    PCI DSS Compliance

    Hello All,

    I'm afraid this has got the better of me.

    I currently use Actinic Payments and have no CC details stored on any computer, so I believe I can self certify. Streamline use Arsenal who insist I also scan my network, which fails. I have no idea how to proceed and Streamline / Arsenal are uninterested.

    Which companies do you use for merchant accounts that have great customer service and have been really helpful in complying?

    Thank you for the kind words and consolation.

    Robert
    Robert Johnston
    www.gentlemans-shop.com

    #2
    This is the thread for you:

    http://community.actinic.com/showthread.php?t=34718

    I have a client using AP with streamline and they've never been approached by Arsenal, who got them involved?

    webD's Blog: Website design, SEO and other ramblings…


      #3
      We use AP / Streamline and have also received a letter from Streamline / RBS Worldpay in the last few days.
      Luckily I had already completed the SAQ C and passed a PCI network scan with Comodo/Hacker Guardian so only had to register with Arsenal Security Group and upload my SAQ and Scan Report free of charge.


      I did email Streamline / RBS Worldpay to check whether the network scans were quarterly or annual as the Streamline Merchant Guide states only annual scans are required for Level 4 and quarterly for Levels 1-3 and got this reply:
      Scans are required on a quarterly basis. Thank you for bringing this to our attention so we can update accordingly.

      Please note that scans are only required for merchants completing Self Assessment Questionnaire C or D. It is simply a default field on the Arsenal portal.
      Robert, if you are using a PSP and not using the virtual terminal, MOTO, etc. you may not need the network scans.
      Darren Guppy
      Golf Tee Warehouse
      Golf Tees and Golf Accessories.



        #4
        Thank you Darren, that cheered me up no end!

        Regards, Robert
        Robert Johnston
        www.gentlemans-shop.com



          #5
          Also see the PCI DSS section within Services | Payments on the Actinic web site.

          Chris



            #6
            Originally posted by cbarling:
            Also see the PCI DSS section within Services | Payments on the Actinic web site.

            Chris
            This was my first port of call and very helpful.

            We use Actinic payments MOTO so a network scan is necessary.

            I initiated a scan of my Actinic hosted website, which failed, so am sticking with the network scan which fails because I need to replace my DNS.

            I have no idea what this is so have called in a local networking company.

            Having done nothing else since 8am I am leaving it alone for now.

            Thank you anyway, Robert
            Robert Johnston
            www.gentlemans-shop.com



              #7
              Originally posted by Robert Johnston:
              I initiated a scan of my Actinic hosted website, which failed
              If you are using a PSP I don't believe a scan of your website is necessary, although as you are using Actinic payments MOTO the network scan would still be required.
              Darren Guppy
              Golf Tee Warehouse
              Golf Tees and Golf Accessories.



                #8
                Sorry to keep banging on about this, but...

                To pass the required PCI DSS scanning requirements I have been advised that I will need a dedicated server to achieve the correct level of security. The main problem appears to be that without a configured server "DNS Cache Snooping" is allowed.

                Including updating our computers I have been quoted approx £10,000, which is simply not worth it for the level of business that the Actinic payments MoTo facility generates.

                I cannot believe that I am the only Actinic customer not using a server, so how do you secure a network without all this and can anyone recommend a product to help with this?
                Robert Johnston
                www.gentlemans-shop.com

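For readers wondering what the "DNS Cache Snooping" finding in the post above actually tests, here is an added example (not code from this thread, Actinic, Comodo or Arsenal) of the probe an ASV scanner runs. A DNS query is sent with the RD (recursion desired) bit clear; a resolver that still answers from its cache reveals which names have recently been looked up through it. The hostname, the 192.0.2.x addresses and the four sample replies are constructed for the offline demo; `probe()` is the live version and needs network access.

```python
"""Added example (not code from the forum thread or from Actinic): a
stdlib-only DNS cache-snooping probe of the kind an ASV scan performs.
It sends a query with the RD (recursion desired) bit clear. A resolver that
still answers such a query from its cache discloses which names have been
looked up through it recently, which is the 'DNS Cache Snooping' finding.
Hostname and IP addresses used below are placeholders / constructed data."""
import socket
import struct

RCODE_REFUSED = 5


def build_query(name: str, txid: int = 0x1234, recursion_desired: bool = False) -> bytes:
    """Build a DNS A/IN query; RD=0 (the default here) is the snooping variant."""
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(data: bytes, offset: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, then done
            return offset + 2
        offset += 1 + length


def parse_response(data: bytes) -> dict:
    """Extract the header bits and A answers that matter for the snooping test."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):                # skip the question section
        offset = _skip_name(data, offset) + 4
    answers = []
    for _ in range(an):
        offset = _skip_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((socket.inet_ntoa(rdata), ttl))
    return {"txid": txid, "rcode": flags & 0x000F, "aa": bool(flags & 0x0400),
            "answers": answers}


def classify(resp: dict) -> str:
    """Interpret the reply to an RD=0 query.
    authoritative: AA set, the server owns the zone; not a cache, so not a finding
    refused:       server rejects non-recursive queries; nothing disclosed
    cached:        non-authoritative answer without recursion -> name was in cache
    not-cached:    no answer for this name (it may simply not have been queried)"""
    if resp["aa"]:
        return "authoritative"
    if resp["rcode"] == RCODE_REFUSED:
        return "refused"
    if resp["answers"]:
        return "cached"
    return "not-cached"


def build_response(query: bytes, ips, aa: bool = False, rcode: int = 0, ttl: int = 300) -> bytes:
    """Construct a reply to `query`; used here only to fabricate offline samples."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8000 | 0x0080 | (0x0400 if aa else 0) | rcode   # QR, RA, optional AA
    header = struct.pack("!HHHHHH", txid, flags, 1, len(ips), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
                   for ip in ips)      # 0xC00C points back at the question name
    return header + query[12:] + rrs


def probe(server: str, name: str, timeout: float = 2.0) -> str:
    """Live version: send the RD=0 query over UDP/53 and classify the reply."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    resp = parse_response(data)
    if resp["txid"] != struct.unpack("!H", q[:2])[0]:
        raise ValueError("transaction id mismatch")
    return classify(resp)


def demo() -> dict:
    """Classify four constructed replies for a placeholder name (no network)."""
    q = build_query("shop.example")                                   # placeholder hostname
    samples = {
        "cache hit":     build_response(q, ["192.0.2.10"]),           # TEST-NET-1 address
        "cache miss":    build_response(q, []),
        "authoritative": build_response(q, ["192.0.2.10"], aa=True),
        "refused":       build_response(q, [], rcode=RCODE_REFUSED),
    }
    return {label: classify(parse_response(pkt)) for label, pkt in samples.items()}


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:14s} -> {verdict}")
```

A "cached" verdict from `probe(<your static IP>, <some popular name>)` means something at that address is answering DNS queries from the Internet at all, which on a small office connection is usually the router's own DNS forwarder or a device the ISP manages. The usual fix is to stop that service listening on the WAN side, or to have it refuse non-recursive queries from outside; neither needs a dedicated server.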


                  #9
                  I am not using a server and passed a network scan at the first attempt, so am surprised to hear of the cost necessary for your office network to pass.
                  I can understand the difficulty if you were trying to get the website to pass.

                  Who are you using for the network scan?

                  Do you have a dynamic or static IP?

                  I assume you have given the scanning company the IP of your office and not your website in error.
                  Darren Guppy
                  Golf Tee Warehouse
                  Golf Tees and Golf Accessories.



                    #10
                    Were you given any more information about where the problem lies?
                    If the problem is with your ISP, could switching ISPs solve the problem?

                    Are you running your own mailer server or allow access to your network from outside your office?

                    The details are way beyond my knowledge so unable to offer much help myself.
                    Darren Guppy
                    Golf Tee Warehouse
                    Golf Tees and Golf Accessories.



                      #11
                      Hi Darren, to the rescue again.

                      I have a static IP address, which I have submitted to both Arsenal Security and Comodo. I do not run a mail server either.

                      My ISP, Opal Solutions, have never heard of PCI DSS, so perhaps it's time to move!

                      Cheers, Robert
                      Robert Johnston
                      www.gentlemans-shop.com



                        #12
                        Originally posted by Golf Tee Warehouse:
                        Were you given any more information about where the problem lies?
                        If the problem is with your ISP, could switching ISPs solve the problem?

                        Are you running your own mailer server or allow access to your network from outside your office?

                        The details are way beyond my knowledge so unable to offer much help myself.
                        Mind me asking what kind of router you are using? I could try a new one as a first stop.

                        Robert
                        Robert Johnston
                        www.gentlemans-shop.com



                          #13
                          Originally posted by Robert Johnston:
                          Mind me asking what kind of router you are using? I could try a new one as a first stop.
                          I currently have a Netgear DG834G.

                          It might be worth looking through the security options in your router to see if there are any options which you could tighten up on, although I don't think this would affect the 'DNS Cache Snooping' (which I have not heard of before).

                          It might also be worth checking for open ports by using the free port probing service called 'Shields Up' at https://www.grc.com/x/ne.dll?bh0bkyd2 which will scan 1056 ports and hopefully will show all ports with a status of 'Stealth'.
                          Darren Guppy
                          Golf Tee Warehouse
                          Golf Tees and Golf Accessories.



                            #14
                            Robert, the guys that are talking to you are either not properly informed, or are trying it on in order to get some fees.

                            I've been speaking to the people that head up PCI DSS in the banks and this stuff is NOT required in your situation. If they continue to press, then I suggest that you switch from Streamline to one of the other banks.

                            If you want to discuss this in more detail, please email me privately and I will give you a call. There was a similar problem with Security Metrics when they first started doing a similar job for Barclaycard. Barclaycard were very interested in the feedback they received through us on the messages that were going out. Several corrections later, the problem has gone away.

                            Maybe you can get your contact to view this thread and email me too. Then I can be sure what is being said before discussing it with the PCI DSS team at RBS/Natwest.

                            Chris



                              #15
                              Robert,

                              Was it Arsenal Security and Comodo that mentioned the 'DNS Cache Snooping', etc.?

                              I use Streamline and registered with Arsenal Security but didn't use their scanning and simply had to pass the Comodo Hacker Guardian network scan and upload the pdf format scan report to Arsenal.
                              Darren Guppy
                              Golf Tee Warehouse
                              Golf Tees and Golf Accessories.
