PCI-DSS Compliance RE: Stone Edge, Hostasurus & Miva 5.5
This topic is closed.
    #1
    PCI-DSS Compliance RE: Stone Edge, Hostasurus & Miva 5.5

    Well I have been given written notice by PayQuake to be PCI-DSS compliant within 60 days or lose my merchant account. I now have an obligatory service with TrustWave @ $11+ per month to certify me and the process is daunting. Some 200+ questions, many of which are complete Greek to me (or geek).

    I feel very much like I am standing in a hornet's nest with three wolves standing around deciding what for dinner.........

    To start off, it appears that Stone Edge Order Manager will not be certified compliant until fall. So no more using that software to process phone orders, credits or voids......uggg.

    As for Hostasaurus, I went to them with one of the first questions:
    Questions for PCI-DSS compliance:

    1. Do you have a firewall (or similar protective device) between your
    e-commerce Web site and the internet?


    2. Does this firewall restrict access between the Web site and the
    Internet? (For example, does it allow only web-related traffic in?)
    ANSWER (read bottom up):

    David Hubbard, Posted On: Jun 22 2010 07:13 PM
    PCI doesn't require a firewall between the web server and the internet so they may be asking because they've misinterpreted the requirements. What it does require is the credit card data be stored on a physically separate server on an internal network and that server firewalled off from all traffic other than from the web server. Miva has not yet completed coding a way to accomplish that in existing Merchant 5.5 stores, only in new installs, so if that's the requirement they're really talking about there is no way to do it at this time.
    David
    [email protected]

    Lee Sutherburg, Posted On: Jun 22 2010 07:09 PM
    ok I'll put that in but it does not sound like that passes muster for them?

    David Hubbard, Posted On: Jun 22 2010 07:06 PM
    There is no firewall between the website and the internet Lee, the server has its own internal firewall software, but the server itself only listens for web traffic so basically nothing other than web traffic can get in anyway.
    David
    [email protected]
    Does this make sense to anyone? So there is no firewall? What am I missing?

    I will have more questions on this but I thought I'd go one at a time.
    Thanks!
    Last edited by Maxer; 06-25-10, 06:57 PM.
    Max

    www.MaxairEngineering.com
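The claim in the quoted exchange is that the web server "only listens for web traffic". That is something a merchant can check for themselves rather than take on faith. The script below is an added example (not code from this thread, from Hostasaurus or from Miva): it parses the output of `ss -tlnp` on a Linux host and flags every listener bound to a non-loopback address whose port is not on an allow-list. The sample `ss` output is constructed to show the output shape; the process names, PIDs and ports in it are invented, not a real host.

```python
"""Audit which TCP services a host exposes to the network.

Added example, not from the thread or any vendor named in it. Parses
`ss -tlnp` output and reports every LISTEN socket that is bound to a
non-loopback address and whose port is not on the allow-list. A listener
on 127.0.0.1 (for example a local database) is reachable only from the
host itself and is not reported.
"""
import re
import shutil
import subprocess

# Ports the internet is expected to reach on a web-only server.
WEB_PORTS = {80, 443}

# `ss -p` prints the owner as users:(("httpd",pid=812,fd=4)); grab the name.
PROC_RE = re.compile(r'\("([^"]+)"')


def parse_ss(output):
    """Yield (local_addr, port, process) for each LISTEN line of `ss -tlnp`."""
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue                      # header line or unexpected row
        addr, port = parts[3].rsplit(":", 1)   # "[::]:21" -> ("[::]", "21")
        m = PROC_RE.search(line)
        yield addr, int(port), (m.group(1) if m else "?")


def is_loopback(addr):
    """True for addresses only the host itself can reach."""
    return addr.startswith("127.") or addr in ("[::1]", "::1")


def audit_listeners(output, allowed=WEB_PORTS):
    """Return (port, process) for every network-exposed listener not on the allow-list."""
    findings = []
    for addr, port, proc in parse_ss(output):
        if is_loopback(addr) or port in allowed:
            continue
        findings.append((port, proc))
    return findings


def audit_live(allowed=WEB_PORTS):
    """Run the audit on the local host; returns None when `ss` is not installed."""
    if shutil.which("ss") is None:
        return None
    out = subprocess.run(["ss", "-tlnp"], capture_output=True, text=True, check=False).stdout
    return audit_listeners(out, allowed)


# Constructed sample in the shape `ss -tlnp` prints; not output from a real server.
SAMPLE_SS = """\
State   Recv-Q  Send-Q   Local Address:Port    Peer Address:Port  Process
LISTEN  0       511            0.0.0.0:80           0.0.0.0:*      users:(("httpd",pid=812,fd=4))
LISTEN  0       511            0.0.0.0:443          0.0.0.0:*      users:(("httpd",pid=812,fd=6))
LISTEN  0       128            0.0.0.0:22           0.0.0.0:*      users:(("sshd",pid=640,fd=3))
LISTEN  0       80           127.0.0.1:3306         0.0.0.0:*      users:(("mysqld",pid=701,fd=20))
LISTEN  0       128               [::]:21              [::]:*      users:(("vsftpd",pid=733,fd=3))
"""

if __name__ == "__main__":
    for port, proc in audit_listeners(SAMPLE_SS):
        print(f"exposed to the network: tcp/{port} ({proc})")
```

On the sample, sshd on 22 and vsftpd on 21 are reported; mysqld is not, because it is bound to 127.0.0.1. On a real host, run `audit_live()` as root so `ss` can resolve process names, and treat every finding as a service that either needs a firewall rule restricting who can reach it or should not be running at all. This checks what the host exposes; it says nothing about what is in front of it, which is the separate question the rest of the thread argues about.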

    #2
    Re: PCI-DSS Compliance RE: Stone Edge, Hostasurus & Miva 5.5

    Max,

    This is something everyone is dealing with. My advice: get rid of PayQuake. If I am not mistaken, Authorize.net was granted a year extension on this. So merchants have little wiggle room and move towards compliance.

    We have been using Stone Edge for 9 years now, Barney and his team at Stone Edge are working hard to make Order manager compliant. But they have to do it right.

    Hostasaurus is a great company for Miva shopping carts, David Hubbard has an excellent reputation and is quite knowledgeable. Over the years he has always been right on.

    Believe it or not, many servers do NOT have a "firewall". The firewall that you have at your office to protect your desktop PC is a different type of firewall, usually hardware. The server has internal software that protects the server.

    From one merchant to another, the compliance issue is going to be a nightmare for most. You cannot turn your business off. I would lose PayQuake for now and find another payment gateway, one that will work with you or give you more time. Move your website toward compliance. Remember, compliance is not just a website, it's also credit card processing, your ordering system, even your employees and the way you keep records. I'm sure most companies will not be 100% compliant by the date, but if we keep working towards it, we will all be ok.

    Good Luck,

    Kevin

    www.automotiveworkwear.com
    www.sullivanuniforms.com



      #3
      Re: PCI-DSS Compliance RE: Stone Edge, Hostasurus & Miva 5.5

      Originally posted by Krsullivan (quoting #2 above in full)

      What did PayQuake do wrong? I do not intend to dump them. I have been with them and enjoyed working with them for years. This compliance issue is nothing new.... there has been plenty of notice on this. PayQuake is not the one dictating the terms of compliance TrustWave is. I simply need to be certified by them.

      So you are saying from what you read here that I have no firewall?

      This all seems like a game of smoke & mirrors and misdirection mixed with some sleight of hand. As far as I can see Authorize.net is not a problem at all in my compliance.

      As far as I know there is an industry wide mandate here. I actually believe that it is a good thing. No, let me rephrase.... a great thing. I intend to comply not move to another company to get out of it.

      I have been with Stone Edge 7 years now - I have never sweated this until now. I never felt I would be behind the curve until now. I am having to take a giant step backwards until this is resolved and I won't pretend to be happy about it. I'll just deal with it.
      Last edited by Maxer; 06-25-10, 08:56 PM.
      Max

      www.MaxairEngineering.com



        #4
        Re: PCI-DSS Compliance RE: Stone Edge, Hostasurus & Miva 5.5

        Max,

        Sorry, I must have misunderstood, I read it wrong. I thought the problem was your payment gateway. So now I feel real stupid.

        TrustWave is like Control Scan a 3rd party verifier of PCI compliance correct?

        Our 4 websites have been out of compliance for 5 weeks now, Control Scan is scanning early before the date. I'm in the same boat, however, I have been forced to hire a third party company just to work with Control Scan, Hostasaurus, and Miva. It's difficult to get past the PCI companies' low-level first-tier idiots. You will be seeing a post of our experience with Control Scan (bring your popcorn and drink, it will be an entertaining story).

        Unix does not need a firewall like Windows Server. That should be a false positive, which your host should be able to provide you the needed documentation for, i.e. an email response, and then TrustWave should log that into their scan and clear up that failure (be prepared every 3 or 4 months to redo that). The scan companies do not have any idea how your server is configured, they scan for everything.

        Yes, it does look like smoke and mirrors, and it is disappointing that all this stuff has not been already figured out for us.

        I think my vendors will lose the certifications for a short while. Visa or MasterCard will just fine the payment gateways for each account that is not compliant, merchants will be charged a higher rate for charges (can you say revenue stream for credit card companies). This is no different from when they started requiring CVV codes (3 digit security code), card companies would still process the cards, only charged you a fee until you corrected the problem.

        I don't understand your company, all your web customers will see is that you don't have a little 3rd party icon seal on your site. Will sales drop slightly? Yes, but not that much. Believe me, I feel your pain.

        Again, my apologies for sticking my foot in my mouth.

        Kevin

        www.automotiveworkwear.com
        www.sullivanuniforms.com



          #5
          Re: PCI-DSS Compliance RE: Stone Edge, Hostasurus & Miva 5.5

          Yeap we are all sweating over this. Questions unanswered, ignored, answered wrong, everyone is chasing their tails. It's a mess, a complete and utter mess.
          Dan

          Girlfriends Lingerie - "Keeping It Sexy!"
          Sexy Lingerie - Twitter - Facebook - Pinterest - YouTube



            #6
            Re: PCI-DSS Compliance RE: Stone Edge, Hostasurus & Miva 5.5

            Originally posted by Krsullivan (quoting #4 above in full)
            Hey no worries Kevin - thanks for taking the time to chime in. I am not upset if there are issues that still need to be resolved.

            The problem is all the confusion. I just did a Google search to find out what these hard deadlines are and more confusion.

            I did find this :
            All compliance dates for Visa merchants have passed. Visa's PCI compliance validation requirements for merchants:
            So it sounds like we all should already be compliant.

            I also found this
            Per Visa, Chief Enterprise Risk Officer, Ellen Richey, "...no compromised entity has yet been found to be in compliance with PCI DSS at the time of a breach." However, it has nevertheless become a common misconception that companies have had security breaches while also being PCI DSS compliant. Much of this confusion is a result of the 2008 Heartland Payment Processing Systems breach, wherein more than one hundred million card numbers were compromised. Around this same time Hannaford Brothers and TJX Companies were similarly breached as a result of the alleged very same source of coordinated efforts of Albert "Segvec" Gonzalez and two unnamed Russian hackers.
            Sounds like a good system to aspire to. Listen, if people have problems with sensitive information on the internet we all lose. Making people feel (and be) safe on the web is in all our best interest.

            BTW I adopted the CVV code right away.....Thought it was a good thing. A no-brainer for me.

            Yes TrustWave just does the certification. So far I have spent 3 hrs on the phone with PayQuake & Trustwave and they have been AWESOME.......

            One thing that confuses me is that they have done a scan of my server and there were a couple of flags that I have disputed with info from David that TrustWave feels are false errors. Still waiting on the official word but according to the scan it appears everything is solid and PCI compliant. It's just that somehow these questions are not being translated properly....Somehow I am not getting the full picture. Quite frankly I expected Hostasaurus to BE fully compliant......It is just getting that info to TrustWave that is the problem..

            Again Thanks Kevin
            Last edited by Maxer; 06-25-10, 09:41 PM.
            Max

            www.MaxairEngineering.com



              #7
              Re: PCI-DSS Compliance RE: Stone Edge, Hostasurus & Miva 5.5

              Originally posted by Datagg
              Yeap we are all sweating over this. Questions unanswered, ignored, answered wrong, everyone is chasing their tails. It's a mess, a complete and utter mess.
              Well I appreciate the validation. I could not have stated my feelings better. THANK YOU

              Have you been given a hard deadline?
              Max

              www.MaxairEngineering.com



                #8
                Re: PCI-DSS Compliance RE: Stone Edge, Hostasurus & Miva 5.5

                Well, to be running anything on the internet without a real firewall, in this day and age of never ending hacks and exploits, is a bit crazy if you ask me. That is why we at dotCOM host implemented multiple Cisco ASA 5540 firewalls with IPS (Intrusion Prevention System) modules in all of them to protect all ecommerce web sites we host not only from the garden variety attacks, but also to provide application layer filtering for the common XSS exploits, WordPress hacks, etc.

                Yes, you can run a basic software firewall (like iptables, on Linux) but that's not adequate anymore - in my opinion. It's a passive firewall with very limited logic and only basic filtering options, allowing or disallowing traffic on certain ports (like port 80 for http traffic, port 443 for https traffic, etc). It doesn't do deep packet inspection, intrusion detection, or virtually anything else that a real firewall system does. It doesn't know "good traffic" from "bad traffic" - it just checks the port numbers whether they are open or closed, and will happily allow the "bad traffic" on open ports. May as well not have a firewall in the first place, because this type of firewall doesn't protect you from almost anything at all.

                A lot of the items on the PCI list are really wide open to interpretation. Some of the items we have all argued about that make no sense, or depend on very specific scenarios (like whether or not one can store credit card data, and if so - how that needs to be set up). However - having firewalls, regardless of PCI or PA-DSS or M.O.U.S.E. requirements, is still a very wise idea, to protect your web site and your online business from getting hacked and exploited for malicious purposes. My general opinion of PCI and PA-DSS aside, in a way I am glad it is forcing hosting companies to provide more than just basic servers with zero protection, when those servers are hosting ecommerce sites 24x7x365, with 24x7x365 opportunities for getting exploited and credit card numbers stolen. We sleep better at night, and our clients can sleep better at night, having a more substantial layer of security between our servers and the internet.
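The post above describes what a host packet filter such as iptables actually decides on: protocol, addresses and ports, with the payload never consulted. The script below is an added example (not code from this thread, from dotCOM host, Hostasaurus or Miva) that models that decision the way a Linux chain makes it: the first matching rule wins and the chain's default policy applies when nothing matches. Two rulesets are shown: a web server open on 80 and 443 (plus SSH from an assumed admin network), and the internal cardholder-data server described earlier in the thread, which accepts its database port only from the web server's address. All addresses and the two HTTP requests are made up. The same code illustrates the later point about HTTPS: a content check like `looks_like_xss` only works on plaintext, so inside a TLS connection a middlebox without the server's key sees none of it.

```python
"""First-match packet filtering as a Linux host firewall (e.g. iptables) does it.

Added example, not from the thread or any vendor named in it. A Packet is
reduced to the fields a port-based filter inspects; the payload is carried
along only to show that it plays no part in the verdict.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                    # "ACCEPT" or "DROP"
    proto: str = "tcp"
    dport: Optional[int] = None    # None matches any destination port
    src: str = "0.0.0.0/0"         # source network in CIDR notation


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str                       # source IP address
    dport: int                     # destination port
    payload: bytes = b""           # never consulted by evaluate()


def evaluate(rules: List[Rule], packet: Packet, policy: str = "DROP") -> str:
    """Return the action of the first rule the packet matches, else the chain policy."""
    src = ipaddress.ip_address(packet.src)
    for r in rules:
        if r.proto != packet.proto:
            continue
        if r.dport is not None and r.dport != packet.dport:
            continue
        if src not in ipaddress.ip_network(r.src):
            continue
        return r.action
    return policy


# Web server: web ports open to the world, SSH only from an assumed admin network.
WEB_RULES = [
    Rule("ACCEPT", dport=80),
    Rule("ACCEPT", dport=443),
    Rule("ACCEPT", dport=22, src="203.0.113.0/24"),   # assumed admin network
]

# Cardholder-data server on an internal network: reachable only from the web server.
WEB_SERVER_IP = "10.0.1.10"                           # assumed internal address
DB_RULES = [
    Rule("ACCEPT", dport=3306, src=f"{WEB_SERVER_IP}/32"),
]

# Constructed requests from the same client to port 80; only the payload differs.
BENIGN = Packet("tcp", "198.51.100.7", 80,
                b"GET /store/index.html HTTP/1.1\r\nHost: shop.example\r\n\r\n")
PROBE = Packet("tcp", "198.51.100.7", 80,
               b"GET /search?q=<script>alert(1)</script> HTTP/1.1\r\nHost: shop.example\r\n\r\n")


def looks_like_xss(payload: bytes) -> bool:
    """A deliberately naive content check, the kind a port filter never performs."""
    return b"<script" in payload.lower()


if __name__ == "__main__":
    for p in (BENIGN, PROBE):
        print(f"port filter: {evaluate(WEB_RULES, p)}   "
              f"content check flags it: {looks_like_xss(p.payload)}   "
              f"{p.payload[:45]!r}")
    print("db from web server:", evaluate(DB_RULES, Packet("tcp", WEB_SERVER_IP, 3306)))
    print("db from internet:  ", evaluate(DB_RULES, Packet("tcp", "198.51.100.7", 3306)))
```

Run it and both requests to port 80 come back ACCEPT from the filter while only the probe trips the content check; the database server accepts 3306 from the web server's address and drops the same port from anywhere else. That second ruleset is the segmentation the thread's first post describes, and it is a port filter doing exactly what it is good at. What the filter cannot do is the content check, and no device in the path can do it on HTTPS without terminating the TLS session itself.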



                  #9
                  Re: PCI-DSS Compliance RE: Stone Edge, Hostasurus & Miva 5.5

                  Thanks for chiming in Remik - So you are saying that I don't have a firewall and this does not meet PCI requirements?
                  Max

                  www.MaxairEngineering.com



                    #10
                    Re: PCI-DSS Compliance RE: Stone Edge, Hostasurus & Miva 5.5

                    Hello Remik,

                    Your post really scared me. It opened my eyes up to things I never really questioned over the years. We have a dedicated server, so now I'm a little worried by what you wrote . Are you basically stating we should demand a firewall from a managing host company that doesn't use them? Is the industry going to move that way, or do we have to shop around so to speak?

                    Thanks

                    Kevin

                    www.automotiveworkwear.com
                    www.sullivanuniforms.com



                      #11
                      Re: PCI-DSS Compliance RE: Stone Edge, Hostasurus & Miva 5.5

                      Originally posted by Krsullivan
                      Your post really scared me. It opened my eyes up to things I never really questioned over the years. We have a dedicated server, so now I'm a little worried by what you wrote . Are you basically stating we should demand a firewall from a managing host company that doesn't use them?
                      Absolutely!! Would you dare to drive a car anywhere without brakes and seatbelts? Firewalls are extremely important when you have something on the internet that hackers can target 24x7x365. It may not seem like something important when you have a static web site with no sensitive data to be stolen, but even then - hackers can (and often do) target small web sites to see if they can find ANYTHING to exploit - perhaps just to relay spam through your domain. It's free server resources, free bandwidth, and making someone else look bad in the process, so why not? I'd say a proper firewall in front of ANY server on the internet is an absolute must.



                        #12
                        Re: PCI-DSS Compliance RE: Stone Edge, Hostasurus & Miva 5.5

                        Or just send the request as https and bypass the application scanning; hmm, exploit succeeds, application-aware firewall did nothing.
                        David Hubbard
                        CIO
                        Miva
                        [email protected]
                        http://www.miva.com



                          #13
                          Re: PCI-DSS Compliance RE: Stone Edge, Hostasurus & Miva 5.5

                          I am using Innovative Gateway by Intuit; they're on board with Miva real well. I called and asked to make sure and was told that as long as we're using Miva not to worry, you are compliant and there will be no problem with credit card processing. One of the reasons we moved away from our old card processor was the extra charges and the letters that were telling us that we weren't compliant and not accepting anything from anybody that mattered.
                          Quality and Affordable Surveillance Equipment for Home and Business




                            #14
                            Re: PCI-DSS Compliance RE: Stone Edge, Hostasurus & Miva 5.5

                            That's not an entirely accurate assumption. While encrypted traffic cannot be fully inspected, the Cisco ASA IPS module does do deep packet inspection on https traffic to inspect headers, and checks for known attack signatures using Cisco Global Correlation network to dynamically recognize, evaluate, and stop emerging threats, including directed attacks, worms, botnets, malware, application abuse, etc. It stops outbreaks at the network edge level, before they reach the web servers. Fully inspecting https traffic requires decrypting it, which is possible with a number of various devices, but obviously requires even more hardware/software and more configuring of multiple systems between the network edge and the web servers.

                            And of course, none of this has anything to do with PCI requirements... they just want to see a physically separate firewall in front of the web server, a unit-tasker device (ie: not iptables running on the web server itself). That was the point of this story.
                            Last edited by d_host; 06-26-10, 11:18 AM.



                              #15
                              Re: PCI-DSS Compliance RE: Stone Edge, Hostasurus & Miva 5.5

                              Originally posted by surveillanceguy
                              I am using Innovative Gateway by Intuit; they're on board with Miva real well. I called and asked to make sure and was told that as long as we're using Miva not to worry, you are compliant and there will be no problem with credit card processing
                              LOL!! They can't be serious... either that, or perhaps you misunderstood what they were saying (or implying). The choice of payment gateway does not make your own web site automatically PCI compliant. You can still have a lot of known security holes on your web site or on the server, running application versions that are definitely not going to pass any PCI audits, etc. I think what they probably told you is that their gateway is compliant and as long as your web site is also compliant, you'll be fine, but the latter part is something you'll need to verify with a proper PCI security audit.
