PCI DSS 4.0 External Compliance Scan
    #61
    Client approached SD Support and the initial response was that apparently it's a known issue; they will come back to me.
    Oh!
    Jonathan Chappell
    Website Designer
    SellerDeck Website Designer
    Actinic to SellerDeck upgrades
    Graphicz Limited - www.graphicz.co.uk



      #62
      Originally posted by graphicz:
      Please can someone point me to a thread about Clear accept fields not appearing?

      Thank you!
      see thread links:
      https://community.sellerdeck.com/for...ckout-freezing
      https://community.sellerdeck.com/forum/sellerdeck-ecommerce-software/swift-theme/556977-accordion-users-act-now


      and KB|Online Store Issues:
      https://community.sellerdeck.com/for...-do-not-appear
      Martin
      Mantra Audio



        #63
        Thank you Martin
        Jonathan Chappell
        Website Designer
        SellerDeck Website Designer
        Actinic to SellerDeck upgrades
        Graphicz Limited - www.graphicz.co.uk



          #64
          Originally posted by 4children2enjoy:
          Yes, we are also now compliant via the ClearAccept scan.
          Andy,

          I'd be interested to know who your hosting provider is, and whether you're on shared hosting or a VPS/private server?

          I'm struggling to get a compliant ClearAccept scan with my current provider, so I may need to move to a host that is proven to work with Sellerdeck and ClearAccept's PCI DSS scanning.

          Many thanks,
          John
          John Ennals
          www.tortoys.co.uk



            #65
            John,

            we are on a shared server with Host-it.

            We however run our DNS through Cloudflare and PCI picks it up as a single server with only my site on.

            I feel I had less issues with the scan due to being on Cloudflare.
            Regards

            Jason

            Titan Jewellery (Swift Design)
            Zirconium Rings
            Damascus Steel Rings



              #66
              John
              We are currently on shared hosting with Ionos, including Cloudflare, though we would probably change to Sellerdeck hosting if we hit insurmountable problems in future with Ionos hosting.
              Andy Shercliff
              www.4children2enjoy.co.uk



                #67
                Andy and Jason,

                Thank you very much for getting back on this. One more question - does your hosting support Sellerdeck's 'native' email, or do you have to use Sendgrid or similar?

                John
                John Ennals
                www.tortoys.co.uk



                  #68
                  John,

                  I just use Localhost in the settings with Host-it and it works fine.
                  Regards

                  Jason

                  Titan Jewellery (Swift Design)
                  Zirconium Rings
                  Damascus Steel Rings



                    #69
                    Jason,

                    Thanks, that's good to know. Looks like moving to Host-It may be my best option if my current host can't make the necessary adjustments.

                    Presumably you whitelisted the three ClearAccept scanner IP address ranges before performing the scan? If so, did you do this by contacting Host-It, or was it something you could set up within Cloudflare?

                    No more questions after this, I promise!

                    John
                    John Ennals
                    www.tortoys.co.uk



                      #70
                      I never whitelisted anything, so I presume not blocked by Cloudflare. Only issue I had was some 5xx errors when browsing, and it turned out some of Cloudflare's IP addresses were blocked by Host-it. The list of Cloudflare IPs was too long for Host-it to whitelist, so they turned WAF off. WAF is now completely controlled by Cloudflare.

                      I'm not sure moving to Host-it will resolve your issues. I believe mine is working well, and scans well, because of my heavy reliance on Cloudflare. I would look at using Cloudflare on your existing site.

                      I have 7 sites on Cloudflare, 6 on free accounts, and only Titan on a paid subscription. The free account will be more than ample for your needs.
                      Regards

                      Jason

                      Titan Jewellery (Swift Design)
                      Zirconium Rings
                      Damascus Steel Rings



                        #71
                        Thank you Jason. I will try Cloudflare, although I personally don't have the expertise to set it up.

                        Regards,
                        John
                        John Ennals
                        www.tortoys.co.uk



                          #72
                          The nightmare continues.

                          ClearAccept's PCI compliance service is provided by Worldline, who in turn use the Sysnet PCI compliance service which incorporates vulnerability scanning by Qualys.

                          On 1st June I ran a ClearAccept scan, which resulted in a FAIL due to 4 reported vulnerabilities.

                          Today (7th June) my hosting company told me they'd applied fixes to resolve the vulnerabilities, so I went to run another scan. However, I noticed that the list of scanner IP addresses which Worldline say must be granted access had changed since last time. There were formerly 3 address ranges, and now there were 7! So I rang Worldline, and was told that this change had come through from Sysnet/Qualys a couple of days previously and it was beyond their control.

                          I got my host to add the new IP addresses to the white-list, then ran the scan again. This resulted in a FAIL due to 11 reported vulnerabilities.

                          On comparing the reports from the two scans, I found the second scan had failed on items which had not even appeared on the first scan, either as a pass or fail. So it appears Qualys had not only changed the white-list IP addresses, they'd also changed the scope/parameters of the scan without warning.

                          Therefore if you did a scan on or before 1st June and passed, the scan might fail if you do it again today.

                          I know PCI scanning has to evolve continuously to deal with new threats, but I've already wasted several days trying to gain compliance, and that goal seems to be moving further and further out of reach - and I've got to do this every 3 months!

                          John Ennals
                          www.tortoys.co.uk
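The comparison described above (failures in the second scan on checks the first scan never reported, versus regressions on known checks) can be done mechanically. This is an added example, not code from the thread or from Qualys, Sysnet or Worldline; the CSV layout, check ids and titles are constructed placeholders, since real reports have a vendor-specific format.

```python
import csv
from io import StringIO

# Constructed sample reports (not real Qualys output): check id, title, PASS/FAIL.
SCAN_1_JUNE = """qid,title,result
100,TLS 1.0 enabled,FAIL
101,Weak cipher suites offered,FAIL
102,HTTP TRACE method enabled,PASS
103,Server version disclosed in banner,FAIL
104,Directory listing enabled,FAIL
"""
SCAN_7_JUNE = """qid,title,result
100,TLS 1.0 enabled,PASS
101,Weak cipher suites offered,FAIL
102,HTTP TRACE method enabled,FAIL
103,Server version disclosed in banner,PASS
104,Directory listing enabled,PASS
200,HSTS header missing,FAIL
201,Session cookie without Secure flag,FAIL
"""

def parse_report(text):
    """Map check id -> (title, result) for one report."""
    return {row["qid"]: (row["title"], row["result"].strip().upper())
            for row in csv.DictReader(StringIO(text))}

def compare_scans(before_text, after_text):
    """Classify each check in the later scan against the earlier one."""
    before, after = parse_report(before_text), parse_report(after_text)
    buckets = {"resolved": [], "regressed": [], "still_failing": [],
               "new_scope_fail": [], "dropped_from_scope": []}
    for qid, (_, result) in after.items():
        if qid not in before:
            # Never reported before, as pass or fail: the scan scope changed.
            if result == "FAIL":
                buckets["new_scope_fail"].append(qid)
            continue
        previous = before[qid][1]
        if previous == "FAIL" and result == "PASS":
            buckets["resolved"].append(qid)
        elif previous == "PASS" and result == "FAIL":
            buckets["regressed"].append(qid)   # real regression on a known check
        elif result == "FAIL":
            buckets["still_failing"].append(qid)
    buckets["dropped_from_scope"] = [q for q in before if q not in after]
    return buckets
```

A non-empty "new_scope_fail" list is the evidence to raise with the scanning vendor that the scan parameters changed, separately from the "regressed" items the host needs to fix.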



                            #73
                            John
                            No, we have never been able to use the Ionos email server via Sellerdeck network settings. Instead we use a Perl workaround provided via the Sellerdeck community many years ago, which (so far) still works.
                            andy
                            Andy Shercliff
                            www.4children2enjoy.co.uk



                              #74
                              Hi Andy

                              Do you mean Norman's sendmail patch?

                              https://community.sellerdeck.com/for...sendmail-patch

                              From Norman's original: http://www.drillpine.biz/sellerdecks...eadoOfSMTP.txt

                              Code:
                              Sending e-mail via sendmail (or whatever the host supports) instead of SMTP (should also work with V5)
                              
                              This needs a host with Perl that supports the Mail::Mailer module (OneAndOne does).
                              
                              Patching instructions for Actinic.pm (back it up first - use a text editor - not a word processor):-
                              
                              Look about 25 lines down from the top. You should see a line
                              
                              use strict;
                              
                              ADD the following line immediately after this
                              
                              use Mail::Mailer;
                              
                              Search for the line (there is only one instance)
                              
                              sub SendRichMail
                              
                              If using V6 - DELETE the above line and everything following it down to the line above the following fragment
                              
                              #######################################################
                              #
                              # GetScriptUrl - retrieve an url to the specified script
                              
                              
                              If using V5 - DELETE the above line and everything following it down to the line above the following fragment
                              
                              
                              #######################################################
                              #
                              # GetCookie - retrieve the actinic cookie
                              
                              
                              REPLACE the stuff you just deleted with the following new routine:-
                              
                              sub SendRichMail
                              {
                              #? ACTINIC::ASSERT($#_ >= 4, "Invalid argument count in SendRichMail ($#_)", __LINE__, __FILE__);
                              
                              #
                              # !!!!!! This is a function commonly used by many utilities. Any changes to its interface will
                              # !!!!!! need to be verified with the various utility scripts.
                              #
                              
                              if ($#_ < 4)
                              {
                              return($::FAILURE, GetPhrase(-1, 12, 'Actinic::SendRichMail'), 0, 0);
                              }
                              
                              my ($sSmtpServer, $sEmailAddress, $sLocalError, $sSubjectText, $sMessageText, $sMessageHTML, $sBoundary, $sReturnAddress);
                              ($sSmtpServer, $sEmailAddress, $sSubjectText, $sMessageText, $sMessageHTML, $sReturnAddress) = @_;
                              #
                              # Check message content for bare LFs and repair if there are some
                              #
                              
                              $sMessageText =~ s/\r\n/\n/g; # CRLF -> LF
                              $sMessageText =~ s/\r/\n/g; # remaining CR -> LF
                              $sMessageText =~ s/\n/\r\n/g; # all LF -> CRLF
                              # and check the HTML content as well
                              $sMessageHTML =~ s/\r\n/\n/g; # CRLF -> LF
                              $sMessageHTML =~ s/\r/\n/g; # remaining CR -> LF
                              $sMessageHTML =~ s/\n/\r\n/g; # all LF -> CRLF
                              #
                              # Check the return address
                              #
                              if (!$sReturnAddress) # if no return address defined
                              {
                              $sReturnAddress = $sEmailAddress; # use the destination email address
                              }
                              
                              # (V11) use systems sendmail program
                              my $mailer = Mail::Mailer->new();
                              $mailer->open({ From => $sReturnAddress,
                              To => $sEmailAddress,
                              Subject => $sSubjectText,
                              })
                              or die "Can't open: $!\n";
                              
                              print $mailer $sMessageText;
                              $mailer->close();
                              
                              return($::SUCCESS, '', 0, 0);
                              }
                              
                              Save and do a site update and that's that.
                              
                              Bugs / Quirks.
                              
                              Some users have reported that the e-mail is sent on one long line.
                              If this happens, open the (patched) Actinic.pm and look for the line
                              
                              $sMessageText =~ s/\n/\r\n/g; # all LF -> CRLF
                              
                              and comment it out by adding "#" at the beginning. I.e.
                              
                              # $sMessageText =~ s/\n/\r\n/g; # all LF -> CRLF
                              
                              Save and see if that fixes it.
                              
                              Remember that if you update Actinic the updater will overwrite patched scripts with the new
                              version and you'll have to redo the patch.
                              
                              Norman www.drillpine.biz (V11)
                              Jonathan Chappell
                              Website Designer
                              SellerDeck Website Designer
                              Actinic to SellerDeck upgrades
                              Graphicz Limited - www.graphicz.co.uk



                                #75
                                Success!

                                As of this morning my site has been running via Cloudflare, the ClearAccept scan report is clean, and I am PCI-DSS compliant! Cloudflare really does seem to be the answer if you're using shared hosting.

                                A huge thank you to Jason and Andy for pointing me in the Cloudflare direction (and for persuading me not to change my hosting until I'd tried it), and to Jonathan for all his help especially the .htaccess stuff.

                                Thanks also to Teclan for setting Cloudflare up for me for a modest charge, as I was too scared to do it myself.

                                John
                                John Ennals
                                www.tortoys.co.uk
