All but 1 appear to be server based. The Actinic issue looks to be from the search box ... in that it is allowing entry of data onto an HTTPS page... injecting strings into fields is a known entry point for hackers as the server response can provide info on what server / system you are running - enough to allow known vulnerabilities to be exploited. (turning off error reporting is often wise if you can)

At what risk level do they stop you using their services? Some of the lower risks may be passable.

Thanks for the reply Jont.

To answer your question - Any issue with Level 4 or above is considered as failed.

Im pursuing this will our webhosting company and this is the e-mail reply I received back from them. - Shocking to say the least.

So I have got SecurityMetrics themselves to thrash it out with our web hosting company, instead of either side using me as a middle man.

We paid for the services of SecurityMetrics, so least they can do is contact our web host direct.

Am at the moment waiting back from an e-mail i sent to both parties.

Worse case scenario - We switch web hosts with a host that is PCI DSS compliant. Leads me onto my question - Anyone know of a host that is? What about Pinbrook ?

I dont think Jo has a very high opinion of secure metrics

D

ok the thing here is you are not going to get PCI compliant hosting on a shared server UNLESS the host is selling it as PCI compliant shared hosting. It simply is not possible. Your scan failed because it isn't a PCI compliant server, i'm suprised you even got the scan to work - one of my beefs with SM is they keep asking up to open pur ports/firewall/security to let them in to scan - we refuse as to us (taking the highground) if they can't get past to do a scan - well enough said - as well as the fact they do not need to scan our servers as all CC processing on on PSPs PCI compliant servers. PCI is all about risk to CC data, its storage and its transit - by using PSP this is taken care for you by the PSP. SM say they want to scan the website to ensure there are no vulnerabilities between you and the PSP, this is tosh all you need to declare is which PSP you are using.

You have several options

1 ditch security Metrics and go self certified (which you can for Level 4) and use PSP

2 use US hosting for PCI as they are a few years ahead of the UK - where you will be still lucky to find PCI/shared

3 find a UK based PCI shared server (we were going to offer this but probably will not due to the logistics of keeping it compliant whilst allowing people sufficient freedom to actually upload software/scripts - just imagine the risk to us -claiming PCI and a client uploads and insecure script, at the same time we get our 3 monthly scan - we lose compliance for all clients on the server due to the negligence of just one)

4 go dedicated server

Our advise to our current hosting base (Level 4) is self cert. Levels1,2,3 clients have gone for dedicated.

Hi,
Thanks for the input really appreciate it, and the advice.
I kind of got the impression not many people thought highly of Secure Metrics on here, but unfortunately its BarclayCard who use these, so we had no choice. I was just told secure metrics are going to be doing a security scan, blah blah...

I obviuosly need to put some options forward to the boss...

[QUOTE=pinbrook]
1 ditch security Metrics and go self certified (which you can for Level 4) and use PSP [quote]

Sounds like a good idea which i can put forward to the Boss, so how do we go about doing this? - To become self certified.

Any recommendations? I dont want to get burnt again and give the boss options of useless hosting companies that offer dedicated server packages!

Thanks, and wait in great anticipation for your reply!

this should all be i nthe info pack sent by Barlcays, if it isn't there are many PCI websites out there with all the info

as up says SM are talking out thier arse again.

here's the sticky on pcidss compliance

just bookmarking this to get it up in searches

http://community.actinic.com/showthread.php?t=36217

and of course get all pci in one thread - dream on

O.K Hopefully can get this problem sorted out from this post I will write out now.

We were contacted by Barclays about being compliance with PCI DSS as we just recently setup our online ordering website.
My boss informed me that a company called Security Metrics would be performing some tests on our website and attempt to gain access to our server.

So at this point I was not aware that Barclays offer you the option of :

a) Doing Self-Assessment Questionnaire (which I assume is the Self Certification)
b) Using a BarclayCard Business Partner - SecurityMetrics do carry out tests
c) Use an Independant Assessor (not for us as we are Level 4)

So a and c was bypassed without my knowledge and boss has obviously gone with B. Because it states in teh letter from barclays that if you do the self assessment only and do not comply you will be liable for penalty costs.

So...

Security Metrics have done a test on the website and on our server. It passed the server test and failed on 5 vulnerabilities regarding the website. So these tests carried out on the website is testing the web hosting server.

With regards to the website handling credit card details we use a PSP (Secure Hosting) which are PCI DSS compliant.

The test results that came back regarding this security test on the website reads as follows:

So am I right in thinking that even though this test has FAILED our website IS PCI DSS compliant.
It only means that we cannot use the securtiy tested logo on our website?

If the answer is YES then GREAT! lol.


We still on the secureitymetrics website have to complete the online self-assessment questionnaire which will in turn based on our answers inform us if we have passed.

I know for a fact there are some questions on this self-assessment that we do not adhere too for in-house (as we DO take mail orders and hold CC details in-house) but this is something else we need to address.

My concern at the moment is being compliant with the website.


Finally....

This security test that failed on the website has addressed the issue that the web hosting company we use are not security conscious and are vulnerable so this is something i need to address to my boss and give him what options he has. Whether he says with current host and accepts this, or moves to another shared hosting company where there is potentially less security risk OR switch to a dedicated server.

Am I right with everything i have written above?
Reason I ask this is because the security test failed on the site, my thinking was we have failed the PCI DSS test!
But having been given the full letter now from my boss I'm thinking I have been wrong!

Thanks

I'd suggest you bail out of SM and go for a)

technically your website doesn't need to comply as you do not do any CC processing on the website itself. You only need your CC processing to comply (ie PSP) - there is no transit of CC data between your website and the PSP (who will be compliant)

the test was performed on a non PCI compliant server so i would expect it to fail. You can't realisitically expect this host to comply as they aren't advertising the server as compliant. As previously stated you do not need your site to be scanned, this is just SM being daft. You are using Secure hosting for CC they ARE compliant

"1 ditch security Metrics and go self certified (which you can for Level 4) and use PSP"

Just to be clear, if the merchant does not take or store CC details (eg over the phone), and only uses a PSP on their website, even this is unecessary?

This isn't an issue for us (so far!) - we use Cardnet as our Merchant Provider and they aren't chasing anyone and our PSP is Secure Hosting.

But wanted to thank Gavin for taking the time to post the full details of his struggle so far and to Jo for clear insights - this will be usefull for all of us in the future I think.

Thanks Sean, it is nice to be appreciated from time to time

At present it seems the people who are being asked to comply are those using BMS. In time other merchant account providers will be asked to comply too.

if you have a merchant account you will still need to tell/show your provider how you comply. You will be contacted at some date in the foreseeable future.

OK Regarding the vulnerabilities we have on the web hosting side of things, this is the reply i have had back from SecurityMetrics from Thursday (although I had to ring them yesterday to push on getting a reply back!).

I did send them a link to a PHP config file on our site that actually shows that we are using the latest version of PHP. So the statement above has confused me a little!