Weak SSL Ciphers on Remote Server - Help?!

This topic is closed.

    #91
    Are you having a kitten?

    Let's assume you've been sent by another one of the bank's agencies. So what you're telling me is if I want to be PCI-DSS compliant, I have to pay you to regularly scan my site and produce issues that don't exist?

    Pfft, these scam agencies can go spin

    Comment


      #92
      Originally posted by bcomp View Post
      Contrary to the popular misguided belief with members of this forum, using a PSP does NOT get you off the hook with PCI-DSS at all. A simple script injection on your own site could easily present your customer a phony PSP phishing page and therefore you would not be PCI-DSS compliant and your company would be liable. You must also use SSL or appropriate operational and technological processes and procedures to protect data including but not limited to customer name, address and what they bought to safeguard against the unauthorised access or unlawful processing, or disclosure, of personal information.
      and you are..??
      And this information is based on...?
      Your definitive backup proof and documentation is at www..... ?

      No one is going to take any notice of you if you just come and post a block of 'words' like that, without backup information we can all study ourselves!
      Tracey

      Comment


        #93
        Originally posted by bcomp View Post
        present your customer a phony PSP phishing page
        So you wouldn't be using a PSP would you?

        Army Gore-tex
        Winter Climbing Mitts
        webD's Blog: Website design, SEO and other ramblings…
        Twitter LinkedIN

        If you think a post is good, rate it!

        Find the answers in the Knowledge Base | Have you read the User Guides

        Comment


          #94
          From the PCI website:

          "Does PCI DSS apply to merchants who use payment gateways to process transactions on their behalf, and thus never store, process or transmit cardholder data?

          PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted. If PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply. However, under PCI DSS requirement 12.8, if the merchant shares cardholder data with a third party processor or service provider, the merchant must ensure that there is a contractual obligation for that third party processor/service provider to adhere to the PCI DSS and that the third party processor/service provider is responsible for the security of the cardholder data it possesses. In lieu of a direct agreement, the merchant must obtain evidence of the third-party processor/service provider's compliance with PCI DSS via other means, such as via a letter of attestation."


          For the avoidance of any confusion, the PAN is the big number on the front of the credit card.

          Aquazuro - designer stainless steel accessories

          Comment


            #95
            Gavin with another guise protecting his commission?

            Comment


              #96
              Originally posted by TraceyHand View Post
              and you are..??
              And this information is based on...?
              Your definitive backup proof and documentation is at www..... ?

              No one is going to take any notice of you if you just come and post a block of 'words' like that, without backup information we can all study ourselves!
              And you are? It's not rocket science, Tracey: if your site is not PCI-DSS compliant and is hacked, and your customer inputs data into a phony PSP phishing page and their data is then in turn used for fraudulent activity, you are liable, not your PSP. I for one am less than willing to take the advice on matters of such importance as PCI-DSS compliance and our liability from the "cough cough" ecommerce professionals who frequent these forums.

              I would also suggest you contact your PSP, assuming you are using one, regarding your liability in the event that your site is hacked and a customer inputs data into a phony PSP phishing page. Quite obviously your PSP will not be liable should this happen, as the data was obtained from your site, not theirs. Perhaps that's a little food for thought for you?

              I would also suggest a good start for you regarding research would be https://www.pcisecuritystandards.org...i_dss_v1-2.pdf.

              Originally posted by webD View Post
              So you wouldn't be using a PSP would you?
              And therefore be liable for the loss and damages.
              Originally posted by Mark H View Post
              From the PCI website:

              "Does PCI DSS apply to merchants who use payment gateways to process transactions on their behalf, and thus never store, process or transmit cardholder data?

              PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted. If PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply. However, under PCI DSS requirement 12.8, if the merchant shares cardholder data with a third party processor or service provider, the merchant must ensure that there is a contractual obligation for that third party processor/service provider to adhere to the PCI DSS and that the third party processor/service provider is responsible for the security of the cardholder data it possesses. In lieu of a direct agreement, the merchant must obtain evidence of the third-party processor/service provider's compliance with PCI DSS via other means, such as via a letter of attestation."


              For the avoidance of any confusion, the PAN is the big number on the front of the credit card.
              And this resolves the problem and removes your company from being liable should your site be compromised and your customer input data into a phony PSP phishing page how exactly?

              Yes, if the system is working correctly, your site is not compromised and the customer's data is obtained from the PSP, they are liable, but that does "not" cover you should your site not be compliant and be compromised and the customer's data obtained from a phony PSP phishing page.

              Comment


                #97
                Simon, my advice to you is to go and study the PCI-DSS properly, then come back with the factual information.

                Mark already pasted the information, and you can read into any documentation or legislation whatever you like.

                Comment


                  #98
                  These muddy waters just keep getting muddier.....

                  Comment


                    #99
                    Originally posted by leehack View Post
                    These muddy waters just keep getting muddier.....
                    Most of the time by companies trying to gain from it. I presume Simon works for SM.

                    I would surely love to see someone explain how they are going to make a script injection. I'm not saying it can't be done; I would love to see how it is done on an Actinic site.

                    Comment


                      Originally posted by Darren B View Post
                      Most of the time by companies trying to gain from it. I presume Simon works for SM.

                      I would surely love to see someone explain how they are going to make a script injection. I'm not saying it can't be done; I would love to see how it is done on an Actinic site.
                      Are you telling me that there are no vulnerabilities within, for example, PHP, Apache, MySQL, cPanel, or Plesk that would allow hackers to change files on the server? Here is one example of a current security issue running on the cPanel forum: http://forums.cpanel.net/showthread.php?t=62821

                      Here's an idea: how about an Actinic Payments spokesman letting us all know what liability they accept if a client using Actinic and Actinic Payments as their PSP is compromised and their customer inputs their credit card details into a phony PSP phishing page from a hacked client's website and those details are then used fraudulently.

                      Who's liable, Actinic Payments or the website?

                      Comment


                        Simon, your argument is probably the worst I've read on the subject of PCI-DSS.

                        Somebody with the knowledge can easily hack a server, edit the html files as appropriate and send the unsuspecting customer to what you would describe as a 'phony psp' site - all within minutes. I know, I've seen it done - hence why I wouldn't recommend hosting security-purposed websites with Hostgator. That's another story.

                        What do your company (Not Bcomp 77 Ltd, they don't employ 'Simon') do - scan the site you're paid to security check on a constant basis, since hackers can strike within minutes, if not seconds?

                        Comment


                          OK, so let's assume you work for SM, and PCI has been applicable since last April; why has Barclays etc. not suspended the merchant accounts of any Actinic users?

                          Comment


                            Simon, where people like yourself fail so miserably is communication. You come on here talking about things, which could all be true and something we should all take advice from, however you get people's backs up by trying to tell us how right you are and how wrong we all are.

                            If what you say is true, then put your full name, your phone number, your email address, your company name and your web address for people to contact you and address any issues they may have. Anything less and you are not doing the job you think you are. Surely you have a moral and professional obligation to do this as a security expert?

                            Stop adding to the muddy waters and start solving them, cos you are not helping at all.

                            Comment


                              Originally posted by leehack View Post
                              Stop adding to the muddy waters and start solving them, cos you are not helping at all.
                              Add my vote please?

                              *What? This isn't the wish list ooopps *

                              Comment


                                Originally posted by bcomp View Post
                                Are you telling me that there are no vulnerabilities within, for example, PHP, Apache, MySQL, cPanel, or Plesk that would allow hackers to change files on the server? Here is one example of a current security issue running on the cPanel forum: http://forums.cpanel.net/showthread.php?t=62821

                                Here's an idea: how about an Actinic Payments spokesman letting us all know what liability they accept if a client using Actinic and Actinic Payments as their PSP is compromised and their customer inputs their credit card details into a phony PSP phishing page from a hacked client's website and those details are then used fraudulently.

                                Who's liable, Actinic Payments or the website?
                                Why Actinic? Your logic applies to others: Protx, WorldPay etc.

                                I'm confused. So you agree every piece of software has some form of hole; I think we all accept that, but having a security scan then makes this all go away? So you passed it on Monday, and cPanel/Plesk/Windows release a patch which has another hole in it on Tuesday: what happens for the next 3 months until your next scan? Are SM going to take the hit then? Well, they failed, not the website or the PSP.

                                So what you are saying is all the banks should pull the plug on every company that has not had a security check carried out on their servers. Oh, and in reality shared hosting is not going to become compliant, so everyone needs to move to dedicated servers as well.

                                Comment
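The two worries raised above, a hacked server whose HTML is edited to send customers to a phony PSP page, and the months between one scan and the next, can be covered by a check the site owner runs continuously rather than quarterly. The following is an added example written for this thread, not code from the forum, Actinic or any PSP: it baselines a SHA-256 per file right after a deploy, then flags any file whose hash changed and any checkout form or script that points at a host outside an allowlist. ALLOWED_HOSTS, the host names and the sample page contents are constructed assumptions.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts a checkout page may post to or load scripts from.
# Constructed allowlist: a real deployment names its own shop and PSP hosts.
ALLOWED_HOSTS = {"shop.example", "psp.example"}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_baseline(files: dict) -> dict:
    """Record one SHA-256 per file at a known-good moment, e.g. right after deploy."""
    return {path: sha256_hex(content) for path, content in files.items()}

class _TargetCollector(HTMLParser):
    """Collect where forms post to and where scripts are loaded from."""
    def __init__(self):
        super().__init__()
        self.targets = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.targets.append(("form", a["action"]))
        elif tag == "script" and a.get("src"):
            self.targets.append(("script", a["src"]))

def foreign_targets(html: str, page_host: str) -> list:
    """Return (kind, url) pairs whose host is not on the allowlist."""
    parser = _TargetCollector()
    parser.feed(html)
    # A relative URL stays on the page's own host, so it resolves to page_host.
    return [(kind, url) for kind, url in parser.targets
            if (urlparse(url).hostname or page_host) not in ALLOWED_HOSTS]

def check_site(files: dict, baseline: dict, page_host: str = "shop.example") -> list:
    """Flag files whose hash changed since the baseline or whose HTML now points off-site."""
    findings = []
    for path, content in files.items():
        if baseline.get(path) != sha256_hex(content):
            findings.append((path, "hash mismatch"))
        if path.endswith(".html"):
            for kind, url in foreign_targets(content.decode(), page_host):
                findings.append((path, f"{kind} target off allowlist: {url}"))
    return findings

# Constructed sample: a clean deploy, then the same site with a tampered checkout
# page whose form now posts card details to a lookalike host (.invalid is never real).
CLEAN = {
    "index.html": b"<html><body><form action='/search'></form></body></html>",
    "checkout.html": b"<form action='https://psp.example/pay' method='post'></form>",
}
TAMPERED = dict(CLEAN)
TAMPERED["checkout.html"] = b"<form action='https://psp-example.lookalike.invalid/pay' method='post'></form>"
```

Run from a cron job against the live document root and alert on any finding; the hash check catches edits to any file, while the target check catches a checkout page rewritten to post elsewhere even if the attacker also updated the baseline file.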
