PCI DSS Compliance


    I was wondering if anyone can help with this or shed any light. I always thought Actinic was PCI DSS compliant? We use Actinic V9, Actinic Hosting and Actinic Payments. Our bank, HSBC, requires that https://www.securitymetrics.com/ test our website www.meechs.co.uk to make sure we are compliant.

    Below is the list of failures we have had. Does anyone have any tips or advice to get this sorted? I am very worried about this and need to get it sorted, as I am going away on my first holiday in 15 years on Monday.

    Below is the list of failures:

    Security Vulnerabilities Solution Plan
    The following section lists all security vulnerabilities detected on your system. All vulnerability risk scores 4 or greater are marked in red and must be resolved to become PCI compliant. Denial-of-Service vulnerabilities are also marked in red but they do not affect your PCI compliance status. Each vulnerability is ranked on a scale from 0 to 10, with 10 being critical.

    Security Vulnerabilities (columns: Protocol / Port / Program / Risk / Summary; the report lists one row per port, grouped here by finding)

    Medium strength SSL ciphers supported - Risk 5
    Affected: TCP 443 https; TCP 465 urd; TCP 8443 pcsync-https; TCP 993 imaps; TCP 995 pop3s
    Synopsis: The remote service supports the use of medium strength SSL ciphers.
    Description: The remote host supports the use of SSL ciphers that offer medium strength encryption, which we currently regard as those with key lengths at least 56 bits and less than 112 bits.
    Solution: Reconfigure the affected application if possible to avoid use of medium strength ciphers.
    Risk Factor: Medium / CVSS Base Score: 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

    Weak SSL ciphers supported - Risk 5
    Affected: TCP 443 https; TCP 465 urd; TCP 8443 pcsync-https; TCP 993 imaps; TCP 995 pop3s
    Synopsis: The remote service supports the use of weak SSL ciphers.
    Description: The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all.
    See also: http://www.openssl.org/docs/apps/ciphers.html
    Solution: Reconfigure the affected application if possible to avoid use of weak ciphers.
    Risk Factor: Medium / CVSS Base Score: 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

    SSL certificate has already expired - Risk 5
    Affected: TCP 443 https; TCP 465 urd; TCP 993 imaps; TCP 995 pop3s
    Synopsis: The remote server's SSL certificate has already expired.
    Description: This script checks expiry dates of certificates associated with SSL-enabled services on the target and reports whether any have already expired.
    Solution: Purchase or generate a new SSL certificate to replace the existing one.
    Risk Factor: Medium / CVSS Base Score: 5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)

    SSL 2.0 accepted - Risk 4
    Affected: TCP 443 https; TCP 465 urd; TCP 8443 pcsync-https; TCP 993 imaps; TCP 995 pop3s
    Synopsis: The remote service encrypts traffic using a protocol with known weaknesses.
    Description: The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.
    See also: http://www.schneier.com/paper-ssl.pdf
    Solution: Consult the application's documentation to disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead.
    Risk Factor: Medium / CVSS Base Score: 2 (AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)

    Cross-site scripting via the 'Expect' request header - Risk 4
    Affected: TCP 8443 pcsync-https; TCP 8880 cddbp-alt
    Synopsis: The remote web server is vulnerable to a cross-site scripting attack.
    Description: The remote web server fails to sanitize the contents of an 'Expect' request header before using it to generate dynamic web content. An unauthenticated remote attacker may be able to leverage this issue to launch cross-site scripting attacks against the affected service, perhaps through specially-crafted ShockWave (SWF) files.
    See also:
    http://archives.neohapsis.com/archives/bugtraq/2006-05/0151.html
    http://archives.neohapsis.com/archives/bugtraq/2006-05/0441.html
    http://archives.neohapsis.com/archives/bugtraq/2006-07/0425.html
    http://www.apache.org/dist/httpd/CHANGES_2.2
    http://www.apache.org/dist/httpd/CHANGES_2.0
    http://www.apache.org/dist/httpd/CHANGES_1.3
    http://www-1.ibm.com/support/docview.wss?uid=swg1PK24631
    http://www-1.ibm.com/support/docview.wss?uid=swg24017314
    Solution: Check with the vendor for an update to the web server. For Apache, the issue is reportedly fixed by versions 1.3.35 / 2.0.57 / 2.2.2; for IBM HTTP Server, upgrade to 6.0.2.13 / 6.1.0.1; for IBM WebSphere Application Server, upgrade to 5.1.1.17.
    Risk Factor: Medium / CVSS Base Score: 4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
    CVE: CVE-2006-3918, CVE-2007-5944. BID: 19661, 26457. Other references: OSVDB:27487, OSVDB:27488, OSVDB:38700
    www.meechs.co.uk
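The scan report above is emitted as one flattened row per port and finding, so the same handful of problems shows up over and over. The script below is an added example by the editor, not code from the forum thread, Actinic or SecurityMetrics: it parses rows in that "Protocol Port Program Risk Summary" layout (the layout is assumed from the posted text), applies the rule the report itself states (risk score 4 or greater must be fixed, Denial-of-Service findings do not affect status), and groups the failing rows by finding so a merchant sees how many distinct things actually need fixing. The rows in SAMPLE_ROWS are constructed: four are shortened copies of findings from the thread, and the DoS and SSH rows are invented to exercise the two exclusions.

```python
"""Triage an ASV scan listing of the kind pasted in the thread (one risk-scored row per port).

Added example, not code from the forum thread, Actinic or SecurityMetrics.
It parses the flattened "Protocol Port Program Risk Summary" rows, applies the
rule the report states (risk score 4 or greater must be fixed, except
Denial-of-Service findings, which do not affect PCI status) and groups the
failing rows by finding.  The row layout is assumed from the posted text.
"""
import re
from collections import defaultdict

PCI_FAIL_THRESHOLD = 4.0  # from the report: "risk scores 4 or greater ... must be resolved"

# Constructed sample rows in the report's format.  The first four are shortened
# copies of findings in the thread; the DoS and SSH rows are invented to
# exercise the two exclusions (DoS does not count, risk below 4 does not count).
SAMPLE_ROWS = """\
TCP 443 https 5 Synopsis : The remote service supports the use of medium strength SSL ciphers. Description : The remote host supports the use of SSL ciphers that offer medium strength encryption. Solution: Reconfigure the affected application. Risk Factor: Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
TCP 993 imaps 5 Synopsis : The remote service supports the use of medium strength SSL ciphers. Description : The remote host supports the use of SSL ciphers that offer medium strength encryption. Risk Factor: Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
TCP 443 https 5 Synopsis : The remote server's SSL certificate has already expired. Description : This script checks expiry dates of certificates. Risk Factor: Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)
TCP 8443 pcsync-https 4 Synopsis : The remote service encrypts traffic using a protocol with known weaknesses. Description : The remote service accepts connections encrypted using SSL 2.0. Risk Factor: Medium / CVSS Base Score : 2 (AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)
TCP 80 http 7 Synopsis : The remote web server is prone to a denial of service attack. Description : Constructed row. Risk Factor: High / CVSS Base Score : 7.8 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C)
TCP 22 ssh 2 Synopsis : An SSH server is listening on this port. Description : Constructed row. Risk Factor: Low / CVSS Base Score : 2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
"""

# Leading columns, then the synopsis up to the "Description :" label.
ROW_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<port>\d+)\s+(?P<program>\S+)\s+(?P<risk>\d+(?:\.\d+)?)\s+"
    r"Synopsis\s*:\s*(?P<synopsis>.+?)\s+Description\s*:"
)
CVSS_RE = re.compile(r"CVSS Base Score\s*:\s*(?P<score>\d+(?:\.\d+)?)\s*\((?P<vector>[^)]*)\)")
DOS_RE = re.compile(r"denial[\s-]+of[\s-]+service", re.IGNORECASE)


def parse_rows(text):
    """Turn each scanner row into a dict; header and unparsable lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        cvss = CVSS_RE.search(line)
        findings.append({
            "proto": m["proto"],
            "port": int(m["port"]),
            "program": m["program"],
            "risk": float(m["risk"]),            # the scanner's own 0-10 column
            "synopsis": m["synopsis"].rstrip("."),
            "cvss_score": float(cvss["score"]) if cvss else None,
            "cvss_vector": cvss["vector"] if cvss else None,
            "dos": bool(DOS_RE.search(m["synopsis"])),
        })
    return findings


def fails_pci(finding):
    """Report's rule: risk >= 4 blocks compliance, unless the finding is a DoS."""
    return finding["risk"] >= PCI_FAIL_THRESHOLD and not finding["dos"]


def group_failures(findings):
    """Map each failing synopsis to 'PROTO PORT program' labels, sorted by port."""
    groups = defaultdict(list)
    for f in findings:
        if fails_pci(f):
            groups[f["synopsis"]].append(f)
    return {
        synopsis: [f"{f['proto']} {f['port']} {f['program']}"
                   for f in sorted(hits, key=lambda f: f["port"])]
        for synopsis, hits in groups.items()
    }


def summarize(text):
    """Counts a merchant actually needs: rows, failing rows, distinct problems to fix."""
    findings = parse_rows(text)
    groups = group_failures(findings)
    return {
        "rows": len(findings),
        "failing_rows": sum(1 for f in findings if fails_pci(f)),
        "distinct_problems": len(groups),
        "groups": groups,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_ROWS)
    print(f"{report['rows']} rows, {report['failing_rows']} block PCI, "
          f"{report['distinct_problems']} distinct problems to fix:")
    for synopsis, where in report["groups"].items():
        print(f"  - {synopsis}: {', '.join(where)}")
```

Note that the SSL 2.0 row carries a risk score of 4 but a CVSS base score of 2; the report's own rule keys on the risk column, which is why `fails_pci` does too rather than re-deriving pass/fail from CVSS.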

    #2
    As you are using a PSP, a scan of your website is not required for PCI DSS compliance. This has been discussed before, so it is probably worth reading through a couple of the large threads on the forum related to this topic, as I am sure this exact same issue has been brought up, particularly in relation to Security Metrics, along with suggestions on how to approach SM on the matter.

    Actinic's advice on PCI DSS can be found at http://www.actinic.co.uk/services/pci-dss.htm
    Darren Guppy
    Golf Tee Warehouse
    Golf Tees and Golf Accessories.


      #3
      You are using Actinic Payments - you do not need to pass security checks on your site.


        #4
        Thank you for the replies.

        From what I understand, Meechs falls under SAQ validation type 4, as we take telephone orders and process them through the Actinic PSP.

        Under Actinic guidelines it states we need to fill out the SAQ C form and have an external scan carried out.

        The scan we have paid for and had carried out has failed. But as far as I can see the points mentioned in earlier post are not things we can sort from this end.

        I am also still a little confused as to why we would fall under SAQ type 4, because we do not process the telephone orders via PDQ; we process them through the Actinic PSP, thus negating our responsibility for being compliant with payments.

        Andy
        www.meechs.co.uk


          #5
          If you take telephone orders, you require a scan of your office network and NOT your website, which is much easier to pass, providing you have decent firewalls, etc.

          If you take telephone orders, you need to comply with the extra requirements because, although you process the card details through Actinic Payments, you may be writing the details down on paper and you will be typing the details into your computer to transmit them to AP, and are therefore vulnerable to keyloggers, etc. Hence the requirements relating to anti-virus/anti-malware software, etc., and having procedures to ensure card details are not stored and anything written down is shredded, etc.
          Darren Guppy
          Golf Tee Warehouse
          Golf Tees and Golf Accessories.


            #6
            Thank you so much for that advice. I have been on the phone to SecurityMetrics and explained, and they are now rescanning my network, not my website.

            Thanks again
            Andy
            www.meechs.co.uk


              #7
              Our bank, HSBC, has written advising us of the compliance requirements; however, they require proof that we are compliant, otherwise they will apply a £20 per month non-compliance fee. :-(

              We use a PSP. Although we have the capability to accept telephone orders, we have never had any. If we simply deactivate that option in our checkout, will that be enough to ignore that side of it, or do we need to do something else?

              D


                #8
                Only online

                Hello D. We only accept orders placed by customers online through SagePay. This way we just had to fill in a self-certifying form for PCI compliance, with no fees to pay anyone. We considered it not worthwhile, as we received so few telephone orders anyway, to pay every year for an audit of our systems and the hassle involved. We also found that people wanting to place telephone orders, having been on our website as that is our only shop-front, were usually trying to avoid the 3D-Secure system, which is there to protect cardholders against fraud and to protect ourselves. Accepting payments by telephone to avoid this made nonsense of 3D-Secure, as well as of the Third Man fraud checks. In addition to this, there was extra work in processing the telephone orders, though this was a comparatively minor consideration. We have found that as people have become more accustomed to 3D-Secure, now on most shopping websites, they are getting more adept at it and we get fewer requests to order by telephone.
                Sarah


                  #9
                  Thanks Sarah. I think we will take the same approach. Did you have to delist from taking phone payments with the bank or did you just stop taking those orders by removing the option from checkout?

                  Derwent


                    #10
                    You will have to contact the bank to let them know what you do; they have asked you for proof of compliance. As others have said, if you now only do online payment via a PSP then you can self-certify.

                    But the bank won't know this until you tell them.
