Atomic Secure Linux
 Post subject: PCI Compliance
Posted: Mon Oct 21, 2013 7:09 am
Forum Regular

Joined: Tue Nov 23, 2010 7:30 am
Posts: 292
Location: Glasgow, UK
Hi,

A client of mine uses PayPal's Payments Pro system, which allows them to take card payments on their website without the user having to go via the PayPal site.
PayPal still processes the payment, just behind the scenes.

They have been requested by PayPal to become "PCI Compliant", and PayPal recommended their "partner" TrustWave to perform a scan to check for compliance.

This scan is quite in depth and checks a lot of features and functions of the hosting server.
It did throw up a few cautions and one warning.

The cautions are easily explained away by informing TrustWave that the system is secured by ASL and their assumptions are based on a stock server.

The warning, however, deals with "Unencrypted Communication Channel Accessibility" and fails with the details:
Quote:
The service running on this port (most often Telnet, FTP, etc…) appears to make use of a plaintext (unencrypted) communication channel. Payment industry policies (PCI 1.1.5.b, 2.2.2.b, 2.3, & 8.4.a) forbid the use of such insecure services/protocols. Unencrypted communication channels are vulnerable to the disclosure and/or modification of any data transiting through them (including usernames and passwords), and as such the confidentiality and integrity of the data in transit cannot be ensured with any level of certainty.


It then offers remediation as:
Quote:
Transition to using more secure alternatives such as SSH instead of Telnet and SFTP in favor of FTP, or consider wrapping less secure services within more secure technologies by utilizing the benefits offered by VPN, SSL/TLS, or IPSec for example. Also, limit access to management protocols/services to specific IP addresses (usually accomplished via a “whitelist”) whenever possible.


I disputed the warning and was replied with:
Quote:
Regrettably, the evidence being supplied here is not quite strong enough for us to process this dispute. Manual investigation shows that a connection via plain text can be established. The plain text functionality is still on. Even though the system has been configured to only allow FTPS-SSL/TLS protocols, credentials are still being sent in plain text. As a result, this system can be compromised. Payment industry policies (PCI 1.1.5.b, 2.2.2.b, 2.3, & 8.4.a) forbid the use of such insecure services/protocols. As such, we have denied this dispute based on the information provided regarding how this finding has been addressed.


Since it is a server running (S)FTP, I don't see how I can possibly do any more security - other than key authentication, which would be impossible to implement for users.


Has anyone else had this issue?
Is there anything I can come back to them with as a solid dispute to say "I'm secure"?


Thanks


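The finding quoted in the post above is easy to reproduce with a few lines of FTP protocol, and doing so shows what TrustWave's "credentials are still being sent in plain text" actually means. The following is an added example written for this page; it is not code from the original post, from TrustWave or from Atomicorp. It connects to the control port, notes whether FEAT advertises AUTH TLS, and then sends USER before any AUTH TLS to see whether the server asks for a password (331) or refuses the login (530/534). The host and user name are whatever the operator supplies, the FTP server software is not named anywhere in the thread, and the transcript at the bottom is constructed to show the failing case the dispute response describes: FTPS is available, but the server will still take a login on the unencrypted channel.

```python
"""Probe an FTP control port for the condition behind the scanner finding:
a server that accepts a login on the unencrypted channel even though it
also supports FTPS (explicit TLS via AUTH TLS).

Added example for this page; not code from the post, TrustWave or Atomicorp.
"""
import io
import socket


def read_reply(rfile):
    """Read one RFC 959 reply from a text stream and return (code, lines).

    Handles multi-line replies such as "211-Features:" ... "211 End", where
    the final line repeats the code followed by a space.
    """
    first = rfile.readline()
    if not first:
        raise ConnectionError("server closed the control connection")
    code = first[:3]
    lines = [first.rstrip("\r\n")]
    if first[3:4] == "-":                      # multi-line reply
        while True:
            line = rfile.readline()
            if not line:
                raise ConnectionError("truncated multi-line reply")
            lines.append(line.rstrip("\r\n"))
            if line.startswith(code + " "):    # terminating line
                break
    return code, lines


def reply_from_text(text):
    """Parse a reply captured as text (used for the constructed transcript)."""
    return read_reply(io.StringIO(text, newline=""))


def parse_feat(lines):
    """Feature names from a 211 FEAT reply, e.g. {'AUTH TLS', 'PBSZ', 'PROT'}."""
    return {line.strip().upper() for line in lines[1:-1] if line.strip()}


def classify_user_reply(code):
    """Interpret the reply to a USER command sent before any AUTH TLS."""
    if code in ("331", "230"):     # password requested, or logged straight in
        return "accepted"
    if code in ("530", "534"):     # not logged in / denied for policy reasons
        return "refused"
    return "unexpected"


def assess(features, user_code):
    """Scanner-style verdict from the advertised features and the USER reply."""
    tls_offered = "AUTH TLS" in features or "AUTH SSL" in features
    login = classify_user_reply(user_code)
    if login == "accepted":
        how = " (TLS is offered but not enforced)" if tls_offered else " (no TLS at all)"
        verdict = "FAIL: credentials accepted in the clear" + how
    elif login == "refused":
        verdict = "PASS: login refused before AUTH TLS"
    else:
        verdict = "INCONCLUSIVE: unexpected reply " + user_code
    return {"tls_offered": tls_offered,
            "plaintext_login": login == "accepted",
            "verdict": verdict}


def probe(host, port=21, user="anonymous", timeout=10):
    """Live check against host:port (needs network; host and user are whatever
    the operator chooses). Sends FEAT, then USER with no AUTH TLS, then QUIT."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("r", encoding="latin-1", newline="")
        read_reply(rfile)                                    # 220 banner
        sock.sendall(b"FEAT\r\n")
        feat_code, feat_lines = read_reply(rfile)
        features = parse_feat(feat_lines) if feat_code == "211" else set()
        sock.sendall(b"USER " + user.encode("ascii") + b"\r\n")
        user_code, _ = read_reply(rfile)
        sock.sendall(b"QUIT\r\n")
    return assess(features, user_code)


# Constructed transcript (not captured from any real host): the server
# advertises AUTH TLS yet still asks for a password on the plaintext channel,
# which is exactly what the dispute response describes.
SAMPLE_FEAT = ("211-Features:\r\n AUTH TLS\r\n PBSZ\r\n PROT\r\n"
               " UTF8\r\n211 End\r\n")
SAMPLE_USER_REPLY = "331 Please specify the password.\r\n"


def demo():
    """Run the assessment over the constructed transcript."""
    feat_code, feat_lines = reply_from_text(SAMPLE_FEAT)
    features = parse_feat(feat_lines) if feat_code == "211" else set()
    user_code, _ = reply_from_text(SAMPLE_USER_REPLY)
    return assess(features, user_code)


if __name__ == "__main__":
    print(demo()["verdict"])
```

Run it as-is to see the constructed case, or call probe("ftp.example.test") (hypothetical hostname) against a real host. The result that clears the finding is a 530 or 534 to USER before AUTH TLS: in vsftpd that is ssl_enable=YES with force_local_logins_ssl=YES, in ProFTPD TLSRequired on. Explicit FTPS on port 21 still begins in the clear, so a scanner may flag the plaintext banner even when logins are refused; if it does, the remediation TrustWave itself lists applies: restrict the port to known source addresses, or move the users to SFTP.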
 Post subject: Re: PCI Compliance
Posted: Mon Oct 21, 2013 10:23 am
Atomicorp Staff - Site Admin

Posts: 8313
Location: earth
Well, let's first back up here about the PCI Compliance requirement. Do you actually store or process PAN (Personal Account Number) data? If you do not, then you are under no requirement to meet this standard. It's likely that they are just spamming everyone on their list.


 Post subject: Re: PCI Compliance
Posted: Mon Oct 21, 2013 10:30 am
Forum Regular

Joined: Tue Nov 23, 2010 7:30 am
Posts: 292
Location: Glasgow, UK
That's exactly what I thought - but they said as the card details are being entered and passed from my server to theirs, compliance is required.

There is an SSL certificate in place, which I thought would cover it... e.g. User enters details, sent over SSL to my server, sent over SSL to PayPal and done.

Does this sound enough? Should I go back to them?


 Post subject: Re: PCI Compliance
Posted: Mon Oct 21, 2013 10:40 am
Atomicorp Staff - Site Admin

Posts: 8313
Location: earth
So if indeed you do have visibility into the PAN data on your server(s), then you would be required to meet the requirements of the standard. So first, prove that this is the case before you spend a lot of time on this. Compliance is a lot more than just technical controls; there are management and policy ones too.

The slightly good news with PCI is that you can self-certify up to a certain transaction level. The bad news is that the security control groups involve much more than encryption in transit, it also would involve other things like desktop security on all administrative systems, architecture changes, role based management (ie, no shared accounts), encryption at rest, etc.


 Post subject: Re: PCI Compliance
Posted: Mon Oct 21, 2013 10:44 am
Forum Regular

Joined: Tue Nov 23, 2010 7:30 am
Posts: 292
Location: Glasgow, UK
Thanks - I'll get back in touch with them.

It does seem excessive: it's a small company selling low-value, low-quantity items, trying to make a living.
They upgraded from PayPal Payments Standard (redirecting to the PayPal site then back) to Payments Pro as some users said they "didn't like PayPal".

They don't have a policy team, there's no "head office", no offline processing, no card details kept...


I'll report back with the resulting confirmation from PayPal/TrustWave.


 Post subject: Re: PCI Compliance
Posted: Mon Oct 21, 2013 4:37 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 4009
Location: Chantilly, VA
One way to solve this whole problem is to use an external provider to handle the credit card numbers so you never "see" the CC. For example, if you use Paypal or Authorize and the customer is just redirected to the CC provider's website, you don't have any PCI requirements.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


 Post subject: Re: PCI Compliance
Posted: Mon Oct 21, 2013 4:52 pm
Forum Regular

Joined: Tue Nov 23, 2010 7:30 am
Posts: 292
Location: Glasgow, UK
Thanks Mike.

I've still not gotten in touch with them yet, but, in your opinion, to use PayPal's Website Payments Pro (link), do you think the site/server needs to be PCI compliant?

Technically they are processing, but it also technically comes through the server.


They wanted this offering as they had customers complain that they didn't like PayPal.


 Post subject: Re: PCI Compliance
Posted: Tue Oct 22, 2013 8:37 am
Forum Regular

Joined: Tue Jul 15, 2008 2:38 pm
Posts: 803
Location: Sweden
When reading the page you refer to, it clearly says that you only need to be PCI compliant if you use the API. You can still use their hosted Pro solution, but not the API without PCI certification.


 Post subject: Re: PCI Compliance
Posted: Tue Oct 22, 2013 8:40 am
Forum Regular

Joined: Tue Nov 23, 2010 7:30 am
Posts: 292
Location: Glasgow, UK
Thanks - I have now contacted my client to tell them that what they want just isn't feasible for 1) a shared hosting platform and 2) a small independent business who don't have offline policies etc in place.

Since PayPal Pro also comes with a virtual terminal, their "offline" activities need to comply too.


They're now looking at SagePay's hosted solution as an alternative without a virtual terminal.


 Post subject: Re: PCI Compliance
Posted: Tue Oct 22, 2013 9:48 am
Forum Regular

Joined: Mon Apr 10, 2006 12:55 pm
Posts: 674
Hmm, the US version of Pro doesn't have the same scary language about PCI. Might have to do with banking industry differences.
https://www.paypal.com/us/webapps/mpp/p ... yments-pro

The way I read the UK site is this (full disclosure: I am not a lawyer, definitely not British, and this is not legal advice, just my opinion)
Quote:
Paypal wants you to be secure. You need to be PCI compliant. Like really, really compliant. If you're not, and fraud happens, we might turn you off if you're not compliant.


My understanding of PCI is that you need to comply at the base level. Don't log the PAN in plain text. Don't log the CVV2 at all. Use SSL. Install security. I base this on this PDF. The UK might be different.

_________________
"Its not a mac. I run linux... I'm actually cool." - scott


 Post subject: Re: PCI Compliance
Posted: Tue Oct 22, 2013 10:02 am
Forum Regular

Joined: Tue Nov 23, 2010 7:30 am
Posts: 292
Location: Glasgow, UK
That was my understanding too - but they (PayPal) have said they want a PCI compliance certificate, or the account will be closed!

I have, though, had the feeling that the people I've spoken to in PayPal (UK) don't quite get the whole process or the technicalities.

I must also add that this all came about after my client got an email when PayPal recommended TrustWave as the company to use to get the certificate... marketing ploy?


Bottom line of this scenario... they've lost a paying customer and all transactions through it.


 Post subject: Re: PCI Compliance
Posted: Tue Oct 22, 2013 10:32 am
Forum Regular

Joined: Mon Apr 14, 2008 8:29 am
Posts: 306
Location: Rhode Island
Since I work for a credit card processing company and we are a TrustWave reseller for their PCI platform for over 100,000 of our merchants, I think I can add my 2 cents here for you. If you are not using an API function with PayPal, which means the card data is being taken on your site and not redirected to a payment page on PayPal's side, then yes, you have to meet the requirement. IF you are redirecting to PayPal, go back into the TrustKeeper account and change the card acceptance type to 3rd Party Gateway; that's it, problem solved.

Like others mentioned, the only time you are required to scan your domain is if the CC data transaction is staying at the site or on the server. If you redirect (or, in some cases, still iframe) the payment page of your gateway provider, then it is all handled by your gateway provider and a scan is not required; just the yearly SAQ has to be completed. Another way to look at it: if the SSL on the page taking the credit card is for your domain, then yes, you have to scan; if the SSL is that of your gateway provider, then the scan is not required.

I will confirm that TrustKeeper scans everything and they will not budge on certain matters no matter what you tell them in a dispute on a failure or false positive. Your best bet is to always let the gateway take the risk of the transaction process and use their payment pages as much as possible.

Hope this helps a little bit more.

_________________
James Nascimento
Chief Information Officer
East Commerce Solutions, Inc.
22 Morris Lane
East Providence, RI 02914
Ph. 800-527-5395 x263
Fax. 888-999-5891


 Post subject: Re: PCI Compliance
Posted: Tue Oct 22, 2013 10:35 am
Forum Regular

Joined: Tue Nov 23, 2010 7:30 am
Posts: 292
Location: Glasgow, UK
Thanks for a definitive and authoritative post there...

In this instance, the SSL certificate was of the site's - payment info was captured on the site and transferred to the PayPal API "behind the scenes" - so the info was already *available* to the server.

That was then the clincher - as it was *available* PCI compliance for this seemingly transparent transfer was required.


 Post subject: Re: PCI Compliance
Posted: Tue Oct 22, 2013 10:41 am
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 4009
Location: Chantilly, VA
Exactly. If the server actually handles the data, then the data has to be protected. If you just redirect the user to someone else that handles the data, they have to protect it, and so on.

This is why redirects are a simple solution: you never handle the data, so you don't have to protect it; ergo no PCI compliance requirement. I always recommend to small businesses that they let someone else handle the data. PCI compliance requires a lot of security controls that small companies don't have and can't really support (like management and operational controls, policies, procedures, background checks, etc.).

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.

