PCI-DSS Compliance RE: Stone Edge, Hostasurus & Miva 5.5

This topic is closed.
    #61
    Re: PCI-DSS Compliance RE: Stone Edge, Hostasurus & Miva 5.5

    Quite frankly I would be concerned if my host did not have a firewall protecting their network from the internet. At Wolfpaw we use Cisco firewalls between our network and the internet. As Remik points out, the Cisco firewalls have internal logic that protects against denial of service and numerous other kinds of attacks.
    Jeffrey Koch - Wolfpaw Hosting LLC

    Miva Merchant Premier Hosting and Development Partner
    PCI / PA-DSS Certified eCommerce Solutions
    24x7 Free Telephone Technical Support: 972-219-6899
    http://www.wpcomp.com



      #62
      Re: PCI-DSS Compliance RE: Stone Edge, Hostasurus & Miva 5.5

      Originally posted by Jeff - Wolfpaw Hosting
      Quite frankly I would be concerned if my host did not have a firewall protecting their network from the internet. At Wolfpaw we use Cisco firewalls between our network and the internet. As Remik points out, the Cisco firewalls have internal logic that protects against denial of service and numerous other kinds of attacks.

      My understanding now is that we do have firewalls - software firewalls. There was a glitch in communication between me and David where he thought I was referring to hardware firewalls... it's all "geek" to me.
      Max

      www.MaxairEngineering.com



        #63
        Re: PCI-DSS Compliance RE: Stone Edge, Hostasurus & Miva 5.5

        Originally posted by Maxer
        1. So the MD5 security code has never worked?
        2. Should the field be empty during test mode?

        Thanks
        This got missed Rick
        Max

        www.MaxairEngineering.com



          #64
          Re: PCI-DSS Compliance RE: Stone Edge, Hostasurus & Miva 5.5

          I'm not 100% sure about the MD5 thing, and it doesn't seem worth it to have development go double check, but as I recall yes it never worked until recently.

          As for the test mode thing, if it works without the MD5 hash, then yes :)
          Thanks,

          Rick Wilson
          CEO
          Miva, Inc.
          https://www.miva.com



            #65
            Re: PCI-DSS Compliance RE: Stone Edge, Hostasurus & Miva 5.5

            Originally posted by Rick Wilson
            , and it doesn't seem worth it to have development go double check,
            Wow.........
            Max

            www.MaxairEngineering.com



              #66
              Re: PCI-DSS Compliance RE: Stone Edge, Hostasurus & Miva 5.5

              I didn't mean for that to come off poorly, it's the kind of thing that would end up eating up a few hours to chase down and I didn't see why it was valuable. If I'm missing something let me know and we'll figure it out.
              Thanks,

              Rick Wilson
              CEO
              Miva, Inc.
              https://www.miva.com



                #67
                Re: PCI-DSS Compliance RE: Stone Edge, Hostasurus & Miva 5.5

                Originally posted by Maxer
                My understanding now is that we do have firewalls - software firewalls.
                That may not be enough. PCI requirements are a little vague on the surface (the simplified 12-point checklist that everyone refers to), but if you dig deeper into the list at pcisecuritystandards.org you'll see multiple mentions that the firewall must be a stand-alone device, not a software firewall running on the same server as your web site or your database. They call it a "logical security perimeter" that is outside of the web servers, which by definition requires a separate hardware device to serve as the firewall, located between the remote visitors and your own web and database servers.

                Additionally, if you check "Requirement 6.6 Option 2: Web Application Firewalls", that also adds the application layer (Layer 7) filtering concept, i.e. automatically blocking XSS vulnerabilities, injections, etc. This cannot be done with a basic software firewall like the one your host is currently using. They may be calling that a firewall, which it is in 1984 terms, but it is NOT designed and set up in the way that PCI requirements call for. It is physically located on the same server as your web site, which means it is part of the same device, which means it is not in a separate security perimeter zone, and it most definitely cannot and will not handle Layer 7 application filtering.

                We chose to go with Cisco ASA firewalls with the IPS modules, which provide application layer filtering, intrusion prevention, and a whole lot more. According to our on-site auditors, that is the only way to get a proper firewall in place to pass PCI and PA-DSS requirements. That was an investment in the $200K+ range (plus ongoing yearly security update fees), but we believe this is of utmost importance to our e-commerce clients, so we made the decision to implement this correctly to provide this level of protection and security to all our clients.
                Last edited by d_host; 07-01-10, 08:40 AM.

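The two points argued in the post above, that a perimeter filter has to sit between segments rather than on the web server it is meant to protect, and that a port-based filter never looks at request content the way a Layer 7 WAF does, can be made concrete with a small model. The following is an added example and not code from any of the hosts in this thread, from Miva, or from the PCI SSC; the network segments, addresses, rule set and the three regular-expression signatures are all constructed for illustration, and the signatures are deliberately minimal (a real WAF normalises input and scores anomalies, and these patterns will both miss variants and fire on benign text such as a product description containing "union select"). It generalises the post slightly by chaining both layers in one evaluator so the reader can see which layer makes which decision.

```python
"""Toy model contrasting L3/L4 packet filtering with L7 (application-layer)
inspection. Added illustration only: not code from Miva, Wolfpaw, dotCOM host
or the PCI SSC. Every address, segment, rule and signature below is constructed.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed segments. Design intent: the internet reaches the web tier on 443
# only, and only the web tier reaches the database tier. A filter running on the
# web server itself cannot be the perimeter for its own host; this evaluator
# models a filter that sits *between* the segments.
WEB_NET = ip_network("10.10.1.0/24")
DB_NET = ip_network("10.10.2.0/24")


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: object            # ip_network or the string "any"
    dst: object            # ip_network or the string "any"
    dport: Optional[int]   # None = any destination port


# First match wins; the last rule is an explicit default deny.
L4_RULES = [
    Rule("allow", "any", WEB_NET, 443),
    Rule("allow", WEB_NET, DB_NET, 3306),
    Rule("deny", "any", "any", None),
]


def _matches(net, addr: str) -> bool:
    return net == "any" or ip_address(addr) in net


def l4_decision(src: str, dst: str, dport: int) -> str:
    """Stateless L3/L4 filter: it sees only addresses and ports, never content."""
    for rule in L4_RULES:
        if (_matches(rule.src, src) and _matches(rule.dst, dst)
                and (rule.dport is None or rule.dport == dport)):
            return rule.action
    return "deny"


# Constructed, deliberately minimal L7 signatures over HTTP request text.
# A real WAF normalises input and scores anomalies; the point here is only that
# the request *content* is examined, which the L4 filter above never does.
L7_SIGNATURES = {
    "xss": re.compile(r"<\s*script\b|javascript:", re.I),
    "sqli": re.compile(r"['\"]\s*(or|and)\s+\w+\s*=\s*\w+|union\s+select", re.I),
    "path_traversal": re.compile(r"\.\./|%2e%2e%2f", re.I),
}


def l7_inspect(request_line: str, body: str = "") -> List[str]:
    """Return the names of the signatures that match the request content."""
    text = f"{request_line}\n{body}"
    return [name for name, pat in L7_SIGNATURES.items() if pat.search(text)]


def evaluate(src: str, dst: str, dport: int,
             request_line: str = "", body: str = "") -> dict:
    """Chain both layers the way a perimeter firewall plus WAF deployment would."""
    if l4_decision(src, dst, dport) == "deny":
        return {"l4": "deny", "l7": [], "final": "deny"}
    hits = l7_inspect(request_line, body)
    return {"l4": "allow", "l7": hits, "final": "block" if hits else "allow"}


if __name__ == "__main__":
    # Constructed traffic: an ordinary request, a direct internet hit on the
    # database port, and a request the port filter accepts but the L7 layer flags.
    print(evaluate("203.0.113.5", "10.10.1.10", 443, "GET /cart?id=42 HTTP/1.1"))
    print(evaluate("203.0.113.5", "10.10.2.10", 3306))
    print(evaluate("203.0.113.5", "10.10.1.10", 443,
                   "GET /search?q=<script>alert(1)</script> HTTP/1.1"))
```

The third call is the case the post is about: `l4_decision` returns "allow" because the packet is simply internet-to-web on port 443, and only the `l7_inspect` pass, which reads the request text, turns that into a block. Whether that second pass runs on a dedicated appliance, a reverse proxy, or the web host itself is a deployment question; what the model shows is that no amount of address-and-port rules can make the first layer do the second layer's job.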


                  #68
                  Re: PCI-DSS Compliance RE: Stone Edge, Hostasurus & Miva 5.5

                  Originally posted by Rick Wilson
                  I didn't mean for that to come off poorly, it's the kind of thing that would end up eating up a few hours to chase down and I didn't see why it was valuable. If I'm missing something let me know and we'll figure it out.
                  Roger that.... I will check with Auth.net to see what the deal is.

                  Thank you again for the great attitude towards my concerns.....
                  Max

                  www.MaxairEngineering.com



                    #69
                    Re: PCI-DSS Compliance RE: Stone Edge, Hostasurus & Miva 5.5

                    Originally posted by dotCOM_host
                    That may not be enough. PCI requirements are a little vague on the surface (the simplified 12-point checklist that everyone refers to), but if you dig deeper into the list at pcisecuritystandards.org you'll see multiple mentions that the firewall must be a stand-alone device, not a software firewall running on the same server as your web site or your database.
                    I was told by my host that a software firewall is all that is required. That PCI site is rather large (and daunting); can you point me to where it says this?

                    They call it a "logical security perimeter" that is outside of the web servers, which by definition requires a separate hardware device to serve as the firewall, located between the remote visitors and your own web and database servers.
                    Where would I find this "definition"?

                    Additionally, if you check "Requirement 6.6 Option 2: Web Application Firewalls", that also adds the application layer (Layer 7) filtering concept, i.e. automatically blocking XSS vulnerabilities, injections, etc. This cannot be done with a basic software firewall like the one your host is currently using. They may be calling that a firewall, which it is in 1984 terms, but it is NOT designed and set up in the way that PCI requirements call for. It is physically located on the same server as your web site, which means it is part of the same device, which means it is not in a separate security perimeter zone, and it most definitely cannot and will not handle Layer 7 application filtering.
                    You can see why, with all this information, it is confusing to the layperson. Hence my confusion and frustration. I have been accused of ranting... actually soon I'll be past ranting and just wandering around aimlessly mumbling and drooling.

                    I'm a biker and I used to simply punch fools. Dealing with web/graphics/software people is something life never prepared me for..... Simply put, it is the bane of my existence.......

                    Thanks for the input Remik
                    Last edited by Maxer; 07-02-10, 08:47 AM.
                    Max

                    www.MaxairEngineering.com



                      #70
                      Re: PCI-DSS Compliance RE: Stone Edge, Hostasurus & Miva 5.5

                      Originally posted by Maxer
                      I was told by my host that a software firewall is all that is required. That PCI site is rather large (and daunting); can you point me to where it says this?
                      We have software-based firewalls that meet the PCI definition of what a firewall is, running on separate hardware that is logically 'in front of' the web servers; the other hosts in the thread, who don't even handle their own internet routing, feel they have some internal knowledge of how things are set up on our network, which they don't. We do appreciate that they spend such an inordinate amount of time thinking about our network, though.
                      David Hubbard
                      CIO
                      Miva
                      http://www.miva.com



                        #71
                        Re: PCI-DSS Compliance RE: Stone Edge, Hostasurus & Miva 5.5

                        Originally posted by ILoveHostasaurus
                        We have software-based firewalls that meet the PCI definition of what a firewall is, running on separate hardware that is logically 'in front of' the web servers; the other hosts in the thread, who don't even handle their own internet routing, feel they have some internal knowledge of how things are set up on our network, which they don't. We do appreciate that they spend such an inordinate amount of time thinking about our network, though.
                        David,

                        You are back to your old tongue twisting tricks. I guess "The Emperor" was found to have no clothes and you are upset about it. Much smaller companies than yours have proper firewalls in place, I'm surprised you chose not to build your network with more security in mind.

                        Just FYI, we do our own routing at two of our three datacenters, BGP and all, thank you very much. Something new you just learned.



                          #72
                          Re: PCI-DSS Compliance RE: Stone Edge, Hostasurus & Miva 5.5

                          Originally posted by dotCOM_host
                          David,

                          You are back to your old tongue twisting tricks. I guess "The Emperor" was found to have no clothes and you are upset about it. Much smaller companies than yours have proper firewalls in place, I'm surprised you chose not to build your network with more security in mind.
                          By emperor I assume you're referring to the fact that we host more Miva Merchant sites than any other partner by far; I appreciate the compliment. As far as the rest of your comments, since you do not know anything about our firewall configuration your statements are as stupid as ever.

                          Originally posted by dotCOM_host
                          Just FYI, we do our own routing at two of our three datacenters, BGP and all, thank you very much. Something new you just learned.
                          Sure you do, what's your AS number?
                          David Hubbard
                          CIO
                          Miva
                          http://www.miva.com



                            #73
                            Re: PCI-DSS Compliance RE: Stone Edge, Hostasurus & Miva 5.5

                            In case anyone's wondering why this thread is now closed, I was out of the office and our staff closed it because it turned into a personal argument.

                            I'm reviewing the thread right now and at a minimum I'm going to leave it closed until Tuesday, but it is up and viewable for posterity.

                            I personally asked our auditor on behalf of David about software firewalls, and our auditor confirmed that as long as they're properly configured they meet the requirement. Since neither Hostasaurus nor any other Miva Merchant host has been officially audited by a QSA and added to the PCI Service Provider list, it's impossible for me to comment on David's configuration and whether or not it's compliant.

                            Anyone else who would choose to comment has no valid authority to speak on the subject, because the bigger issue is until a host steps up and goes through an audit like we just did for PA-DSS, there is no way to know if you're in a truly compliant environment.

                            Finally, the only people who are able to speak on behalf of someone's compliance or lack thereof are certified PCI QSAs; so without a formal statement from a QSA attesting to someone's validation (or not), this discussion has gotten far off track.
                            Thanks,

                            Rick Wilson
                            CEO
                            Miva, Inc.
                            https://www.miva.com
