PCI DSS 4.0 External Compliance Scan
    #76
    Morning John,
    Glad you've got it sorted, and great to read the help you've received on the Community. I've been busy with other projects so unfortunately I keep "kicking the can down the road" not having the time nor the knowledge to know where to start, but need to address it. With Cloudflare, which account did you need?
    Regards
    Jeff
    Jeff Nurse
    Managing Director

    Aerofoil Design
    Office Design & Furniture Solutions
    www.aerofoil.net



      #77
      Hi Jeff,
      The free account worked for me.
      Regards,
      John
      John Ennals
      www.tortoys.co.uk



        #78
        Great, thanks John
        Jeff Nurse
        Managing Director

        Aerofoil Design
        Office Design & Furniture Solutions
        www.aerofoil.net



          #79
          Originally posted by John Ennals:
          Success!

          As of this morning my site has been running via Cloudflare, the ClearAccept scan report is clean, and I am PCI-DSS compliant! Cloudflare really does seem to be the answer if you're using shared hosting.

          John
          Glad you got it sorted. Cloudflare is brilliant at what it does.

          My 1 tip, learnt the hard way, numerous times through forgetting and wasting hours.

          When you make changes to the site and you are not seeing them, make sure you clear the cache in Cloudflare, or turn Development mode on.

          Regards

          Jason

          Titan Jewellery (Swift Design)
          Zirconium Rings
          Damascus Steel Rings



            #80
            Originally posted by Buzby:

            Glad you got it sorted. Cloudflare is brilliant at what it does.

            My 1 tip, learnt the hard way, numerous times through forgetting and wasting hours.

            When you make changes to the site and you are not seeing them, make sure you clear the cache in Cloudflare, or turn Development mode on.
            This is easily solved by using the correct cache settings.

            I asked Gary to create a KB article about this, and it's at https://community.sellerdeck.com/for...cache-settings . Checking your Titan Jewellery site shows that your cache settings are very high. Your customers won't see updates in their browser even if you clear the cache in Cloudflare, as the browsers (like Chrome) have been told they can hold on to the CSS, for example, for 2592000 seconds - that's 30 days. If you make a CSS fix for the payment overlay for example it won't be seen by customers for a long time.

            I can also see the cf-cache-status: DYNAMIC header mentioned in the article.

            I like to set cache timeouts very low, e.g. 1 hour. Then when making a big site update you can set it to zero, wait one hour, update the site, set it back to 1 hour - and then you know that every customer will be getting new content from the site.



            Hugh Gibson
            CTO - Sellerdeck, part of ClearCourse
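A small header audit, added here as an example (it is not the KB article's or Sellerdeck's code), that applies Hugh's point to a captured set of response headers: it parses Cache-Control, converts max-age into days and flags lifetimes above the 1-hour setting he recommends, and reports a cf-cache-status of DYNAMIC. The header values are constructed.

```python
# Cache lifetime recommended in the post for a storefront: 1 hour.
RECOMMENDED_MAX_AGE = 3600

def parse_cache_control(value):
    """Parse a Cache-Control header into {directive: value}; bare directives map to True."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if sep else True
    return directives

def audit_cache_headers(headers, threshold=RECOMMENDED_MAX_AGE):
    """Return findings for one response's headers (header names are case-insensitive)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    cc = parse_cache_control(h.get("cache-control", ""))
    # With no-store/no-cache the browser revalidates every time, so only the edge copy matters.
    if "no-store" not in cc and "no-cache" not in cc:
        max_age = cc.get("max-age")
        if isinstance(max_age, str) and max_age.isdigit() and int(max_age) > threshold:
            days = int(max_age) / 86400
            findings.append(f"browser max-age {max_age}s ({days:.1f} days) exceeds {threshold}s; "
                            "purging the Cloudflare cache will not refresh copies browsers already hold")
    if h.get("cf-cache-status", "").upper() == "DYNAMIC":
        findings.append("cf-cache-status DYNAMIC: Cloudflare served this response without edge caching")
    return findings

# Constructed headers resembling the long-lived policy described in the post.
SAMPLE_HEADERS = {"Cache-Control": "public, max-age=2592000", "cf-cache-status": "DYNAMIC"}

if __name__ == "__main__":
    for finding in audit_cache_headers(SAMPLE_HEADERS):
        print(finding)
```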



              #81
              Many thanks Hugh, I will work through that.
              Regards

              Jason

              Titan Jewellery (Swift Design)
              Zirconium Rings
              Damascus Steel Rings



                #82
                I don't normally read the forums, but I've just completely read this thread.

                I've been spending a lot of time researching PCI DSS in the last month and in particular the newer requirements for v4.0 that will become mandatory at the end of March 2025. These are 6.4.3 and 11.6.1 in SAQ A, as noted in https://www.securitymetrics.com/blog...40-saq-changes . 6.4.3 relates to checking the integrity of all scripts on a payment page, and 11.6.1 is about checking the contents of the payment page (including scripts, headers, HTML) and making sure that all changes are valid.

                The reasoning behind these changes is clear: the payment page itself is vulnerable to scripts being injected and being used to skim card details (Magecart-style attacks). In a Sellerdeck Desktop site that could happen at all sorts of levels, from changing of scripts in the site folder, or changed layouts e.g. Javascript Header Functions, to changed scripts coming from a third party like polyfill.io.

                So the new requirements for next year should stop this sort of attack. If something is changed you should be prompted to fix it - or approve it - immediately. I'm looking at how they can be fulfilled in Sellerdeck Desktop, probably using an external service.

                The implication of this is that it's not the use of ClearAccept which is causing PCI DSS compliance to be needed. SAQ A is very clear that any payment page, whatever method is used - either iframes or a hand off to another site - is in scope. I've been in discussion with PayPal because their guidance around PCI DSS is misleading and they will be changing that. They'll also be changing the integration methods so that 6.4.3 can be applied - i.e. integrity checking.

                I'm involved with a wider advisory group within ClearCourse, and we're meeting with a PCI DSS Qualified Security Advisor next week. I've prepared questions for that session, and will also be describing the Sellerdeck Desktop architecture.

                Some of these questions relate to the ClearAccept PCI Portal which I've been using on a test basis. There are some confusing questions which I want to clarify. There is also a template Information Security Policy which is out of date, and I'll be asking about provision of an appropriate policy for SAQ A which most merchants will be able to use.

                And to come back to that mention of polyfill.io - we identified this as a risk in March because ownership of the site has moved to a Chinese entity. We did a special announcement (those on 18.2.3 will know about those!) and also posted a KB article about it at https://community.sellerdeck.com/for...rdeck-software. However, only 42% of the Sellerdeck Desktop ClearAccept sites have followed those instructions. Google have now caught up and have started emailing merchants today saying that Google ads will be suspended until it's removed. That might cause a few more to apply the change!

                Regards,
                Hugh Gibson
                CTO - Sellerdeck, part of ClearCourse
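An added illustration (not Sellerdeck's code, nor the external service Hugh mentions) of what 6.4.3 and 11.6.1 ask for: it takes an approved snapshot of the scripts on a payment page, external ones by src plus declared integrity attribute and inline ones by an SRI-style hash of their body, then reports later additions, changes, removals, external scripts with no integrity attribute, and scripts loaded from hosts outside an approved list. The sample page and host list are constructed.

```python
import base64
import hashlib
import re
from urllib.parse import urlparse
# Constructed sample payment page, as approved once by the merchant (the 11.6.1 baseline).
APPROVED_PAGE = """
<script src="/js/checkout.js" integrity="sha384-AAAA"></script>
<script src="https://pay.example.test/widget.js" integrity="sha384-BBBB"></script>
<script>var basket = {total: 1};</script>
"""
ALLOWED_HOSTS = {"pay.example.test"}  # third-party script hosts the merchant approved (constructed)
SCRIPT_TAG = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
ATTR = re.compile(r'(\w+)\s*=\s*"([^"]*)"')

def sri_hash(body, algo="sha384"):
    """Subresource Integrity value for a script body, e.g. 'sha384-<base64 digest>'."""
    return f"{algo}-{base64.b64encode(hashlib.new(algo, body).digest()).decode()}"

def script_inventory(html):
    """Fingerprint every script: external ones by src -> declared integrity attribute
    ('' when none, so a content change cannot be seen), inline ones by 'inline:<n>' -> body hash."""
    inventory, n = {}, 0
    for m in SCRIPT_TAG.finditer(html):
        attrs = {k.lower(): v for k, v in ATTR.findall(m.group(1))}
        if "src" in attrs:
            inventory[attrs["src"]] = attrs.get("integrity", "")
        else:
            inventory[f"inline:{n}"] = sri_hash(m.group(2).encode())
            n += 1
    return inventory

def audit_payment_page(html, baseline, allowed_hosts):
    """Return findings where the page differs from the approved baseline or breaks policy."""
    findings, current = [], script_inventory(html)
    for key, fingerprint in current.items():
        if not key.startswith("inline:"):
            host = urlparse(key).hostname  # None for same-origin relative paths
            if host and host not in allowed_hosts:
                findings.append(f"script from unapproved host: {key}")
            if not fingerprint:
                findings.append(f"external script without integrity attribute (6.4.3): {key}")
        if key not in baseline:
            findings.append(f"script not in approved baseline: {key}")
        elif baseline[key] != fingerprint:
            findings.append(f"script changed since approval: {key}")
    for key in baseline:
        if key not in current:
            findings.append(f"approved script missing (11.6.1): {key}")
    return findings
```

Run the audit on each fetch of the live payment page against the stored baseline; an empty list means nothing needs approving, anything else needs a human to accept it and re-snapshot, or to investigate.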



                  #83
                  Thanks Hugh for the info... It's good to hear from someone at Sellerdeck... it's been pretty quiet since Josh did the online meeting last year showing the search improvements.

                  I recently got the Google Ads with suggested polyfill.io problem and I advised on our ticket a few days ago on the ongoing Google Ads problem since upgrading from v18.06 to v18.22 on 22/05/23
                  (yes, it's over a year and not resolved)
                  - we had a "compromised site" warning from Google Ads with no information as to what it was
                  (we assumed it was to do with the "consent mode" not setup properly, and recently another warning revealed the keyword polyfill.io)

                  Strange that when I searched this forum a few days ago for polyfill.io, I only got 1 result = the "accordion" post

                  https://community.sellerdeck.com/for...-users-act-now

                  I guess I assumed since we don't use accordion it doesn't apply... but now seeing also the KB article, I'll have to check and apply this change.



                    #84
                    Could Sellerdeck have a section or have a downloadable pdf to list suggested fixes for various versions of the software?
                    eg. 18.22 users should apply following KB articles...

                    We have an ongoing problem with a site that shows the SellerdeckPayment fields after 10 to 20 second delay (our customers can't wait 5 seconds and chose bank transfer)...
                    and recently 1 customer advising a grey screen on the checkout page (with screenshots from Phone and PC, also choosing Bank Transfer - it's lost revenue to ClearAccept)
                    if this polyfill.io is to do with payment checkout then it's potentially a cause and so far not been suggested to apply this change.
                    update - applied the polyfill script change = did not fix this delay problem... *sigh*...

                    We also had a ticket that took a week of messages and creating a dummy site etc, only to find it was a known problem and was fixed in v18.2.3 (SD-9187)
                    - which revealed a lot more... the ftp connection was initially encrypted for login purposes but it can be switched off for the actual "commands" and/or "transfer of data"
                    - PCI DSS only tests the site, but doesn't test the client program itself / in this case the process "after" ftp login can be transfers of information in plain text.



                      #85
                      I have had a look and cannot see polyfill on my site, I am on 18.21.
                      Is it not an issue on all V18 versions as I have not done the fix?
                      Google ads have not flagged any issues either.
                      https://www.harrisontelescopes.co.uk/

                      Ed Harrison - Menmuir Scotland



                        #86
                        FYI... on two of our sites, the block of code for the polyfill.io is on TWICE... how?... I have no idea.
                        - it's above and below a block for Paypal... my only guess is maybe the Paypal Widget



                          #87
                          Jonathan
                          In answer to your question about the PERL update to SendRichMail - yes, that appears to be the one. Sorry for the delay in replying.
                          Andy
                          Andy Shercliff
                          www.4children2enjoy.co.uk



                            #88
                            3 month review time - failed, apparently 32 issues. Given that I've done nothing other than change a price or two, download the odd order etc., how can this occur?

                            The thought of going through this 4 times a year is soul destroying.

                            Asked "at what point following the "pass" 10 weeks ago did the site fall into "fail"..." but needless to say they can't provide that detail.
                            www.devotedly-discus.co.uk



                              #89
                              Originally posted by mje:
                              Asked "at what point following the "pass" 10 weeks ago did the site fall into "fail"..." but needless to say they can't provide that detail.
                              Post #72 above refers - at some point between 1st June and 7th June Qualys added further parameters/vulnerabilities to the scan. This was beyond Worldline/ClearAccept's control and may happen again without warning. Good, innit?

                              John (soul already destroyed).
                              John Ennals
                              www.tortoys.co.uk



                                #90
                                Has anyone got PCI compliant hosting running on shared hosting? I initially did with Brixly but it is starting to fail compliance now due to rapidly moving goalposts I believe.

                                Is Sellerdeck hosting managing to stay compliant?

                                Or do you need a VPS?

                                Thanks
                                Jonathan Chappell
                                Website Designer
                                SellerDeck Website Designer
                                Actinic to SellerDeck upgrades
                                Graphicz Limited - www.graphicz.co.uk

