLS is application protocol-independent. Higher-level protocols can layer on top of the TLS protocol transparently. Based on Netscape's SSL 3.0, TLS supersedes and is an extension of SSL. TLS and SSL are not interoperable.

 

If you are taking credit card payments via a website, you need to know these.


@knifeman We use cPanel and have a number of members that pass their PCI scans. If your server only has TLS 1 then your host needs to upgrade the software on the server. But if that is not the case, as long as the site is not using TLS 1 the PCI companies should treat it as a false positive if they find it on the server. At least, that has been my experience with the various PCI companies, including Trustwave. Also, I'm not familiar with hosted carts but if the server they use has TLS 1 installed, you may be in the same situation with them.

Support Links:

For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc.

All of My Addons

Get the latest versions of my addons

Recommended SEO Addons


You are saying that a problem with cPanel is stopping you from using osCommerce?

Why would you post a topic with this as the title "PCI has run us away from oscommerce"?
Why not "PCI has run us away from cPanel"?

Do you want me to fix it? The title of your post, not your cPanel.


 

We have been using osCommerce for many years now and will surely miss the unlimited functionality and freedom to alter pages. It currently looks like we have no choice but to go to a hosted cart.

 

Nonsense! First of all, your title is misleading... any cart on your site involving a merchant account (where PCI comes into play) is going to be affected, not just osC. Your problem is with your current host, who is out of date. Second, unless you're very high volume and a merchant account is by far the cheapest for you, nothing keeps you from using Third Party payment systems such as PayPal, etc., where you don't need PCI certification.


@knifeman We use cPanel and have a number of members that pass their PCI scans. If your server only has TLS 1 then your host needs to upgrade the software on the server. But if that is not the case, as long as the site is not using TLS 1 the PCI companies should treat it as a false positive if they find it on the server. At least, that has been my experience with the various PCI companies, including Trustwave. Also, I'm not familiar with hosted carts but if the server they use has TLS 1 installed, you may be in the same situation with them.

Thanks Jack,

 

The actual fail from Trustwave is this:

This service supports the use of the TLSv1.0 protocol.

 

We have upgraded certs that do not use 1.0, but 1.0 is still on the server to run other things so the scan sees that it is supported and cries fail.


TLS 1 may stay on the server, depending upon how your host has it configured. The important part is what your site uses. The PCI company should be able to distinguish between the two and treat it as a false positive. If you test your site on this page you can tell if multiple TLS versions are present.


TLS 1 may stay on the server, depending upon how your host has it configured. The important part is what your site uses. The PCI company should be able to distinguish between the two and treat it as a false positive. If you test your site on this page you can tell if multiple TLS versions are present.

TLS 1.2: Yes
TLS 1.1: Yes
TLS 1.0: Yes
SSL 3: No
SSL 2: No

Host disabled 1.0 on Saturday and broke my SSL to log in to the server. Also broke my ability to check e-mail with Outlook.

At this time Trustwave is saying 1.0 cannot even be present.

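Added example, not part of any post in this thread: a Python check that pins one protocol version per handshake and reports, service by service, which versions the server accepts, so you can see whether TLS 1.0 is offered by the web vhost or only by the mail daemons. The function names, the `SERVICES` port map and the `SAMPLE` data are assumptions made for illustration; only implicit-TLS ports are probed, not STARTTLS.

```python
import socket
import ssl

VERSIONS = {"TLS 1.0": ssl.TLSVersion.TLSv1,
            "TLS 1.1": ssl.TLSVersion.TLSv1_1,
            "TLS 1.2": ssl.TLSVersion.TLSv1_2}
# Assumed port map: implicit-TLS ports only; STARTTLS ports (25, 587, 143, 110) not covered.
SERVICES = {"https": 443, "smtps": 465, "imaps": 993, "pop3s": 995}

def probe(host, port, version, timeout=5.0):
    """True: handshake pinned to `version` succeeded. False: server refused it.
    None: inconclusive (port closed, timeout, reset, or local OpenSSL lacks the version)."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False          # probing protocol support, not the certificate
        ctx.verify_mode = ssl.CERT_NONE
        ctx.set_ciphers("ALL:@SECLEVEL=0")  # OpenSSL 3 clients refuse TLS 1.0/1.1 at the default level
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ValueError, ssl.SSLError):
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except ssl.SSLError:
        return False
    except OSError:
        return None

def scan_host(host, services=SERVICES):
    """Probe every service for every version: {(name, port): {label: result}}."""
    return {(name, port): {label: probe(host, port, v) for label, v in VERSIONS.items()}
            for name, port in services.items()}

def flagged_for_tls10(results):
    """Services a 'supports TLSv1.0' scanner check would report."""
    return sorted(f"{name}:{port}" for (name, port), seen in results.items()
                  if seen.get("TLS 1.0") is True)

# Constructed sample (not real scan data): web vhost hardened, mail daemons not.
SAMPLE = {("https", 443): {"TLS 1.0": False, "TLS 1.1": False, "TLS 1.2": True},
          ("imaps", 993): {"TLS 1.0": True, "TLS 1.1": True, "TLS 1.2": True},
          ("pop3s", 995): {"TLS 1.0": True, "TLS 1.1": True, "TLS 1.2": True},
          ("smtps", 465): {"TLS 1.0": None, "TLS 1.1": None, "TLS 1.2": None}}

if __name__ == "__main__":
    import sys
    results = scan_host(sys.argv[1])
    for (name, port), seen in results.items():
        print(f"{name}:{port}", seen)
    print("Would be flagged for TLSv1.0:", flagged_for_tls10(results))
```

Run it as `python script.py your.host.example` against a server you administer; a `None` result means the probe could not tell, not that the version is disabled.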

I don't understand why they are digging in their heels on this one but if they refuse to budge and your host can't solve the problem there are only two choices that I can see: change hosts or change PCI companies. Maybe if you told Trustwave that the problem isn't fixable, at least not without causing you a lot of other problems, and that you may have to use a different PCI company as a result, they may relent. Sometimes that works. They may want you to say you will accept responsibility for the TLS security hole but you are on the hook for it anyway so I don't see that that would matter.

 

I'll send you a PM about Trustwave and what a solution may be.


Now, this is not making any sense to me...I run cPanel and OSC...

That is why I posted here in the OSC forum. I do not know hosting and cPanel and I was hoping for some input from others. Jack gave me some advice and some pointers. Several just laid down an attack on my post. I presume they took my post as an attack on OSC, which was not my intent.

 

I have been with the same host for many years. I have a dedicated server with cPanel. I am not familiar with other options. So I thought I could share my experience with other OSC shop owners that have cPanel, maybe warn them, maybe get some advice. Really did not expect some of the responses I got.


@knifeman Hi Tim,

 

 

Really did not expect some of the responses I got.

 

Planet OSC is a different place since you last visited...... I liken it to a well meaning military junta :)

 

I also run OSC and cPanel and my PCI scans (level 4) always pass (Security Metrics).

Now running on a fully modded, Mobile Friendly 2.3.4 Store with the Excellent MTS installed - See my profile for the mods installed ..... So much thanks for all the help given along the way by forum members.


Archived

This topic is now archived and is closed to further replies.
