PCI DSS 4.0 External Compliance Scan

    #91
    Hi Jonathan,

    I'm on shared with Teclan, been having issues with the latest scan, however with big thanks to your blog post and some server work by Teclan yesterday (so big thanks to Stephen @ teclan), I have today passed the scan. I do also have Gatekeeper on my hosting (not sure if that changes any scan results but it did show as having a firewall in the result).

    Thanks again
    Many Thanks
    Lee
    www.mdnsupplies.co.uk
    www.hookandloopfasteners.co.uk

      #92
      Thank you!

      Having sold me reseller hosting on the basis of PCI compliance Brixly are now saying they never said it was!
      Jonathan Chappell
      Website Designer
      SellerDeck Website Designer
      Actinic to SellerDeck upgrades
      Graphicz Limited - www.graphicz.co.uk

        #93
        Scans involving Brixly were returning compliant but are not now - that said, when I had a call with the scanning gurus at Saferpayments yesterday the chap, who was very patient and understanding, said that although our site "passed" on May 17th and was "attested" it actually didn't pass but got through the system because something "didn't connect properly".

        Banging your head on a brick wall would be less painful than obtaining PCI compliance, of that I have little doubt.

        Edging closer to binning direct input card payments and just offering PayPal myself. Have lost all motivation to pursue this.
        www.devotedly-discus.co.uk

          #94
          What companies do people use for PCI scanning? Client uses one that seems overly trigger happy!
          Jonathan Chappell
          Website Designer
          SellerDeck Website Designer
          Actinic to SellerDeck upgrades
          Graphicz Limited - www.graphicz.co.uk

            #95
            I always used Security Metrics; they are good and approachable for support via the phone.
            https://www.harrisontelescopes.co.uk/

            Ed Harrison - Menmuir Scotland

              #96
              Thank you Ed - I know it is mentioned before but the thread has got pretty long!
              Jonathan Chappell
              Website Designer
              SellerDeck Website Designer
              Actinic to SellerDeck upgrades
              Graphicz Limited - www.graphicz.co.uk

                #97
                I have been using Security Metrics since 2012 initially required for Barclaycard Merchant Services PCI compliance and am pleased to report that our most recent scan passed this week.

                Our site is hosted on a shared server with secure ISO27001 accredited PCI DSS compliant data centres, so I expect the host data centres will require regular vulnerability scans to maintain PCI DSS compliance, thereby reducing the risk of scan fails being picked up on sites that are hosted on servers that do not demonstrate PCI DSS compliance.

                I would be interested to hear on the success or failure of follow up scans from anyone using Cloudflare shared servers as they also state they have accredited PCI DSS compliant data centres and have security protection in place for PCI DSS v4.0 requirements that are considered best practice until they are mandated from 31 March 2025.
                Martin
                Mantra Audio

                  #98
                  Thank you Martin

                  securitymetrics.com seem the way to go. Although I am not selling I signed up for scans of one site from each of my reseller accounts so I know what I am dealing with.

                  I have also sourced separate PCI DSS scan compliant hosting for clients with Krystal
                  Jonathan Chappell
                  Website Designer
                  SellerDeck Website Designer
                  Actinic to SellerDeck upgrades
                  Graphicz Limited - www.graphicz.co.uk

                    #99
                    I signed up for Security Metrics so I can scan the client's site on my now improved PCI compliant hosting account for them.

                    Sticking point at present is the SSH version and I am not clear if they mean the SSH version on the server (although I have it disabled and secure FTP still works),
                    or within Sellerdeck,
                    or on the customer's Windows machine.

                    SM want it to be >9.6

                    [Image: opensshvulnerabilities.jpg]

                    Thank you
                    Jonathan Chappell
                    Website Designer
                    SellerDeck Website Designer
                    Actinic to SellerDeck upgrades
                    Graphicz Limited - www.graphicz.co.uk

                      SSH was not in scope for my scans as I am not a cPanel system administrator; however, I do think it is more likely to be a server-side issue - see the link below concerning disabling SSH, which you are probably aware of:
                      https://help.krystal.io/cpanel-advan...e-shell-access
                      In my case with Security Metrics I am able to repeat scans any time within the contract period which I found helpful after making changes to address fails.
                      Martin
                      Mantra Audio
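The OpenSSH finding in the two posts above is a banner-based check: the scanner reads the identification string the SSH server sends and compares the advertised version with its threshold, which is why it is a server-side matter rather than anything in Sellerdeck or on the customer's PC. The Python below is an added example, not code from this thread or from Security Metrics, that runs the same comparison over constructed sample banners and flags the distribution suffix that usually explains a disputed result: Ubuntu and Debian packages backport fixes without changing the upstream version string, so a banner-only check reports a fail until package evidence is supplied. It assumes the finding means OpenSSH 9.6 or later.

```python
import re
import socket

# Constructed sample banners (not taken from the thread); shared-host-a mirrors
# the "OpenSSH below 9.6" style finding described in post #99.
SAMPLE_BANNERS = {
    "shared-host-a": "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6",
    "shared-host-b": "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.5",
    "shared-host-c": "SSH-2.0-OpenSSH_9.8",
    "shared-host-d": "SSH-2.0-dropbear_2022.83",
}

# RFC 4253 identification string: SSH-protoversion-softwareversion [SP comments]
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>\d\.\d)-OpenSSH_(?P<major>\d+)\.(?P<minor>\d+)"
    r"(?:p(?P<portable>\d+))?(?:\s+(?P<vendor>\S.*))?$"
)


def parse_openssh_banner(banner):
    """Return (major, minor, vendor_suffix) or None when the banner is not OpenSSH."""
    m = BANNER_RE.match(banner.strip())
    if m is None:
        return None
    return int(m.group("major")), int(m.group("minor")), m.group("vendor") or ""


def assess(banner, minimum=(9, 6)):
    """Apply a banner-only version check the way an external scanner does.

    backport_suffix is set when the banner carries a distribution suffix such as
    'Ubuntu-3ubuntu0.6'; those packages often ship the fixes without bumping the
    upstream version, so a 'fail' needs package changelog evidence to dispute.
    """
    parsed = parse_openssh_banner(banner)
    if parsed is None:
        return {"status": "not-openssh", "version": None, "backport_suffix": False}
    major, minor, vendor = parsed
    status = "pass" if (major, minor) >= minimum else "fail"
    return {"status": status, "version": f"{major}.{minor}", "backport_suffix": bool(vendor)}


def fetch_banner(host, port=22, timeout=5.0):
    """Read the identification string your own server sends (needs network access)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        data = sock.recv(255).decode("ascii", errors="replace")
        return (data.splitlines() or [""])[0]


if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        print(name, assess(banner))
```

Run `assess(fetch_banner("your.host.example"))` against a host you administer to see exactly what the scanner saw; a fail with `backport_suffix` set is the case where the host's package changelog, not the banner, decides whether the finding stands.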

                        Krystal have confirmed it is all with them and not us and have produced a comprehensive list of evidence to get things labelled false positives.
                        Jonathan Chappell
                        Website Designer
                        SellerDeck Website Designer
                        Actinic to SellerDeck upgrades
                        Graphicz Limited - www.graphicz.co.uk

                          Hope all goes well with your submission of false positives to Security Metrics.

                          I didn't have any false positives to submit, however, it may be worth just noting that I received a reminder from Security Metrics before my last scheduled scan to resubmit any false positives that may be issued for scan targets, to update current IP address for any dynamic IP addresses and to ensure the same level of network access to Internet-connected devices provided to standard users under normal circumstances - details of security assessment originating scanning locations were listed in the communication.

                          Assurance given that the Security Metrics support team can be contacted 24/7 on any problems concerning resolving vulnerabilities.
                          Martin
                          Mantra Audio

                            Thanks Martin - Security Metrics have passed the site but the customer uses worldpay.com/uk/saferpayments for his scanning and they are still knocking everything back.

                            What fresh hell is all this?
                            Jonathan Chappell
                            Website Designer
                            SellerDeck Website Designer
                            Actinic to SellerDeck upgrades
                            Graphicz Limited - www.graphicz.co.uk

                              Jonathan, I was with them and they did accept Security Metrics scans; you didn't have to use their own one. Obviously this may have changed.
                              https://www.harrisontelescopes.co.uk/

                              Ed Harrison - Menmuir Scotland

                                Thank you Ed
                                Jonathan Chappell
                                Website Designer
                                SellerDeck Website Designer
                                Actinic to SellerDeck upgrades
                                Graphicz Limited - www.graphicz.co.uk
