    PCI DSS deep scanning issues

    Our site is regularly scanned by Trustwave to ensure we comply with PCI DSS.
    We accept that session cookies don't carry card data; however, it seems that they can be hacked if the ID is easy enough to guess, and it also seems that they can help a hacker to control things.
    Can Actinic use longer cookie numbers or something to cure this issue?
    Quote from Trustwave:
    Predictable Cookie Session IDs
    The remote web application is using predictable cookie-based session IDs. Ideally, session IDs are randomly generated numbers that cannot be guessed by attackers. If the session ID is predictable, an attacker could hijack an active victim's session, allowing the attacker to interact with the server as though they were the victim. If the session ID is used to track the state of authentication, the session ID of an authenticated user could be guessed, bypassing any need for a username or password.

    This software needs to be either configured or modified to generate random session IDs.

    If this host is running ColdFusion, enable the 'Use UUID for cftoken' option on the Settings page in ColdFusion Administrator to produce CFTOKEN values with sufficient entropy as opposed to the 8-digit numbers that are used by default.
    End Quote

    #2
    You are capturing card details on your website. How are you managing to pass PCI?
    Reusable Snore Earplugs : Sample Earplugs - Wax Earplugs - Women's Earplugs - Children's Earplugs - Music Earplugs - Sleep Masks



      #3
      Hello Michael

      Welcome to the forum
      Re the PCI-DSS compliance issue, I have had a word with my colleague in development. As per guidelines, we as an e-commerce software company do not recommend collecting card details on the merchant website. As an alternative we suggest using Payment Service Providers, which are far more popular with merchants and customers alike.
      In addition, the merchant's site does not need to be PCI-DSS compliant when using a PSP.

      With regard to the information from Trustwave, if a potential hacker gets hold of a shopper's session ID, they can at most have access to the shopping cart (no private data), and that only if they manage to get in while items are being added to the cart, which is no more a security threat than an uncovered shopping trolley in a supermarket.

      Hope this helps explain.

      Regards
      Krithika Chandrasekar
      SellerDeck


      E-commerce software by SellerDeck



        #4
        You effectively have to review (and fix) your firm's paperwork and disposal routines, and then ensure that (for simplicity) no wireless technology is allowed (no possible connectivity to wireless devices would do it) within the offices, nor connectable storage devices (e.g. laptops and USB thingies). Then ensure that all PCs that connect to either or both Actinic or the company database are on a secure LAN (you will need a programmable router to restrict use of the internet on as many PCs as possible, but allow MS updates to all PCs).

        Next, control visitors to the building (they may not be unaccompanied in any area where there are PCs). Ensure all staff have been CRB'd. Ensure that any card data temporarily stored is fully encoded (there can be a lack of randomization on some encoding systems - beware!). Next you have to check that your ISP is compliant on the personnel, physical and electronic sides of things.

        Now you have to look to the server for your site. It's best that your firm is the only firm on the physical and virtual server, as many functions that others might want need turning off. (It will be inspected (deep scanned) every month.)

        You have to register with your bankers/card-acquirers (many actually try to make it virtually impossible) and prove your compliance by answering some 300 questions every year and maintaining standards.

        I could go on; but if you really feel that you must honour the service maxim of "we don't charge until we despatch" - then I guess you have little option but to think about becoming truly secure, compliant and paying the insurance up for any month you fail on a small point.

        Do you really wish to know the rest?



          #5
          Hi Kirthi,
          We acknowledge fully that Actinic / Sellerdeck as an e-commerce software company must give a compliant answer and also that no card data is carried in Session IDs.

          However, the problem is about taking over the server (heaven knows how, but PCI gurus believe there is a chance that it can be done). We had a problem recently where address info had been blanked out (despite the fields being compulsory), but the card data got through, so those cards had to be reported and stopped. It's a different issue, but all security worries are important no matter how weird.

          An RAF motto to think on "Where there is doubt there shall be none".



            #6
            Point for Krithika

            Even if you use a payment service provider and do not handle or access any card details in any form anywhere, you still have to be PCI compliant.

            This has somewhat annoyed me, but we have to complete a self-declaration form every year to show that we are compliant. It costs us nothing but time and annoyance and some postage and printing costs. It annoys me in that, if we have to do it, why does not everybody everywhere have to? Our bank charges a monthly fine if the form is not submitted on time every year. It is basically a form that we have to complete to say that we do not have to complete it!

            Sarah



              #7
              if you really feel that you must honour the service maxim of "we don't charge until we despatch" - then I guess you have little option
              The other option offered by many PSPs now is 'Pre Authorise'. Essentially, they check and pre-authorise the card but don't take payment until you action it after shipping.

              Mike
              -----------------------------------------

              First Tackle - Fly Fishing and Game Angling

              -----------------------------------------



                #8
                PS.

                The Session IDs are of the form:

                xxxZxZxZxxxA1346409401B24158.session

                which is essentially the IP address plus a 16 character random sequence.

                How predictable do they believe the 16 character random sequence is?

                Mike
                -----------------------------------------

                First Tackle - Fly Fishing and Game Angling

                -----------------------------------------

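The script below is an added illustration, not code from the thread, from Actinic/SellerDeck or from Trustwave; it shows how a scanner might reason about an ID of the shape quoted in post #8. The 10-digit run 1346409401 in that sample happens to fall in the range of a Unix timestamp (it would decode as 31 August 2012), so the script checks two things an analyst would check: whether that field climbs like a clock across consecutive IDs, and how narrow the trailing number stays. If both hold, an attacker who knows roughly when the victim's session started has a search space of (window in seconds) x (width of that band), far below the roughly 95 bits that 16 truly random alphanumeric characters would give. The sample IDs are constructed to behave that way and say nothing about what Actinic actually does; the regex, field names and the one-hour window are assumptions for the example. It ends with a CSPRNG-backed generator of the kind the Trustwave finding asks for.

```python
"""Estimate how guessable a session ID scheme is from a few samples,
and contrast it with a CSPRNG-backed generator."""
import math
import re
import secrets

# Constructed samples (not real IDs from the thread or any server). They copy
# the shape quoted in post #8 (<masked IP>A<10 digits>B<5 digits>.session),
# with the A field stepping like a clock and the B field in a narrow band.
SAMPLE_IDS = [
    "xxxZxZxZxxxA1346409401B24158.session",
    "xxxZxZxZxxxA1346409463B24161.session",
    "xxxZxZxZxxxA1346409499B24163.session",
    "xxxZxZxZxxxA1346409530B24170.session",
    "xxxZxZxZxxxA1346409588B24172.session",
]

# Assumed layout: prefix, "A", ten digits, "B", digits, ".session".
SID_RE = re.compile(r"^(?P<prefix>.*?)A(?P<a>\d{10})B(?P<b>\d+)\.session$")


def parse_session_id(sid):
    """Split one ID into its prefix and the two numeric fields."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"unrecognised session id format: {sid!r}")
    return {"prefix": m["prefix"], "a": int(m["a"]), "b": int(m["b"])}


def looks_like_epoch(n):
    """True for 10-digit values in the Unix-time range 2001-09-09..2033-05-18."""
    return 1_000_000_000 <= n <= 2_000_000_000


def bits_if_random(length, alphabet_size):
    """Nominal entropy of `length` independent symbols from an alphabet."""
    return length * math.log2(alphabet_size)


def assess(ids, window_seconds=3600):
    """Report how far the observed IDs fall short of real randomness.

    window_seconds is the assumed uncertainty about when the victim's
    session was issued; one hour is a deliberately generous attacker.
    """
    parsed = [parse_session_id(s) for s in ids]
    a_vals = [p["a"] for p in parsed]
    b_vals = [p["b"] for p in parsed]
    a_monotone = all(x < y for x, y in zip(a_vals, a_vals[1:]))
    a_timestamp_like = a_monotone and all(looks_like_epoch(v) for v in a_vals)
    b_span = max(b_vals) - min(b_vals)
    # If A is issue time to the second and B stays within b_span, the
    # attacker enumerates at most window_seconds * (b_span + 1) candidates.
    candidates = window_seconds * (b_span + 1)
    return {
        "a_timestamp_like": a_timestamp_like,
        "b_span": b_span,
        "guess_bits_if_window_known": math.log2(candidates),
        "nominal_bits_16_alnum": bits_if_random(16, 62),
    }


def generate_session_id(nbytes=32):
    """32 bytes from the OS CSPRNG (256 bits), URL-safe base64 encoded."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    print(assess(SAMPLE_IDS))
    print(generate_session_id())
```

The useful number is the gap between `nominal_bits_16_alnum` (about 95 bits if all 16 characters were random) and `guess_bits_if_window_known` (under 16 bits for the constructed samples). A scanner does not need to know the generator's source; a handful of IDs collected a minute apart is enough to see whether fields move like a clock or a counter. A real check would also issue IDs back to back and confirm that no two share a field.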


                  #9
                  Hello

                  Even if you use a payment service provider and do not handle or access any card details in any form anywhere, you still have to be PCI compliant.
                  This is strange because the compliance rules apply only if a merchant handles CC details somewhere in his/her business.
                  If a merchant has 2 sites, one with CC details and one with a PSP, then both sites, the merchant's office(s) and their networks have to be PCI-DSS compliant; but if the only retail outlets they have are websites using PSPs then you don't need to be compliant.

                  There are more details available on our website here.

                  Regards
                  Krithika Chandrasekar
                  SellerDeck


                  E-commerce software by SellerDeck



                    #10
                    Originally posted by willowfabrics:
                    Do you really wish to know the rest?
                    I know the rest, don't worry. We are PCI compliant because we use a PSP. We could not possibly be if we did not.
                    Reusable Snore Earplugs : Sample Earplugs - Wax Earplugs - Women's Earplugs - Children's Earplugs - Music Earplugs - Sleep Masks



                      #11
                      Michael,

                      As mentioned you can charge on dispatch by using pre-authorisation. This is incredibly easy to do if you are using Actinic Payments as you simply press one button to action this while viewing the order.

                      I might add, although I couldn't possibly condone, the fact that the vast majority of the mail order community does not follow this particular card scheme rule. That applies if items are low value and are dispatched within a day or two.

                      One guy who runs a mail order company told me that they had shipped 18 million items that met this definition over several years and had (I think) 4 complaints about taking payment before dispatch.

                      Chris



                        #12
                        Compliance again, etc

                        According to the rules, we do not have to complete compliance documentation as we do not handle or access any card details in any form anywhere, but we have to do it because our bank fines us if we don't. Crazy. (We accept orders online only, using SagePay, no telephone orders, no mail orders, no faxed orders).

                        Regarding payment before despatch: it is considered OK as long as the goods are soon to be despatched. Obviously with any online retail shop, payment is taken before despatch. In our case, we despatch on the same working day, or the next working day if not a working day. Very occasionally we send an out-of-stock item later at our carriage expense if there was a stock quantity error online. Occasionally a customer asks for delayed despatch, wanting delivery on a particular day, and we oblige. We have never in 22 years had anybody complain about our taking payment (customer is making the payment rather than our "taking" it) before despatch.

                        Sarah



                          #13
                          Thank you all for the interest.

                          I will go through all your points next week; but in addition to two large trading web sites, one retail (willowfabrics.com) and one wholesale (heebee-trade.co.uk), we have a shop and accept orders by telephone, fax and post in addition to the online carts. (Only one takes cards.)
                          Our sites run on a separate server with only our stuff on it, and the remote terminal is always disconnected unless the server is being worked on.
                          We have many purchase-to-order items and, despite £120k of stock, still run out. We also have direct links to manufacturers who no longer carry stock in vast quantities and often have a manufacturing delay of up to 6 weeks. On occasion supply to us has been delayed by over 3 months.
                          This may be aggravated by importing from Europe and the USA. We have looked at things like Actinic Pay but it would most likely push us to extra staff.
                          Additionally we run pre-order schemes for articles that may not be on the market for some months.
                          All of which cause PSPs to be deprecated!
                          I continue to listen and will answer all points next week.



                            #14
                            PCI-DSS Compliance Customer log in.

                            Hi
                            I am working through some 100 issues raised by this scan!
                            I have a number of Medium severity issues relating to my customer registration and log on.

                            Since none of our customers log in I would like to remove the option but there is no tick box to enable me to do this. How do I do it? I have Business 9.

                            help appreciated
                            Brian



                              #15
                              Many Points

                              Sorry to be so tardy replying!
                              Kirthi, I agree it is peculiar if you have two sites, one using CC cards and one NOT, but that's the way of it.
                              BUT the annual form is filled in because we take cards for customer present and from customers that mail in. It's then so complicated that one might just as well go the whole hog and save the fixed 20p and the high % rates.

                              Session IDs: I think Trustwave is more worried about taking over the server than getting "a customer's details". This is why we remove the remote terminal facility; but I guess a good hacker could turn it on again and become the man in the middle.

                              Chris, we started down the route of not charging until we sent the goods many years ago and it seems to be expected of us. Our back orders system allows for both "already paid" and "To Pay"; naturally we pay the carriage out of our funds when we fail to send something with the main lot.
                              Some of our products cannot be sold in mixed production lots, which means we are frequently forced to order in for the customer even though we have stock.

                              We have always been sensitive on customer service, upfrontedness etc., as any lost customers or complaints are dangerous in today's social media and belt-tightening times.

                              Saucysal Sarah, I LIKE "(customer is making the payment rather than our "taking" it)" but...
                              Form filling I too find it a pain but it reminds one to refresh the staff's minds and ones own there are also several levels some with more questions than others and stricter standards. By the way how are you informing the FBI in the event of an event? !!!!

                              Mike Hughes, my ISP feels that the bigger sites don't get caught on the guessability of session IDs as they process so many orders a minute, whereas with 60 orders an hour the ID does not change very often?
                              We have looked at pre-authorise but it seems just to add to the workload. I guess the next biggest problem after cost is the extra time PSP functions use.

                              Happy Days to All
