Jump to content

Archived

This topic is now archived and is closed to further replies.

WoodsWalker

PCI compliance inspection - anyone gone through it?

Recommended Posts

PS: Here is the kicker, Elavon lets you be non compliant for $20.00 a month after March 2009. Does that smell fishy???

 

Yes, it does. <_<

Share this post


Link to post
Share on other sites
I am with BlueHost and there Unix/Linux server situation does not conform with PCI.
I also have my site hosted with BlueHost and I've received an affirmative PCI compliance report from HackerGuardian. I signed up for their free PCI compliance scan and it initially did not pass due to a false positive related to mod_FrontPage. BlueHost support assured me that the security mods had been backported to the version of mod_FrontPage that they are running. I passed this on to HackerGuardian and also informed them that, although BlueHost allows it, I do not nor will I ever have FrontPage Extensions enabled on my site. Shortly after making this report to HackerGuardian, they issued the affirmative compliance report.

 

I don't know if this has a bearing on your results or not but I do have a dedicated IP address and my own SSL certificate. I suggest that you have HackerGuardian run a scan for you and see what the result is. I realize that you may have already paid the $135 fee that Elavon says it will charge merchants for the TrustKeeper service (I haven't been charged yet) but using a different Qualified Security Assessor may be simpler in the long run.

 

Related to this topic, I have begun trudging through the Self-Assessment Questionaire D to figure out what I need to do to be able to honestly answer the questions in a manner that will ensure compliance. One of the questions asks if I have an Information Security Policy in place that addresses all of the DSS issues. At present, I don't have a written policy and don't relish creating one from scratch. Does anyone have a template or sample conforming IS policy that they're willing to share?


Don

Portland, OR USA

Share this post


Link to post
Share on other sites

Hi everyone,

 

First, I want to say thanks to Wendy for a truly great and informative thread. This has really helped me to get my head around the issues.

 

I've just been helping a Canadian client to sort these options out with Moneris (getting PCI compliance as you did versus using their hosted payment page). They've finally decided to go with Moneris' hosted payment page and one of the reasons is the following, which I thought may be useful information for anyone else exploring these issues.

 

According to Moneris tech support, it's perfectly acceptable to use a hosted payment page within an iFrame on your osCommerce installation (or any other page for that matter). This would enable us to keep our pages and URLs on our current site while still getting the advantage of offloading PCI compliance and liability to the Moneris server.

 

So, in our case, we're configuring the hosted payment page to look very simple... no images, no branding, plain white... and then we're including it into our site's pages as an iFrame and it's invisible to the visitor.

 

One important point though, in order to ease customer anxiety, is to still use SSL with a valid security certificate, so that the page used to include the iFrame will show as secure for the visitor while they're entering their info. You could still do it and it would work without SSL, but it wouldn't look secure.

 

Anyway, I know this isn't exactly on topic for your thread, but the issue of hosted payment pages came up enough in the discussion that I figured this might be helpful to some people.

 

Cheers,

Jade

Share this post


Link to post
Share on other sites

Thanks for the info, Jade! That really clears up the issue of how the Hosted Paypage implementation will look to the store customer. :)

 

I'm curious (I know this is a little off-topic) - I went with the Moneris PHP API instead of the Hosted Paypage because there was already an interface written for it, that was available via Moneris or even right here in Contributions. I just didn't know how to "connect up" the Hosted Paypage with the osC shopping cart. Has an interface been written, or did you do the coding yourself? Moneris Tech Support was no help to me on the, but then again, at that stage I just didn't know what to ask.

 

Thanks,

~Wendy

Share this post


Link to post
Share on other sites
[...]it's perfectly acceptable to use a hosted payment page within an iFrame on your osCommerce installation
If you choose to do this, you should be aware that some customer's will be using browsers that block all IFRAME use. This is generally a wise thing to do since miscreant hackers can use IFRAME via a poisoned website to download a trojan to your computer. I use FireFox with the NoScript plugin that, among other things, blocks IFRAME constructs. Generally speaking, if I visit a website that requires the use of IFRAME (or requires popups to be enabled) in order to place an order I usually move on to another alternative site.

 

IFRAME=<lost sales>


Don

Portland, OR USA

Share this post


Link to post
Share on other sites
I also have my site hosted with BlueHost and I've received an affirmative PCI compliance report from HackerGuardian. I signed up for their free PCI compliance scan and it initially did not pass due to a false positive related to mod_FrontPage. BlueHost support assured me that the security mods had been backported to the version of mod_FrontPage that they are running. I passed this on to HackerGuardian and also informed them that, although BlueHost allows it, I do not nor will I ever have FrontPage Extensions enabled on my site. Shortly after making this report to HackerGuardian, they issued the affirmative compliance report.

 

I don't know if this has a bearing on your results or not but I do have a dedicated IP address and my own SSL certificate. I suggest that you have HackerGuardian run a scan for you and see what the result is. I realize that you may have already paid the $135 fee that Elavon says it will charge merchants for the TrustKeeper service (I haven't been charged yet) but using a different Qualified Security Assessor may be simpler in the long run.

 

Related to this topic, I have begun trudging through the Self-Assessment Questionaire D to figure out what I need to do to be able to honestly answer the questions in a manner that will ensure compliance. One of the questions asks if I have an Information Security Policy in place that addresses all of the DSS issues. At present, I don't have a written policy and don't relish creating one from scratch. Does anyone have a template or sample conforming IS policy that they're willing to share?

 

 

Don,

 

I am a little late responding to your post, the issue frustrated the heck out of me. I have contacted BlueHost and some of the issues seem to be resolved. But I am looking at the scan, not exactly a script writer and the issues leave me mostly puzzled.

 

I passed the questionnaire 100% but the scan has still at least 4-5 non compliant errors. The problem is. I am trying to run a business here and don't have the time to brute over linux/unix ssl problems.

 

So for the next few months i will just pay my fees (may I cal them bribes, compliance for $20.00 a month, depending on your processor).

 

The other option is to use a host that is PCI compliant, but most of their hosting fees are more than that $20.00 a month that my processor is asking for... and their server space is lousy.

 

In the meantime I am trying what you are doing complying a little every scheduled Elavon/TrustKeeper scan and pay my dues at this so called safety game.

 

Good Luck...

 

Wolfgang

Share this post


Link to post
Share on other sites

Hi Wolfgang,

 

I'm not a BlueHost user, but most of the folks here seem to feel that BlueHost has pretty good customer service. I would simply forward the results of the latest scan to them and ask them to fix the remaining issues or alternatively to write down a simple explanation of why they are not actually security issues. These explanations may satisfy your QSA and you will receive a full pass (and save your $20 per month).

 

I agree it's a bit of a safety "game", but courage! Don't give up!

 

~Wendy

Share this post


Link to post
Share on other sites
Hi Wolfgang,

 

I'm not a BlueHost user, but most of the folks here seem to feel that BlueHost has pretty good customer service. I would simply forward the results of the latest scan to them and ask them to fix the remaining issues or alternatively to write down a simple explanation of why they are not actually security issues. These explanations may satisfy your QSA and you will receive a full pass (and save your $20 per month).

 

I agree it's a bit of a safety "game", but courage! Don't give up!

 

~Wendy

 

 

Thanks Wendy,

 

I did that already and Bluehost gracefully responded, they indeed have a good customer service and I would love to stay with them.

 

They did address all the problems of the scan and I forwarded their response to TrustKeeper, got one issue dismissed. They did not accept three of Bluehost's explanations.

 

So I just play the game, at my next scan I will forward it to Bluehost again and than the response to TrustKeeper till on of them gives...

 

I got till March to comply, in the meantime I have Google Checkout working, always had Paypal and if worse comes I can run my sales that way.

 

I also have a Elavon terminal here at the nursery, which I could use by typing numbers in, but collecting cc-numbers is actually what we all trying to avoid.

 

So thanks again... I am not giving up easy.

 

Wolf

Share this post


Link to post
Share on other sites
I passed the questionnaire 100%.
Which questionnaire did you use? As best I could determine, we online merchants must use the more involved SQA-D and mark appropriate entries with "does not apply". Under my interpretation of the questions of SQA-D, however, I need to have several written policies in place that cover all of the issues addressed by the PCI compliance process. I sure would like to get a set of sample policies to use as a starting point.

Don

Portland, OR USA

Share this post


Link to post
Share on other sites

Hi all,

 

I am not tech savvy so I can't give specific tech support but I can tell you our experience. We are hosted by iPower (I am not recommending them to anyone but that is who we are with). They were not helpful as far as PCI Compliance goes and they were not updated as to whom needed to be PCI Compliant. That being said, I never have had up time issues with them etc. so I bit the bullet and worked out my PCI issues at that time myself.

 

I paid a company called Security Metrics (through my merchant account) and failed my first scan of my website. We talked to so many tech people, merchant people, our bank merchant tech people on and on and found out that the problems we were having would still exist even if we sent all our customers to PayPal so that was not an easy fix.

 

We were recommended many times to use a gateway but we are not a big company, our web sales only account for 10% of our business so a gateway was outrageously expensive and would not be an answer either.

 

So, I dug in with both hands, followed some oscommerce support threads and fixed the issues with my site and passed my next scan. We were so happy....then the other shoe fell, we were just scanned again for our quarterly check and low and behold now there is a new problem and once again we failed our scan, after being compliant for 4 months. We were told it was upgrades...except when putting in the error and risk verbiage, I found that others had this issue in 2006.

 

Bottom line, it is a money making racket and a lot of bunk for nothing. This new "risk" is only something that our host provider can fix! It has to do with our SSL certificate and socket layer credentials. *Whatever* it all comes down to this, Visa/Mastercard are tied in with merchant companies, who are tied in with PCI compliant security companies, who are all shoving their hands in our pockets. You see, if you are not PCI compliant, you pay your merchant a minimum of $20.00 per month until you are compliant, most of that fee goes right to Visa/Mastercard. Also, if you keep passing all your scans, you may get complacent and not keep paying a scanning company... So, it is in credit card processing companies and visa/mastercard's financial interest to continue to screw with you and keep failing for new reasons.

 

Any why are we all going through this? Because Macy's, JCPenny, Sears, and a number of other gigantic companies had hackers get into their credit card databases. Not even the same databases that we all use.

 

So, why write this post, be ready for a long on-going problem with PCI compliance. If you are small fish like us, it will be an agonizing situation!

 

-KDB

Share this post


Link to post
Share on other sites

Hi KDB,

 

I'm sorry you have had so much trouble. I agree that it appears to be a racket. Doing business has been fraught with similar rackets since the dawn of time. Some of them have been called "protection rackets" - where you had to pay the local thugs, or they would stop you from doing business.

 

How is this different? I dunno. If it gets too bad, some new thugs will surely come along with a "cheaper" solution.

Share this post


Link to post
Share on other sites

PCI DSS 6.6 requires you to secure your code from vulnerabilities and the other option is to install a web application firewall on your server.

 

 

Let me know if you have questions about it,

 

Tomer

Share this post


Link to post
Share on other sites

×