Announcement

**MDN** · 07-Aug-2024, 11:33 AM

Hi Jonathan,

I'm on shared with Teclan, been having issues with the latest scan, however with big thanks to your blog post and some server work by Teclan yesterday (so big thanks to Stephen @ teclan), I have today passed the scan. I do also have Gatekeeper on my hosting (not sure if that changes any scan results but it did show as having a firewall in the result).

Thanks again

**graphicz** · 07-Aug-2024, 11:55 AM

Thank you!

Having sold me reseller hosting on the basis of PCI compliance Brixly are now saying they never said it was!

**mje** · 07-Aug-2024, 02:08 PM

Scans involving Brixly were returning compliant but are not now - that said when I had a call with the scanning gurus at Saferpayents yesterday the chap, who was very patient and understanding, said that although our site "passed" on May17th and was "attested" it actually didn't pass but got through the system because something "didn't connect properly"

Banging your head on a brick wall would be less painfull than obtaining PCI compliance of that I have little doubt,

Edging closer to binning direct input card payments and just offering PayPal myself. Have lost all motivation to pursue this.

**graphicz** · 08-Aug-2024, 06:31 AM

What companies do people use for PCI scanning? Client uses one that seems overly trigger happy!

**EdHarrison** · 08-Aug-2024, 06:56 AM

I always used security metrics, they are good and approachable for support via the phone.

**graphicz** · 08-Aug-2024, 08:01 AM

Thank you Ed - I know it is mentioned before but the thread has got pretty long!

**Mantra** · 08-Aug-2024, 10:02 AM

I have been using Security Metrics since 2012 initially required for Barclaycard Merchant Services PCI compliance and am pleased to report that our most recent scan passed this week.

Our site is hosted on a shared server with secure ISO27001 accredited PCI DSS compliant data centres, so I expect the host data centres will require regular vulnerability scans to maintain PCI DSS compliance, thereby, reducing the risk of scan fails being picked up on sites that are hosted on servers that do not demonstrate PCI DSS compliance.

I would be interested to hear on the success or failure of follow up scans from anyone using Cloudflare shared servers as they also state they have accredited PCI DSS compliant data centres and have security protection in place for PCI DSS v4.0 requirements that are considered best practice until they are mandated from 31 March 2025.

**graphicz** · 08-Aug-2024, 10:34 AM

Thank you Martin

securitymetrics.com seem the way to go. Although I am not selling I signed up for scans of one site from each of my reseller accounts so I know what I am dealing with.

I have also sourced separate PCI DSS scan compliant hosting for clients with Krystal

**graphicz** · 13-Aug-2024, 07:41 AM

I signed up for Security Metrics so I can scan the client's site on my now improved PCI compliant hosting account for them.

Sticking point at present is SSH version and I am not clear if they mean SSH version on the server (although I have it disabled and secure ftp still works)
or within Sellerdeck
or on the customers Windows machine.

SM want it to be >9.6

Click image for larger version

Name: opensshvulnerabilities.jpg
Views: 53
Size: 44.1 KB
ID: 557417

Thank you

**Mantra** · 13-Aug-2024, 06:43 PM

SSH was not in scope for my scans as I am not a C panel system administrator, however, I do think it is more likely to be a server side issue - see link below concerning disabling SSH which you are probably aware of:
https://help.krystal.io/cpanel-advan...e-shell-access
In my case with Security Metrics I am able to repeat scans any time within the contract period which I found helpful after making changes to address fails.

**graphicz** · 14-Aug-2024, 07:21 AM

Krystal have confirmed it is all with them and not us and have produced a comprehensive list of evidence to get things labelled false positives.

**Mantra** · 14-Aug-2024, 08:44 AM

Hope all goes well with your submission of false positives to Security Metrics.

I didn't have any false positives to submit, however, it may be worth just noting that I received a reminder from Security Metrics before my last scheduled scan to resubmit any false positives that may be issued for scan targets, to update current IP address for any dynamic IP addresses and to ensure the same level of network access to Internet-connected devices provided to standard users under normal circumstances - details of security assessment originating scanning locations were listed in the communication.

Assurance given that the Security Metrics support team can be contacted 24/7 on any problems concerning resolving vulnerabilities.

**graphicz** · 14-Aug-2024, 09:09 AM

Thans Martin - Security Metrics have passed the site but the customer uses worldpay.com/uk/saferpayments for his scanning and they are still knocking everything back.

What fresh hell is all this?

**EdHarrison** · 14-Aug-2024, 11:27 AM

Jonathan I was with them and they did accept security metrics scans, you didn't have to use their own one. Obviously this may have changed.

**graphicz** · 14-Aug-2024, 12:04 PM

Thank you Ed

Announcement

PCI DSS 4.0 External Compliance Scan

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment