    anyone passing security metrics scans?

    Hello,
    I am looking to move host as my domain is failing the security scans, and talking to my host about it is like talking to a brick wall. It seems that there are hosts who are responding to the tests and making the adjustments that are necessary to achieve passes for their clients. Reading the threads here I know that the general advice is to change from BMS, but if it is possible to move to a host that passes the tests, then that is preferable on the grounds of security (and I believe it will come to all eventually). I am currently looking at changing from shared hosting to a VPS (linux cpanel package) with a co-operative host.

    I would appreciate it if anyone who has gone through this and now has an actinic catalog site that is passing security metrics tests can share their host and package details, (if they can recommend them)?

    thanks
    Mark

    #2
    Do you use a PSP? Do you NOT take telephone orders? If the answer to both is yes, then stuff Security Metrics. You can complete a self assessment PCI questionnaire.
    Reusable Snore Earplugs : Sample Earplugs - Wax Earplugs - Women's Earplugs - Children's Earplugs - Music Earplugs - Sleep Masks

    Comment


      #3
      Enter stage left GAVIN

      Comment


        #4
        Lol @ Darren. Can't wait for the inevitable protracted discussion all over again.
        Reusable Snore Earplugs : Sample Earplugs - Wax Earplugs - Women's Earplugs - Children's Earplugs - Music Earplugs - Sleep Masks

        Comment


          #5
          Originally posted by guccij:
          Do you use a PSP? Do you NOT take telephone orders? If the answer to both is yes, then stuff Security Metrics. You can complete a self assessment PCI questionnaire.

          I do use a psp and I do take telephone orders.

          Hopefully there are others out there whose websites do pass the tests. I want to achieve that too, so I am interested to hear from those that are achieving it.

          Mark

          Comment


            #6
            Until Security Metrics come to your door lookin' like this, ignore everything they say, it's all bollocks.

            Comment


              #7
              There are loads of websites that do pass the tests. They tend to be the big ones though. For us, it was easier and cheaper to stop taking phone orders.
              Reusable Snore Earplugs : Sample Earplugs - Wax Earplugs - Women's Earplugs - Children's Earplugs - Music Earplugs - Sleep Masks

              Comment


                #8
                I do use a psp and I do take telephone orders.
                If you use a PSP then your server doesn't need to pass a test. (as long as the card details are taken on the psp's server, not yours)

                If you accept telephone orders and these are entered to your psp via your computer then your computer (not your server) has to pass an external scan.

                This has all been explained and discussed before in detail.

                Mike
                -----------------------------------------

                First Tackle - Fly Fishing and Game Angling

                -----------------------------------------

                Comment


                  #9
                  At the risk of repeating myself:

                  - case 1: take card payments by capturing card details at the PSP's web site, don't take phone orders. Just complete the documentation yourself. You don't need a Security Metrics scan of your web site.

                  - case 2: take card payments by capturing card details at the PSP's web site, take phone orders by entering at the PSP web site (in Actinic Payments this is automatically linked, with Sage Pay use their virtual terminal). Get an EXTERNAL scan of your INTERNAL network from Security Metrics. You should have at least your Windows firewall turned on on every machine so the external scan should show up clear. Make sure you have up to date virus protection on every PC. Complete the documentation yourself.

                  I agreed this with the PCI DSS Director at Barclays.

                  For anyone except a fairly large business, I wouldn't recommend any other approach than cases 1 & 2 above.

                  There is a more detailed version of this elsewhere on the community if you search.

                  Chris

                  Comment
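An added example, not from this thread or any poster: a PowerShell check a shop owner could run on each order-entry PC before booking the case 2 external scan, covering the two points Chris lists (Windows firewall on, virus protection current). It assumes Windows 8 / Server 2012 or later with the NetSecurity and Defender modules, run from an elevated prompt; the 7-day signature threshold is an assumption for this example, not a PCI figure.

```powershell
# Added example (not from the thread): pre-scan self-check for a Windows PC
# used to key phone orders into the PSP's virtual terminal.
$failures = @()

# Windows Firewall must be enabled on the Domain, Private and Public profiles,
# and should drop unsolicited inbound connections by default.
foreach ($profile in Get-NetFirewallProfile) {
    if (-not $profile.Enabled) {
        $failures += "Firewall profile '$($profile.Name)' is disabled"
    }
    if ($profile.DefaultInboundAction -ne 'Block') {
        $failures += "Firewall profile '$($profile.Name)' does not block inbound by default"
    }
}

# Windows Defender: real-time protection on and signatures updated recently.
# The 7-day limit is an assumption chosen for this example.
$status = Get-MpComputerStatus
if (-not $status.RealTimeProtectionEnabled) {
    $failures += "Real-time antivirus protection is switched off"
}
if ($status.AntivirusSignatureAge -gt 7) {
    $failures += "Antivirus signatures are $($status.AntivirusSignatureAge) days old"
}

# Report. Anything listed here is what the external scan is likely to flag.
if ($failures.Count -eq 0) {
    Write-Output "PASS: firewall on for all profiles, antivirus protection current"
} else {
    $failures | ForEach-Object { Write-Output "FAIL: $_" }
}
```

Run it on every machine that touches card details; a clean result is a precondition for the scan, not a substitute for it.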


                    #10
                    Originally posted by guccij:
                    There are loads of websites that do pass the tests. They tend to be the big ones though. For us, it was easier and cheaper to stop taking phone orders.

                    I had thought that it was only the big guys with dedicated servers that could pass the tests. However, I saw a thread on the web suggesting that a VPS hosted by eukhost would pass the scans. I approached them and they say they can do it; it costs no more than my current shared hosting account. Seems too good to be true, but if it is.... I see there are a few offering very similar packages, I was just hoping someone here has already gone this route and could make a recommendation.

                    Mark

                    Comment


                      #11
                      I would advise against as it gives a false sense of security. Just because you pass the test doesn't make you secure, and if you use a compliant PSP you do not need to pass these tests at your web site.

                      Just to be clear, if you pass the test, and someone hacks into your site and starts collecting card details, you will be liable. It's better to leave the problem with a PSP that specialise in security protection of card details.

                      Chris

                      Comment


                        #12
                        It can be done on any webserver, however it is not normally done because tightening up security for these scans could have a knock on effect to other customers when using shared hosting.

                        So if you want it and require it, most hosts will only do it on a dedicated or VPS because the security has been adjusted to suit you and won't have a knock on effect with other users. The costs are the time it takes someone to read the problems, understand them and make the changes. A lot of hosts have already done this so pretty much know what to turn on already, so the cost is a few mins making changes to a standard setup.

                        Comment


                          #13
                          Originally posted by cbarling:
                          take card payments by capturing card details at the PSP's web site, take phone orders by entering at the PSP web site (in Actinic Payments this is automatically linked).
                          This is your best option

                          Chris, have you started this referral scheme yet?

                          Comment


                            #14
                            Isn't the problem here that SM will insist on the server being secure even if it doesn't need to be because they are being pushed by the OPs bank/PSP?

                            Aquazuro - designer stainless steel accessories

                            Comment


                              #15
                              There were some posts a while back about someone actually getting some joy and understanding from Barclays and thus getting SM off their case. It might be worth searching for those posts if you're with Barclays.

                              Comment
