PCI DSS Compliance

#16
I'm afraid it was Comodo who came up with that one!

Robert
Robert Johnston
www.gentlemans-shop.com


#17
I had no problem with my Comodo scan. Was it the same free one I used here: http://www.hackerguardian.com/hacker...free_scan.html? I assume it was a standard PCI scan and not a more involved one checking for other required vulnerabilities.

I think McAfee also do a free scan if you google 'McAfee free PCI scan', which might be worth trying.

Was the 'DNS Snooping' problem mentioned in an automated scan report, or was it brought up by a Comodo staff member in an email or telephone conversation?
Darren Guppy
Golf Tee Warehouse
Golf Tees and Golf Accessories.


#18
Hi Darren,

"DNS Snooping" was brought up by the free scan.

Regards, Robert
Robert Johnston
www.gentlemans-shop.com


#19
Interestingly (well, I thought it was), we "failed" the free Comodo scan but sailed through the paid-for SecurityMetrics scans.
As for DNS cache snooping, it looks as if there are solutions out there, for a price:
http://www.simpledns.com/kb.aspx?kbid=1250
I would have thought that a properly firewalled router would prevent this, or is that being naive?
Reusable Snore Earplugs : Sample Earplugs - Wax Earplugs - Women's Earplugs - Children's Earplugs - Music Earplugs - Sleep Masks


#20
Hello again,

Thank you for all your help and support on this one.

I have spoken to www.nettitude.com in the UK and have been advised to stop using Actinic for offline orders, and have therefore cancelled our merchant account linked to this facility.

We can still be PCI DSS SAQ B compliant now without having a scan: just write down customers' orders on bits of paper, envelopes preferably, and process them through the PDQ machine.

Will miss using our offline orders facility, but will sleep well tonight.

Regards, Robert
Robert Johnston
www.gentlemans-shop.com


#21
This sounds like more 'smoke and mirrors' for the security guys to try and sell their services.

From what I can tell, "DNS cache snooping" is just a way of querying a DNS server to see if it's recently resolved a DNS query from another domain.

i.e. by seeing if the DNS server has the result in its cache, you can tell whether someone from another domain has visited that domain recently.

So if you're using BT as your ISP, then someone could potentially discover that someone using BT has recently visited SagePay. But that's all it can do. It doesn't say which BT user it was, or what they did when they got there.

Using this, though, they could potentially find out which PSP your website is using.

Alternatively, to save messing about, they could just read your site's Ts & Cs or place a test order.

It seems like total nonsense to suggest this as a security vulnerability. Just more nonsense from the security industry to try and convince people they need regular security scanning for their websites.

Mike
-----------------------------------------

First Tackle - Fly Fishing and Game Angling

-----------------------------------------

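The mechanism Mike describes above is a non-recursive query (the RD flag left clear) sent to a resolver by an outside host: the resolver answers only if it already has the name cached, so the answer reveals what its own clients have been looking up. The defender's check is therefore simple to state: are such queries reaching your resolver from outside your own networks? The script below is an added example, not code from the original thread or from any of the vendors mentioned; it scans constructed query-log lines written in the style of BIND 9 query logging (assumed format: `client <ip>#<port> (<qname>): query: <qname> <class> <type> <flags> (<server ip>)`, where the first flag character is `+` when the client set RD and `-` when it did not) and reports RD-clear queries from non-local addresses. The network ranges and the SagePay/WorldPay names in the sample are assumptions chosen to match the thread.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample log lines (not real traffic) in the assumed BIND 9 query-log style.
# Lines 2 and 3 are the pattern of a cache-snooping probe: RD clear, external source,
# asking about payment-provider hostnames to learn which PSP the shop's staff use.
SAMPLE_LOG = """\
client 192.168.1.20#53211 (www.sagepay.com): query: www.sagepay.com IN A +E(0) (192.168.1.1)
client 203.0.113.5#4242 (www.sagepay.com): query: www.sagepay.com IN A - (192.168.1.1)
client 203.0.113.5#4243 (www.worldpay.com): query: www.worldpay.com IN A - (192.168.1.1)
client 198.51.100.9#1025 (example.co.uk): query: example.co.uk IN MX + (192.168.1.1)
client 192.168.1.33#60001 (example.co.uk): query: example.co.uk IN A -E(0) (192.168.1.1)
"""

# Assumed local ranges: a resolver should answer from cache only for these.
LOCAL_NETS = [ipaddress.ip_network("192.168.0.0/16"), ipaddress.ip_network("10.0.0.0/8")]

LINE_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+ \((?P<qname>[^)]*)\): query: "
    r"(?P<name>\S+) (?P<cls>\S+) (?P<type>\S+) (?P<flags>\S+)"
)


def is_local(ip: str) -> bool:
    """True if the client address falls inside one of LOCAL_NETS."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def find_snooping_probes(log_text: str) -> List[Dict[str, str]]:
    """Return queries that had RD clear and came from outside LOCAL_NETS.

    A resolver that answers these from cache is leaking what its own users
    resolved; a resolver that refuses them (or drops them at the firewall)
    is not vulnerable, but the attempts are still worth counting per client.
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated log line or unexpected format
        rd_clear = m.group("flags").startswith("-")
        if rd_clear and not is_local(m.group("ip")):
            hits.append({"client": m.group("ip"), "name": m.group("name"), "type": m.group("type")})
    return hits


if __name__ == "__main__":
    for hit in find_snooping_probes(SAMPLE_LOG):
        print(f"RD=0 query from {hit['client']} for {hit['name']} ({hit['type']})")
```

If the scan above turns up external RD-clear queries, the fix on the resolver side is to restrict recursion and cache answers to your own networks (in BIND, `allow-recursion` and `allow-query-cache`) or to stop exposing the resolver to the internet at all, which is what a properly firewalled router, as asked about in #19, achieves.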

#22
Has anyone come across any Policy/Procedure examples online? A client has now had the Arsenal info through and is trying to satisfy their SAQ.

Thank you,

Rich

Army Gore-tex
Winter Climbing Mitts
webD's Blog: Website design, SEO and other ramblings…
Twitter LinkedIN


#23
We've had a 'reminder' one from Streamline/Arsenal today.
TBH, I'm glad we don't do MOTO any more. It's more hassle than it's worth when it comes to PCI-DSS.

Even the SAQ A was a complicated process. Well, the form itself was actually OK, but it LOOKED complicated and rather intimidating!

Hopefully that's us sorted for 12 months now, anyway.
Tracey


#24
I recently got the letter from RBS / Arsenal and completed the scan and SAQ, and it showed compliant, but then once submitted you wait to hear from the bank.

It seems a very messy process and the instructions are vague. Let's hope there is a universal, organised solution instead of "security" companies cashing in on honest businesses trying to survive.
https://www.harrisontelescopes.co.uk/

Ed Harrison - Menmuir Scotland


#25
You'd think it would be in the bank's/PSP's best interest to walk their customers through the process. After all, if a retailer decides to ditch MOTO, as Tracey has, it will hit them in their respective pockets.

Army Gore-tex
Winter Climbing Mitts
webD's Blog: Website design, SEO and other ramblings…
Twitter LinkedIN


#26
PCI DSS compliance, in theory, is a good thing; however, when RBS get involved with third parties in soliciting additional money from merchants to become compliant, I get annoyed.
RBS themselves made a mockery of the whole thing when WorldPay (an RBS product) failed to be PCI compliant itself!!
I didn't hear of huge fines each month to RBS from VISA or Mastercard whilst they worked to become compliant again! Maybe something to do with the millions generated for VISA/MasterCard through WorldPay transactions? No? Are you sure?!!!

As Chris stated, a lot of these scanning "authorities" work on misinformation to frighten merchants into taking/paying for actions that potentially are unnecessary.

Quick PCI nutshell review:
------------------------
- Use a payment service provider (PSP).
- If you take MOTO payments then you need to be able to "show" that no unauthorised personnel can access the card details at any time whilst you hold them.

Other than paying for a PSP there should be no requirement for you to spend any more money. Simply make sure your business process and IT systems meet the requirements of the standard - this you can do for free as well, with the right level of knowledge and information.
My tuppence worth....
Fergus Weir - teclan ltd
Ecommerce Digital Marketing

SellerDeck Responsive Web Design

SellerDeck Hosting
SellerDeck Digital Marketing