PCI Compliance

chrismcb
Forum Regular
Posts: 293
Joined: Tue Nov 23, 2010 7:30 am
Location: Glasgow, UK

PCI Compliance

Unread post by chrismcb »

Hi,

A client of mine uses PayPal's Payments Pro system, which allows them to take card payments on their website without the user having to go via the PayPal site.
PayPal still processes the payment, just behind the scenes.

They have been requested by PayPal to become "PCI Compliant", and PayPal recommend their "partner" TrustWave to perform a scan to check for compliance.

This scan is quite in depth and checks a lot of features and functions of the hosting server.
It did throw up a few cautions and one warning.

The cautions are easily explained away by informing TrustWave that the system is secured by ASL and their assumptions are based on a stock server.

The warning, however, deals with "Unencrypted Communication Channel Accessibility" and fails with the details:
The service running on this port (most often Telnet, FTP, etc.) appears to make use of a plaintext (unencrypted) communication channel. Payment industry policies (PCI 1.1.5.b, 2.2.2.b, 2.3, & 8.4.a) forbid the use of such insecure services/protocols. Unencrypted communication channels are vulnerable to the disclosure and/or modification of any data transiting through them (including usernames and passwords), and as such the confidentiality and integrity of the data in transit cannot be ensured with any level of certainty.
It then offers remediation as:
Transition to using more secure alternatives such as SSH instead of Telnet and SFTP in favor of FTP, or consider wrapping less secure services within more secure technologies by utilizing the benefits offered by VPN, SSL/TLS, or IPSec for example. Also, limit access to management protocols/services to specific IP addresses (usually accomplished via a “whitelist”) whenever possible.
I disputed the warning and received this reply:
Regrettably, the evidence being supplied here is not quite strong enough for us to process this dispute. Manual investigation shows that a connection via plain text can be established. The plain text functionality is still on. Even though the system has been configured to only allow FTPS-SSL/TLS protocols, credentials are still being sent in plain text. As a result, this system can be compromised. Payment industry policies (PCI 1.1.5.b, 2.2.2.b, 2.3, & 8.4.a) forbid the use of such insecure services/protocols. As such, we have denied this dispute based on the information provided regarding how this finding has been addressed.
Since it is a server running (S)FTP, I don't see how I can possibly do any more security - other than key authentication, which would be impossible to implement for users.


Has anyone else had this issue?
Is there anything I can come back to them with as a solid dispute to say "I'm secure"?


Thanks
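The scanner's objection in the post above is that the FTP control channel still accepts a username and password before any TLS negotiation, even when the server is "configured for FTPS". The following probe reproduces exactly that check against a server you administer. It is an added example, not code from the original thread, from Atomicorp or from TrustWave: it connects in the clear, asks FEAT to see whether AUTH TLS is advertised, then sends USER without having negotiated TLS. A server that enforces encryption before login (for instance vsftpd with force_local_logins_ssl=YES) answers with a 5xx reply; a server that answers 331 would take the password unencrypted, which is what the scan reported. The hostname, port and the probe username pci-probe are placeholders.

```python
"""Probe an FTP service for plaintext credential acceptance.

Added example for this thread, not code from Atomicorp, TrustWave or the
original poster.  Run it only against servers you administer.  It assumes
a standard FTP control channel on the given port and RFC 959 reply codes.
"""
import json
import sys
from ftplib import FTP, error_perm, error_temp

# Placeholder username for the probe; no password is ever sent.
PROBE_USER = "pci-probe"  # constructed value, not a real account


def classify_user_reply(reply: str) -> str:
    """Interpret the reply to a USER command sent before AUTH TLS.

    3xx  -> server wants PASS next on the clear channel: the scanner's finding
    5xx  -> server refuses until the channel is encrypted: the wanted behaviour
    else -> unexpected; look at the raw reply by hand
    """
    code = reply[:3]
    if code.startswith("3"):
        return "accepted-in-plaintext"
    if code.startswith("5"):
        return "refused-until-tls"
    return "unknown"


def check_plaintext_login(host: str, port: int = 21, timeout: float = 10.0) -> dict:
    """Connect without TLS, offer a username, and record how the server reacts."""
    result = {"host": host, "port": port, "tls_offered": None,
              "plaintext_user": "unreachable", "raw_reply": ""}
    ftp = FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
    except OSError:
        # Nothing listening, DNS failure or timeout: report and stop.
        return result
    try:
        # FEAT advertises extensions; a TLS-capable server lists AUTH TLS.
        try:
            result["tls_offered"] = "AUTH TLS" in ftp.sendcmd("FEAT").upper()
        except error_perm:
            result["tls_offered"] = False
        # USER on the unencrypted control channel.  A compliant setup replies
        # 5xx here (ftplib surfaces that as error_perm); 331 means the server
        # would accept the password in the clear.
        try:
            reply = ftp.sendcmd("USER " + PROBE_USER)
        except (error_perm, error_temp) as exc:
            reply = str(exc)
        result["raw_reply"] = reply
        result["plaintext_user"] = classify_user_reply(reply)
    finally:
        try:
            ftp.quit()
        except Exception:
            ftp.close()
    return result


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "ftp.example.invalid"  # placeholder host
    print(json.dumps(check_plaintext_login(target), indent=2))
```

If the result shows accepted-in-plaintext, the dispute will keep failing no matter what the configuration file says: the fix is to make the daemon refuse USER/PASS until TLS is up (or to move to SFTP, which never has a plaintext phase), and separately to encrypt the data channel, which this probe does not exercise. Restricting port 21 to a whitelist of management addresses, as the scanner's remediation text suggests, closes the finding from the scanner's vantage point as well.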
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: PCI Compliance

Unread post by scott »

Well, let's first back up here about the PCI Compliance requirement. Do you actually store or process PAN (Personal Account Number) data? If you do not, then you are under no requirement to meet this standard. It's likely that they are just spamming everyone in their list.
chrismcb
Forum Regular
Posts: 293
Joined: Tue Nov 23, 2010 7:30 am
Location: Glasgow, UK

Re: PCI Compliance

Unread post by chrismcb »

That's exactly what I thought, but they said that as the card details are being entered and passed from my server to theirs, compliance is required.

There is an SSL certificate in place, which I thought would cover it, e.g. the user enters details, they are sent over SSL to my server, sent over SSL to PayPal, and done.

Does this sound enough? Should I go back to them?
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: PCI Compliance

Unread post by scott »

So if indeed you do have visibility into the PAN data on your server(s), then you would be required to meet the requirements of the standard. So first, prove that this is the case before you spend a lot of time on this. Compliance is a lot more than just technical controls; there are management and policy ones too.

The slightly good news with PCI is that you can self-certify up to a certain transaction level. The bad news is that the security control groups involve much more than encryption in transit; it would also involve other things like desktop security on all administrative systems, architecture changes, role-based management (i.e., no shared accounts), encryption at rest, etc.
chrismcb
Forum Regular
Posts: 293
Joined: Tue Nov 23, 2010 7:30 am
Location: Glasgow, UK

Re: PCI Compliance

Unread post by chrismcb »

Thanks. I'll get back in touch with them.

It does seem excessive: it's a small company selling low-value, low-quantity items, trying to make a living.
They upgraded from PayPal Payments Standard (redirecting to the PayPal site then back) to Payments Pro as some users said they "didn't like PayPal".

They don't have a policy team, there's no "head office", no offline processing, no card details kept...


I'll report back with the resulting confirmation from PayPal/TrustWave.
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: PCI Compliance

Unread post by mikeshinn »

One way to solve this whole problem is to use an external provider to handle the credit card numbers so you never "see" the CC. For example, if you use PayPal or Authorize and the customer is just redirected to the CC provider's website, you don't have any PCI requirements.
chrismcb
Forum Regular
Posts: 293
Joined: Tue Nov 23, 2010 7:30 am
Location: Glasgow, UK

Re: PCI Compliance

Unread post by chrismcb »

Thanks Mike.

I've still not gotten in touch with them yet, but, in your opinion, to use PayPal's Website Payments Pro (link), do you think the site/server needs to be PCI compliant?

Technically they are processing, but it also technically comes through the server.


They wanted this offering as they had customers complain that they didn't like PayPal.
biggles
Forum Regular
Posts: 806
Joined: Tue Jul 15, 2008 2:38 pm
Location: Sweden

Re: PCI Compliance

Unread post by biggles »

When reading the page you refer to, it clearly says that you only need to be PCI compliant if you use the API. You can still use their hosted Pro solution, but not the API without PCI certification.
chrismcb
Forum Regular
Posts: 293
Joined: Tue Nov 23, 2010 7:30 am
Location: Glasgow, UK

Re: PCI Compliance

Unread post by chrismcb »

Thanks. I have now contacted my client to tell them that what they want just isn't feasible for 1) a shared hosting platform and 2) a small independent business who don't have offline policies etc. in place.

Since PayPal Pro also comes with a virtual terminal, their "offline" activities need to comply too.


They're now looking at SagePay's hosted solution as an alternative without a virtual terminal.
Highland
Forum Regular
Posts: 674
Joined: Mon Apr 10, 2006 12:55 pm

Re: PCI Compliance

Unread post by Highland »

Hmm, the US version of Pro doesn't have the same scary language about PCI. Might have to do with banking industry differences.
https://www.paypal.com/us/webapps/mpp/p ... yments-pro

The way I read the UK site is this (full disclosure: I am not a lawyer, definitely not British, and this is not legal advice, just my opinion):
PayPal wants you to be secure. You need to be PCI compliant. Like really, really compliant. If you're not, and fraud happens, we might turn you off if you're not compliant.
My understanding of PCI is that you need to comply at the base level. Don't log the PAN in plain text. Don't log the CVV2 at all. Use SSL. Install security. I base this on this PDF. The UK might be different.
"Its not a mac. I run linux... I'm actually cool." - scott
chrismcb
Forum Regular
Posts: 293
Joined: Tue Nov 23, 2010 7:30 am
Location: Glasgow, UK

Re: PCI Compliance

Unread post by chrismcb »

That was my understanding too, but they (PayPal) have said they want a PCI compliance certificate, or the account will be closed!

I have, though, had the feeling that the people I've spoken to in PayPal (UK) don't quite get the whole process or the technicalities.

I must also add that this all came about after my client got an email in which PayPal recommended TrustWave as the company to use to get the certificate... marketing ploy?


Bottom line of this scenario... they've lost a paying customer and all transactions through it.
JnascECSI
Forum Regular
Posts: 306
Joined: Mon Apr 14, 2008 8:29 am
Location: Rhode Island

Re: PCI Compliance

Unread post by JnascECSI »

Since I work for a credit card processing company and we are a TrustWave reseller for their PCI platform for over 100,000 of our merchants, I think I can add 2 cents here for you. If you are not using an API function with PayPal, which means the card data is being taken on your site and not redirected to a payment page on PayPal's side, then yes, you have to meet the requirement. If you are redirecting to PayPal, go back into the TrustKeeper account and change the card acceptance type to 3rd-party gateway; that's it, problem solved.

Like others mentioned, the only time you are required to scan your domain is if the CC data transaction is staying at the site or on the server. If you redirect, or in some cases still "I-Frame", the payment page of your gateway provider, then it is all handled by your gateway provider and a scan is not required; just the yearly SAQ has to be completed. The other way to look at it is: if the SSL on the page taking the credit card is your domain, then yes, you have to scan; if the SSL is that of your gateway provider, then the scan is not required.

I will confirm that TrustKeeper scans everything and they will not budge on certain matters no matter what you tell them in a dispute on a failure or false positive. Your best bet is to always let the gateway take the risk of the transaction process and use their payment pages as much as possible.

Hope this helps a little bit more.
James Nascimento
Chief Information Officer
East Commerce Solutions, Inc.
22 Morris Lane
East Providence, RI 02914
Ph. 800-527-5395 x263
Fax. 888-999-5891
chrismcb
Forum Regular
Posts: 293
Joined: Tue Nov 23, 2010 7:30 am
Location: Glasgow, UK

Re: PCI Compliance

Unread post by chrismcb »

Thanks for a definitive and authoritative post there...

In this instance, the SSL certificate was the site's. Payment info was captured on the site and transferred to the PayPal API "behind the scenes", so the info was already *available* to the server.

That was then the clincher: as it was *available*, PCI compliance for this seemingly transparent transfer was required.
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: PCI Compliance

Unread post by mikeshinn »

Exactly. If the server actually handles the data, then the data has to be protected. If you just redirect the user to someone else that handles the data, they have to protect it, and so on.

This is why redirects are a simple solution: you never handle the data, so you don't have to protect it, ergo no PCI compliance requirement. I always recommend to small businesses that they let someone else handle the data; PCI compliance requires a lot of security controls that small companies don't have and can't really support (like management and operational controls, policies, procedures, background checks, etc.).