Failed Security Metrics PCI DSS Test - Help!



    OK, I have already posted regarding the PCI DSS compliance we received. Barclays are using a company called Security Metrics and have done a scan on our website. The results I have attached. However, I am unsure as to what they actually mean! Can anyone shed some light on this?

    What I don't understand is that I am using Actinic Business v7 and yet the results have come back as FAILED on our website - which of course concerns me.

    Is this a fault with Actinic OR is this something to do with our web host?

    If anyone can shed any light on this I would be extremely grateful.
    Attached Files

    #2
    All but 1 appear to be server based. The Actinic issue looks to be from the search box ... in that it is allowing entry of data onto an HTTPS page... injecting strings into fields is a known entry point for hackers as the server response can provide info on what server / system you are running - enough to allow known vulnerabilities to be exploited. (turning off error reporting is often wise if you can)

    At what risk level do they stop you using their services? Some of the lower risks may be passable.


    Bikster
    SellerDeck Designs and Responsive Themes



      #3
      Thanks for the reply Jont.

      To answer your question - Any issue with Level 4 or above is considered as failed.

      I'm pursuing this with our web hosting company and this is the e-mail reply I received back from them - shocking to say the least.

      Hello,

      We found that the test you have done fails on 4 different factors. Following is an explanation of why these tests failed:
      1. PHP version: Please note that the server on which your domain is hosted is a shared server. If we upgrade the version to 5.2.5, many clients using the older version will be required to make changes to their scripts. Thus we have dual PHP, so that clients who wish to use PHP 5.2 can do so via their Plesk control panel.

      2. MySQL: All the domains hosted on the server are allowed to have a MySQL database and they should be able to access it from any location, thus we cannot restrict access to the database to allowed IPs.

      3, 4. HTTP and HTTPS on ports 80 and 443 are required to run your websites on the server. Also we are running the latest version of IIS, version 6.0.

      So I have got SecurityMetrics themselves to thrash it out with our web hosting company, instead of either side using me as a middle man.

      We paid for the services of SecurityMetrics, so least they can do is contact our web host direct.

      I am at the moment waiting for a reply to an e-mail I sent to both parties.

      Worst case scenario - we switch web hosts to a host that is PCI DSS compliant. Leads me on to my question - anyone know of a host that is? What about Pinbrook?



        #4
        Originally posted by GAViN™©
        Anyone know of a host that is? What about Pinbrook ?
        I don't think Jo has a very high opinion of Security Metrics

        D



          #5
          OK, the thing here is you are not going to get PCI compliant hosting on a shared server UNLESS the host is selling it as PCI compliant shared hosting. It simply is not possible. Your scan failed because it isn't a PCI compliant server; I'm surprised you even got the scan to work. One of my beefs with SM is they keep asking us to open our ports/firewall/security to let them in to scan - we refuse, as to us (taking the high ground) if they can't get past to do a scan - well, enough said - as well as the fact they do not need to scan our servers as all CC processing is on PSPs' PCI compliant servers. PCI is all about risk to CC data, its storage and its transit - by using a PSP this is taken care of for you by the PSP. SM say they want to scan the website to ensure there are no vulnerabilities between you and the PSP; this is tosh, all you need to declare is which PSP you are using.

          You have several options

          1 ditch security Metrics and go self certified (which you can for Level 4) and use PSP

          2 use US hosting for PCI as they are a few years ahead of the UK - where you will be still lucky to find PCI/shared

          3 find a UK based PCI shared server (we were going to offer this but probably will not due to the logistics of keeping it compliant whilst allowing people sufficient freedom to actually upload software/scripts - just imagine the risk to us - claiming PCI and a client uploads an insecure script, at the same time we get our 3 monthly scan - we lose compliance for all clients on the server due to the negligence of just one)

          4 go dedicated server

          Our advice to our current hosting base (Level 4) is self cert. Levels 1, 2, 3 clients have gone for dedicated.



            #6
            Hi,
            Thanks for the input really appreciate it, and the advice.
            I kind of got the impression not many people thought highly of Security Metrics on here, but unfortunately it's BarclayCard who use these, so we had no choice. I was just told Security Metrics are going to be doing a security scan, blah blah...

            I obviously need to put some options forward to the boss...

            Originally posted by pinbrook
            1 ditch security Metrics and go self certified (which you can for Level 4) and use PSP

            Sounds like a good idea which i can put forward to the Boss, so how do we go about doing this? - To become self certified.

            Originally posted by pinbrook
            4 go dedicated server
            Our advice to our current hosting base (Level 4) is self cert. Levels 1, 2, 3 clients have gone for dedicated.
            Any recommendations? I don't want to get burnt again and give the boss options of useless hosting companies that offer dedicated server packages!

            Thanks, and wait in great anticipation for your reply!



              #7
              Sounds like a good idea which i can put forward to the Boss, so how do we go about doing this? - To become self certified.
              this should all be in the info pack sent by Barclays; if it isn't, there are many PCI websites out there with all the info



                #8
                as up says, SM are talking out of their arse again.



                  #9
                  here's the sticky on pcidss compliance

                  just bookmarking this to get it up in searches

                  http://community.actinic.com/showthread.php?t=36217

                  and of course get all pci in one thread - dream on



                    #10
                    O.K. Hopefully I can get this problem sorted out from this post I will write out now.

                    We were contacted by Barclays about being compliant with PCI DSS as we have just recently set up our online ordering website.
                    My boss informed me that a company called Security Metrics would be performing some tests on our website and attempt to gain access to our server.

                    So at this point I was not aware that Barclays offer you the option of :

                    a) Doing Self-Assessment Questionnaire (which I assume is the Self Certification)
                    b) Using a BarclayCard Business Partner - SecurityMetrics do carry out tests
                    c) Use an Independent Assessor (not for us as we are Level 4)

                    So a and c were bypassed without my knowledge and the boss has obviously gone with b, because it states in the letter from Barclays that if you do the self assessment only and do not comply you will be liable for penalty costs.

                    So...

                    Security Metrics have done a test on the website and on our server. It passed the server test and failed on 5 vulnerabilities regarding the website. So these tests carried out on the website are testing the web hosting server.

                    With regards to the website handling credit card details we use a PSP (Secure Hosting) which are PCI DSS compliant.

                    The test results that came back regarding this security test on the website reads as follows:

                    SecurityMetrics has determined that this merchant is not compliant
                    with the PCI scan requirement for this computer. The computer fails
                    because a risk of 4 or more was found. You may not use the Security
                    Tested logo until the computer passes. Look in the Security
                    Vulnerabilities section below for instructions to reduce your security risk.

                    So am I right in thinking that even though this test has FAILED, our website IS PCI DSS compliant?
                    It only means that we cannot use the Security Tested logo on our website?

                    If the answer is YES then GREAT! lol.


                    We still have to complete, on the SecurityMetrics website, the online self-assessment questionnaire, which will in turn, based on our answers, inform us if we have passed.

                    I know for a fact there are some questions on this self-assessment that we do not adhere to in-house (as we DO take mail orders and hold CC details in-house) but this is something else we need to address.

                    My concern at the moment is being compliant with the website.


                    Finally....

                    This security test that failed on the website has addressed the issue that the web hosting company we use are not security conscious and are vulnerable, so this is something I need to address to my boss and give him what options he has. Whether he stays with the current host and accepts this, or moves to another shared hosting company where there is potentially less security risk, OR switches to a dedicated server.

                    Am I right with everything I have written above?
                    The reason I ask this is because the security test failed on the site, so my thinking was we had failed the PCI DSS test!
                    But having now been given the full letter from my boss I'm thinking I have been wrong!

                    Thanks



                      #11
                      So at this point I was not aware that Barclays offer you the option of :

                      a) Doing Self-Assessment Questionnaire (which I assume is the Self Certification)
                      I'd suggest you bail out of SM and go for a)

                      So am I right in thinking that even though this test has FAILED our website IS PCI DSS compliant.
                      technically your website doesn't need to comply as you do not do any CC processing on the website itself. You only need your CC processing to comply (i.e. the PSP) - there is no transit of CC data between your website and the PSP (who will be compliant)

                      This security test that failed on the website has addressed the issue that the web hosting company we use are not security conscious and are vulnerable so this is something i need to address to my boss and give him what options he has. Whether he says with current host and accepts this, or moves to another shared hosting company where there is potentially less security risk OR switch to a dedicated server.
                      the test was performed on a non PCI compliant server so I would expect it to fail. You can't realistically expect this host to comply as they aren't advertising the server as compliant. As previously stated you do not need your site to be scanned, this is just SM being daft. You are using Secure Hosting for CC; they ARE compliant



                        #12
                        "1 ditch security Metrics and go self certified (which you can for Level 4) and use PSP"

                        Just to be clear, if the merchant does not take or store CC details (e.g. over the phone), and only uses a PSP on their website, even this is unnecessary?

                        Aquazuro - designer stainless steel accessories



                          #13
                          This isn't an issue for us (so far!) - we use Cardnet as our Merchant Provider and they aren't chasing anyone and our PSP is Secure Hosting.

                          But I wanted to thank Gavin for taking the time to post the full details of his struggle so far and Jo for clear insights - this will be useful for all of us in the future I think.
                          Kind Regards
                          Sean Williams

                          Calamander Ltd



                            #14
                            Thanks Sean, it is nice to be appreciated from time to time

                            At present it seems the people who are being asked to comply are those using BMS. In time other merchant account providers will be asked to comply too.

                            "1 ditch security Metrics and go self certified (which you can for Level 4) and use PSP"

                            Just to be clear, if the merchant does not take or store CC details (e.g. over the phone), and only uses a PSP on their website, even this is unnecessary?
                            if you have a merchant account you will still need to tell/show your provider how you comply. You will be contacted at some date in the foreseeable future.



                              #15
                              OK, regarding the vulnerabilities we have on the web hosting side of things, this is the reply I have had back from SecurityMetrics from Thursday (although I had to ring them yesterday to push on getting a reply back!).

                              Gavin,

                              The PHP issue is one that I could not have removed from the test for you with your permission. With the PHP vulnerability we just need to know that it is either up to date or that it is a patched version. I can do the same thing with the IIS vulnerability since your host has stated they have the latest Service Pack/Patch level.

                              To resolve the SQL database issue, according to PCI requirements, there can be no open database on the domain/IP we are testing (Technical and Operational Requirements for Approved Scanning Vendors (ASVs) Version 1.1 pg. 2-5 (https://www.pcisecuritystandards.org...SVs_v1-1.pdf)).
                              To overcome the open database port we offer two suggestions.

                              The first suggestion is to filter the port per IP by means of an access control list (ACL) at the firewall. If an ACL is not possible because of the many individuals accessing the port.

                              The second option could be providing accesses through a secure web interface to the database. If you have an alternative solution, resulting in closing/filtering the database port to the public, please let us know.

                              Additionally, MySQL suggests, in their General Security Guidelines, to have the port not accessible to "untrusted hosts" or the general public (http://dev.mysql.com/doc/refman/4.1/...idelines.html). If you do a find on the page, for "port 3306" the location will take you to a bullet point referring to firewall settings and blocking unknown hosts.

                              What this may really come down to is the fashion in which they give access to the MySQL. Is access given via a command line? Or is it through a web based application? Because if it is via a web based application then that wouldn't require that port to be open.

                              -Sam

                              --
                              Sam Monsivais
                              SecurityMetrics Technical Support
                              samjm@securitymetrics.com
                              UK Support 020.7993.8031
                              US Support 801.705.5700

                              I did send them a link to a PHP config file on our site that actually shows that we are using the latest version of PHP, so the statement above has confused me a little!
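The first suggestion in the SecurityMetrics reply above is to filter the MySQL port per source IP with an ACL at the firewall, so that 80 and 443 stay public while 3306 answers only to named hosts. The following is an added example, not from the thread or from SecurityMetrics: a small checker that reads a simplified, iptables-save style INPUT chain (the ruleset, the allowlisted networks and the probe addresses are constructed for illustration) and reports whether a port is still reachable from an arbitrary public address, which is the condition the scan flags.

```python
"""Evaluate a first-match firewall ACL for the database port.

Added example (not the hosting company's or SecurityMetrics' configuration).
Models a simplified iptables-save INPUT chain: only '-p tcp', an optional
'-s <cidr>', '--dport <port>' and '-j ACCEPT|DROP|REJECT' are understood.
"""
import ipaddress
import re

# Constructed sample: the "weak" chain the scan complains about (3306 open to all).
WEAK_RULES = """
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 3306 -j ACCEPT
"""

# Constructed sample: the corrected chain. Web ports stay public; 3306 is
# allowed only from one management host and one application subnet
# (documentation ranges used as placeholders), then dropped for everyone else.
CORRECTED_RULES = """
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -s 203.0.113.10/32 --dport 3306 -j ACCEPT
-A INPUT -p tcp -s 198.51.100.0/24 --dport 3306 -j ACCEPT
-A INPUT -p tcp --dport 3306 -j DROP
"""

RULE_RE = re.compile(
    r"-A INPUT\s+-p tcp"
    r"(?:\s+-s\s+(?P<src>\S+))?"
    r"\s+--dport\s+(?P<dport>\d+)"
    r"\s+-j\s+(?P<target>ACCEPT|DROP|REJECT)$"
)
ANY = ipaddress.ip_network("0.0.0.0/0")


def parse_rules(text):
    """Return a list of (source_network, dport, target) in chain order."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported rule: {line!r}")
        src = ipaddress.ip_network(m.group("src")) if m.group("src") else ANY
        rules.append((src, int(m.group("dport")), m.group("target")))
    return rules


def verdict(rules, src_ip, dport, policy="DROP"):
    """First matching rule wins; the chain policy applies if nothing matches."""
    ip = ipaddress.ip_address(src_ip)
    for net, port, target in rules:
        if port == dport and ip in net:
            return target
    return policy


def exposed_to_public(rules, dport, policy="DROP"):
    """True if an address outside every allowlisted network reaches dport.

    Such an address can only match catch-all (0.0.0.0/0) rules, so the first
    catch-all rule for the port, or else the chain policy, decides.
    """
    for net, port, target in rules:
        if port == dport and net == ANY:
            return target == "ACCEPT"
    return policy == "ACCEPT"


def public_exposure(rules, ports=(80, 443, 3306)):
    """Map each port of interest to whether the public can reach it."""
    return {p: exposed_to_public(rules, p) for p in ports}


if __name__ == "__main__":
    for name, text in (("weak", WEAK_RULES), ("corrected", CORRECTED_RULES)):
        print(name, public_exposure(parse_rules(text)))
```

Rule order matters for first-match chains: if the catch-all DROP for 3306 were placed above the two allow rules, the allowlisted hosts would be dropped too, and `verdict` shows that directly. Running the same check against the output of `iptables-save` on a real host (restricted to the rule shapes the parser accepts) gives a quick pre-scan confirmation that the database port is no longer reachable from unlisted addresses.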
