  1. #1

    VISA PA DSS - The fall of small to medium ecommerce businesses?

    Greetings:

    July 1, 2010 is the deadline by VISA for any application touching credit card data to be PA DSS compliant (this is separate from PCI compliance).

    A number of articles touch on this subject matter:

    http://www.merchantaccountblog.com/7...pci-was-a-mess

    http://whirmagazine.texterity.com/whirmagazine/200905/ (pages 12 and 13)

    http://www.thewhir.com/blog/Rick_Wil...ce_Web_Hosting

    ###

    What are your thoughts on how this issue will impact you as a hosting or managed service provider if nothing gets in VISA's way of the July 1, 2010 deadline for PA DSS?

    Thank you.
    ---
    Peter M. Abraham
    LinkedIn Profile

  2. #2
    I for one am somewhat excited about this.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  3. #3
    My prediction is that everybody will think a bit more about the security of their applications, small merchants will be forced to move to something like Paypal/2co to take the guesswork out of the equation and all will be like before.

  4. #4
    I'm moving my clients to AuthorizeNet SIM or paypal or both.

  5. #5
    This is the result of PCI DSS 1.2 released Oct 2008. This gave all of us 1.5 years to get our act together and use reliable secure and tested software. This date is only for existing merchants. Any new merchant is already required to use PA-DSS certified software.

    I tried to find a few of the posts I made about the subject here but they appear to have disappeared after the last WHT hack.

    Here's a few things to think about: anyone using WHMCS, Plesk Billing, Ubersmith or any other non-compliant software must find an alternative before the 2010 deadline. I have spoken with a few software vendors and my results varied. Plesk sent me some official internal documents outlining their plan, the WHMCS developer said he is working on it and left it at that, and Ubersmith didn't even know what PCI was.

    I suggest each and every one of us call, write and pretty much bug our software vendors until they have a date for compliance or are compliant.

    Another issue with PA-DSS compliance is we can only use the version that has been tested compliant. Every major release will need to be re-certified and cannot be used until certified. Additionally, anyone using open source solutions will be left out in the cold and PA-DSS certification is expensive.
    ZZ Servers - Business Hosting, HIPAA and PCI Compliant Hosting Solutions - http://www.zzservers.com
    Xen Virtual Private Servers | Dedicated Servers | Shared Hosting
    Custom configurations, firewall, VPN, load balancers, private networks and more.

  6. #6
    Wow, that's pretty bad that Ubersmith doesn't even know about PCI, especially given their price tag.

    "Another issue with PA-DSS compliance is we can only use the version that has been tested compliant. Every major release will need to be re-certified and cannot be used until certified. Additionally, anyone using open source solutions will be left out in the cold and PA-DSS certification is expensive."

    Ah yes, this goes to show how much the PCI people are disconnected from reality. I mean, suppose the new version contains a fix for security, how is it reasonable to delay this for "compliance" purposes? I also like how this leaves out Open Source, which has a better chance at security than a closed source product.
    Not knocking you, just showing how PCI seems to be a big can of worms and yes I'm in a department that will deal with PCI extensively.

    Best solution still is to pawn off the PCI requirement by sending customers to Paypal / another payment site to make their payments to you and thus avoid ever touching any credit card info.
    You're spot on about this though, so don't take this as me shooting the messenger :p

  7. #7
    Quote Originally Posted by Bvs[NL] View Post
    Ah yes, this goes to show how much the PCI people are disconnected from reality. I mean, suppose the new version contains a fix for security, how is it reasonable to delay this for "compliance" purposes? I also like how this leaves out Open Source, which has a better chance at security than a closed source product.
    I did say major release; this does account for bug fixes, i.e. a re-certification would be required for a feature release.

  8. #8
    Well that does make more sense and it's good to see that exception is there.
    I guess that only leaves the question of "what is a release?"

    Some of the PCI rules rely on interpretation (by an Acquirer, auditor, committee) and that alone gives me the shivers.

  9. #9
    Here's another billing program that may become PA-DSS certified.. though they were not too clear about their path to get there.

    http://www.webhostingtalk.com/showth...97#post6247897

  10. #10
    Greetings Steven:

    May I ask why you are excited about this issue?

    Greetings Zendzipr:

    What about small ecommerce providers using oscommerce or similar open source applications?

    What does PA DSS do to the open source community?

    Given that every version will have to be retested, given the current state of economy, do you think the application vendors will eat the $20,000 to $200,000 costs (per re-certification) or pass it onto their customers (which would be hosting providers and customers of hosting providers)?

    Lastly, if an application has no known vulnerabilities per secunia, cert, etc, and the operating system is tested finding no vulnerabilities and the server running the application passes current PCI compliance scans, of what additional benefit does PA DSS provide?

    Thank you.

  11. #11
    Quote Originally Posted by dynamicnet View Post
    Greetings Steven:

    May I ask why you are excited about this issue?
    I will go out on a limb but it may get rid of some of the competition. Those hosting companies who do not wish to deal with PCI compliance, either as a merchant or a service provider, will start competing for non-ecommerce business. They will not be able to host any customers who require PCI compliance in any way, shape or form.

    Quote Originally Posted by dynamicnet View Post
    What about small ecommerce providers using oscommerce or similar open source applications?

    What does PA DSS do to the open source community?
    PA-DSS does nothing to the open source community, as long as you don't try to use the software to store, transmit or process credit cards. Products such as OSCommerce will not be able to be used in a scenario where it is used to store, transmit or process credit cards but will work fine if using PayPal. There may be some PA-QSAs who may donate time to getting some open source programs certified but I would not count on it, especially if it is something your business depends on. Just so you know, there are only a few hundred certified PA-QSAs (I only know one personally) so they will probably be loaded down with paying work.

    Quote Originally Posted by dynamicnet View Post
    Given that every version will have to be retested, given the current state of economy, do you think the application vendors will eat the $20,000 to $200,000 costs (per re-certification) or pass it onto their customers (which would be hosting providers and customers of hosting providers)?
    A new version will most likely require less detail for testing, i.e. what changed, etc., not the whole code base. Even still, compliance is a cost of doing business in any regulatory environment and costs will of course get passed on to the customers or eat into the profit if there is any. We may see some businesses not be able to deal with PCI and be forced to change business models.

    Quote Originally Posted by dynamicnet View Post
    Lastly, if an application has no known vulnerabilities per secunia, cert, etc, and the operating system is tested finding no vulnerabilities and the server running the application passes current PCI compliance scans, of what additional benefit does PA DSS provide?
    There is more, much more to PA DSS certification than secunia. I suggest downloading this PDF and read through it. There are hundreds of individual items which are in there which are required to pass and certify, all of them are designed to protect cardholder data.

  12. #12
    Quote Originally Posted by zendzipr View Post
    ...PA-DSS does nothing to the open source community, as long as you don't try to use the software to store, transmit or process credit cards. Products such as OSCommerce will not be able to be used in a scenario where it is used to store, transmit or process credit cards but will work fine if using PayPal.
    This is not entirely true. If a merchant customizes the software at all, then they can assume the responsibility of ensuring that custom software is PA-DSS compliant (as it falls under the custom software for a single company's use). The open source software makers do not have to go through an official mega-bucks audit, as it can be custom software for each merchant. Please do not paint a doom and gloom 100% or 0% scenario for every merchant on the planet...

    And the waters are still murky on custom software, as you can assume your own responsibility for ensuring your software passes the PCI guidelines, which is similar to a self assessment questionnaire.

    - John C.

  13. #13
    Quote Originally Posted by JohnCrowley View Post
    This is not entirely true. If a merchant customizes the software at all, then they can assume the responsibility of ensuring that custom software is PA-DSS compliant (as it falls under the custom software for a single company's use). The open source software makers do not have to go through an official mega-bucks audit, as it can be custom software for each merchant. Please do not paint a doom and gloom 100% or 0% scenario for every merchant on the planet...
    No, you are absolutely correct, but your method oversimplifies the reality of PCI with regards to the payment application. If you take an open source application into your PCI environment you will be required to complete the full code review per PCI DSS requirements as if it were your own software, and create your own branch and maintain your code review, release and change management. Not a simple task for any small shop.

    My statement is still valid in most current situations. Your average online shop that uses open source payment applications will not be able to use it any longer if only for the code review alone. Doing a code review requires an actual knowledge of programming and the ability to understand the code. I can say with a rather high level of certainty that many users of open source payment applications will not be able to complete a code review on their own. Each and every company that uses the open source payment application will be required to perform a code review. Section 6.3 is quite clear about this.

    PCI DSS 6.3.7.a
    Code changes are reviewed by individuals other than the originating code author, and by individuals who are knowledgeable in code review techniques and secure coding practices.
    There are even people in the industry that take it a bit further than I have here.

    From Rick Wilson
    “What about home grown and open source shopping cart solutions? What happens to them on July 1st, 2010. I asked this question to our auditor and his answer was telling, he said that “essentially if an application can’t be PA-DSS certified because it’s not developed by a single entity for example, then the service provider of that entity will need to become PCI Level 1 certified in order to keep offering that and be in compliance”.
    Now this goes overboard; you can have open source software and be a level 4 merchant. Of course level 3 and 4 do not have to have on-site audits so they can do what many do and just mark yes to everything and be done with it. Of course this is one of the reasons level 2 merchants are now required to have on-site audits.

    Quote Originally Posted by JohnCrowley View Post
    And the waters are still murky on custom software, as you can assume your own responsibility for ensuring your software passes the PCI guidelines, which is similar to a self assessment questionnaire.
    No, PCI is quite clear on this. You can write your own software as long as you are the only user of it, i.e. your company has a custom application written for it or writes it itself for its own use. Of course the code review and other items found in section 6.3 still apply.

  14. #14
    Quote Originally Posted by zendzipr View Post
    ...There are even people in the industry that take it a bit further than I have here.
    Rick Wilson has a bit of a self serving interest in that Miva is trying to position itself as the solution for non PA-DSS software applications, so he is not the best independent authority on the subject.

    ...Of course level 3 and 4 do not have to have on-site audits so they can do what many do and just mark yes to everything and be done with it. Of course this is one of the reasons level 2 merchants are now required to have on-site audits.
    Level 2 merchants do more than one million transactions per year (84,000 charges per month), so this will not affect 99% of all SMBs.

    (run-on sentence warning) I'm all for increased security, but when it becomes an undue burden on SMBs, and then if your company does have a breach, PCI compliance will not stop the fines or audits, or tighter controls, then the whole system seems to be quite broken besides the payment industry making more money through ASVs, auditors, large yearly fees to be listed on any approved list, etc...

    - John C.

  15. #15
    Quote Originally Posted by JohnCrowley View Post
    Rick Wilson has a bit of a self serving interest in that Miva is trying to position itself as the solution for non PA-DSS software applications, so he is not the best independent authority on the subject.
    Is anyone not self serving?

    Quote Originally Posted by JohnCrowley View Post
    (run-on sentence warning) I'm all for increased security, but when it becomes an undue burden on SMBs, and then if your company does have a breach, PCI compliance will not stop the fines or audits, or tighter controls, then the whole system seems to be quite broken besides the payment industry making more money through ASVs, auditors, large yearly fees to be listed on any approved list, etc...
    No one said it is fair, but if you want to process credit cards the payment brands have spoken and we have to drop in line and comply. There are always alternatives and ways to avoid the fees. If a business cannot afford the time and infrastructure it takes to be compliant, there is always PayPal or any of the other outsourced solutions. Please don't take me the wrong way, PCI compliance is expensive and I wish there was another way of doing it, but the old days of the wild west internet with plain text PANs and lax security have passed us by. The card brands are doing everything they can to prevent fraud and we the merchants are totally out of their control. PCI was created to bring some semblance of control. It is not perfect but it's better than none at all.

    And yes, if you do have a breach and are found to be compliant PCI has a safe harbor provision. Of course, there is always a catch 22. There are so many steps in the process of compliance that it is easy to be found out of compliance. Something as simple as out of date anti virus software can do it. So with all of these things that can cause potential non-compliance, using PA-DSS certified software removes some of the complexity and reduces your chance of being non-compliant.

    Credit card companies do not make money from the audits and merchants do not have to be listed; that is optional, with the one exception being payment applications. You do have to pay approximately $1k annually to get a payment application listed.

    I expect things to get even muddier when the government starts passing legislation. One of the things the government wants is more penetration tests. You think PCI is expensive now, just think about that annual $$$ penetration test becoming a quarterly or a monthly test.

  16. #16
    Greetings zendzipr:

    Here's what we've been running into with regards to the entire PCI compliance issue (for which we passed):

    One of the preliminary PCI compliance scans failed because the web site builder software (for which the author purposely set it up not to work with SSL; why is only for them to answer) did not have SSL for a login page (and could not due to the way it was programmed to interface with itself as well as the automation technology).

    Even though the operating system was scanned and found to have no vulnerabilities, and even though all applications (including the site builder) were scanned with no vulnerabilities, because the site builder software did not use SSL for its login page the overall scan failed.

    Now, when the scanning company as well as the bank were asked what this failure has to do with the spirit of PCI compliance (which is the protection of credit card data), I was just given rhetoric.

    When I pressed the matter, they stated that given time they could break into the web site design / builder software.

    So then I stated, “So what? While bad, you could deface the site, but not get access to credit card data.” They were speechless.

    Then they went on to state that most consumers use the same credentials and now they had credentials they could use everywhere else on our system.

    So, I then stated, “So what? If you log into the automation system with the same credentials as the site builder software you see the last four digits of their card (not everyone’s), and you still don’t have a single credit card. The automation technology doesn't have an edit card feature (you add or delete).

    Again, they were speechless and went back to their rhetoric.

    Now, in the end to move forward we ended up converting the customers on the site design software, turning off that feature of hosting, and did get PCI compliant.

    The entire problem I have with how VISA has mandated the PCI standards is only part of reality is in the picture. VISA and the people behind PCI standards are not taking into account a large number of factors; and they are certainly not taking into account the large financial costs to small businesses.

    We know a lot of small ecommerce businesses that operate with OsCommerce and other open source or small-business priced carts who will find themselves under heavy financial pressure as phase 5 of PA DSS gets closer.

    In a down economy where most Internet-facing businesses are looking to either lower price or maintain their prices, there’s not a lot of room to charge more just to cover all of the PCI, PA-DSS nonsense which a lot has absolutely zero to do with increasing the overall security of credit cards on the Net.

    Thank you.

  17. #17
    Why would your website builder be on the same server as your credit card processing?

  18. #18
    Quote Originally Posted by crazylane View Post
    Why would your website builder be on the same server as your credit card processing?
    dynamicnet, this is about what I was going to say. The long answer that goes along with this is that whatever you have in your PCI environment is in scope for your PCI compliance. The best thing to do is remove any non-cardholder applications from your PCI environment and reduce your scope as much as possible.

    Regarding the answers you are unhappy with, think of it this way. All PCI cares about is protection of cardholder data; all other security is incidental and irrelevant. If there is an insecure application in your PCI environment that may possibly have the potential to have access to cardholder data, you are non-compliant. Your PCI ASV scan does not know the program or how it operates, it only sees an insecurity as defined by the PCI requirements.

    As per the PCI requirements you are also required to run internal and external penetration tests. That will help further detail what the vulnerabilities are and gives you an idea of what needs to be fixed.

  19. #19
    Greetings zendzipr:

    Quote Originally Posted by zendzipr View Post
    All PCI cares about is protection of cardholder data; all other security is incidental and irrelevant. If there is an insecure application in your PCI environment that may possibly have the potential to have access to cardholder data, you are non-compliant.
    For me, here's the issue.

    The operating system was found to have no vulnerabilities.

    The applications on the server were found to have no vulnerabilities.

    From a pure security standpoint, there were no insecure issues.

    When I talked to human beings at the bank (so please leave out the automation part) as well as the authorized scanning vendor, not a single soul could share how a site design application with zero vulnerabilities on an operating system with zero vulnerabilities could access credit card data.

    And we even went through scenarios of same user id and passwords for the site builder software and the automation system, and they still could not get at credit card data.

    Therefore, credit card data was safe and protected, but they stood by their rhetoric.

    Now, getting back to PA DSS, what I fail to understand is that if the applications involved do not have any vulnerabilities per CERT, Secunia, and other recognized security teams (whose experience far surpasses that of VISA's PCI compliance people from what I can tell), and there are no operating system vulnerabilities, AND the server(s) involved pass current PCI compliance scans, of what additional value is PA DSS in the protection of credit card data?

    Would not passing a PCI compliance scan along with zero vulnerable applications and zero vulnerable operating system issues be enough?

    Thank you.

  20. #20
    Quote Originally Posted by dynamicnet View Post
    The operating system was found to have no vulnerabilities.
    How was it found to have no vulnerabilities? What testing was performed and using what methods?

    Quote Originally Posted by dynamicnet View Post
    The applications on the server were found to have no vulnerabilities.
    According to your previous statement, this is incorrect, you have an application in your PCI environment that does not use secure logins.

    Quote Originally Posted by dynamicnet View Post
    From a pure security standpoint, there was no insecure issues.
    See my last statement

    Quote Originally Posted by dynamicnet View Post
    When I talked to human beings at the bank (so please leave out the automation part) as well as the authorized scanning vendor, not a single soul could share how a site design application with zero vulnerabilities on an operating system with zero vulnerabilities could access credit card data.
    BTW, it's "Approved Scanning Vendor". I already explained it. Read my last post to you. Simply put, you have an insecurity in your PCI environment. Read the PCI DSS in full. Are you a type 5 merchant? If so, there are over 200 line items on the DSS that you must go through other than the scan. The scan is but one of the items and does not say you are compliant if it's clean, only that you did not have any known vulnerabilities, which you did have. What were the results of your penetration test?

    BTW, banks are clueless with regards to PCI. If you want real answers, I recommend consulting with a QSA who is well schooled on what it takes to be PCI compliant. Bankers understand money, not compliance or networking.

    Quote Originally Posted by dynamicnet View Post
    Now, getting back to PA DSS, what I fail to understand is that if the applications involved do not have any vulnerabilities per CERT, Secunia, and other recognized security teams (whose experience far surpasses that of VISA's PCI compliance people from what I can tell), and there are no operating system vulnerabilities, AND the server(s) involved pass current PCI compliance scans, of what additional value is PA DSS in the protection of credit card data?
    Secunia does not test all software; they receive reports from others and publish. While it is a good source, it is not safe to say software is secure because it is not in Secunia. What certifications does the software have, what code reviews has it undergone, what does Nessus say about it, what did your penetration tester see when he looked at it?

    I still fail to understand why you would have any software other than your payment application in your PCI environment. All you are doing is creating additional variables and more things to be dealt with for PCI. Just move your sitebuilder onto a different server and network and remove it from your PCI environment. Or if you cannot or are unwilling to move it, fix it.

    Quote Originally Posted by dynamicnet View Post
    Would not passing a PCI compliance scan along with zero vulnerable applications and zero vulnerable operating system issues be enough?
    Still not sure how you determined your operating system or other applications have no vulnerabilities.

    Look, I could go on and on here but this is a clear cut issue. You have an insecurity in your PCI environment. You have several options: ignore it and lie on your SAQ, fix the problem by changing the code to require SSL logins, or move the application from your PCI environment. Stop looking for complex answers where there are only simple ones. You have an insecurity, fix it.

  21. #21
    Greetings:

    1. Prior to the removal of the site builder application, not a single soul at securitymetrics or the bank could explain why just the issue of SSL had anything at all to do with allowing a hacker to get data.

    What they went through is as follows:

    * Well, we might be able to conduct a man in the middle attack -- key word is "might."

    * In time, we should be able to break in -- key words are "in time."

    When told that I would give them login credentials to save them the "in time" and the "might," and asked them now what, they then stated they could deface the site.

    And then I asked what in the world that had to do with protecting credit card data, and then they went "oops" as their minds were in the wrong direction again, and then stated customers might use the same login credentials all over the place -- key word again is "might."

    I stated, so what if they are? Well, then the attacker could log into the automation software. I offered them the logins to save the "might" and the "in time" part, and now stated, go for it.

    And they still had zero access to credit card data as the hosting automation technology does not allow credit card changes or updates -- only delete and add.


    2. Now the completely unanswered PA DSS question.

    A. Site builder software removed (it is not an issue; not that it was because not a single soul could answer how it can be directly or indirectly used to get a credit card data).

    B. SecurityMetrics found zero application and operating system vulnerabilities.

    C. We take patching seriously, and we have no application or operating system vulnerabilities per cert.org, secunia.com, sans.org, etc. (not in them scanning, but in the receipt of what they state has vulnerabilities and our proactive measures to take care of them quickly).

    D. All logins are behind HTTPS/SSL.

    E. We have HIDS/IDS et al in place.

    F. SecurityMetrics scan came up with zero (0) risk (it could not have been a more clean scan).

    Now, given the above what does PA DSS add given securitymetrics.com PCI compliance scan found zero wrong with the application(s) on the server?

    Thank you.
    Last edited by pmabraham; 06-24-2009 at 05:02 PM.

  22. #22
    Greetings:

    "You have an insecurity in your PCI environment."

    That is a statement of assumption.

    If the PCI compliance scanning vendor or the bank cannot provide a concrete answer as to how a site design software application could get at credit card data that doesn't mean there is an insecurity.

    It just means that some one has to budge; we did by removing the site builder application.

    Thank you.

  23. #23
    A PCI scan would not be able to reveal flaws internally within a payment application, like whether the application stores data securely, how cardholder data is processed, etc. PA-DSS is to help software vendors and others develop secure payment applications.

  24. #24
    Quote Originally Posted by dynamicnet View Post
    "You have an insecurity in your PCI environment."

    That is a statement of assumption.
    No, it was applied to your statement in your first post: no SSL = insecure.

    Quote Originally Posted by dynamicnet View Post
    not to work with SSL; why is only for them to answer

    Quote Originally Posted by dynamicnet View Post
    If the PCI compliance scanning vendor or the bank cannot provide a concrete answer as to how a site design software application could get at credit card data that doesn't mean there is an insecurity.
    It is not the bank's job to answer your PCI questions, or for you to like the ones they give you. If you want technical questions of that level answered, you need to hire a QSA. Now that you mention SecurityMetrics, I will make another assumption that you got the scans for free from your merchant account provider. Security specialists charge in excess of $200 per hour for a reason, and quality scanning with support, while affordable, is not cheap.

    Quote Originally Posted by dynamicnet View Post
    It just means that some one has to budge; we did by removing the site builder application.
    You did the right thing, I cannot for one second understand why anyone would want anything but a payment application in their PCI environment anyway.
    ZZ Servers - Business Hosting, HIPAA and PCI Compliant Hosting Solutions - http://www.zzservers.com
    Xen Virtual Private Servers | Dedicated Servers | Shared Hosting
    Custom configurations, firewall, VPN, load balancers, private networks and more.

  25. #25
    Join Date
    Dec 2007
    Posts
    1,277
    zendzipr, you should run your own forum, you appear to takeover every PCI thread on here.

    The truth is this will only hurt small business. Posting links to Blesta? Blesta? What is Blesta? Anyone look at this software? If it is compliant then that's the only thing it has going for it, because it appears to be useless other than that.

    The fact is large businesses failing hurts small business. I worked for a Sears store back in 2002 and we stored all the day's credit card transactions (full name, numbers, etc.) in printed-out forms, and any employee had access to them on their insecure intranet.

    I even pointed out things to our boss regarding how insecure the intranet was and nobody cared, other than looking at me as a 'hacker'.

    When you look at how reckless the big companies are when they fail nothing happens to them but when a little guy does something it's all over.

    Not to mention the cost involved in keeping up with all of this. I'm sure no merchant in their right mind would store credit card information (all the information) in a database accessible by virtually every Sears employee. I also doubt that they would print out full credit card information and leave it on their desk for anyone to view.

    Did I mention we also didn't have a shredder so everything was just tossed in the dumpster?

    This is how large companies have always conducted themselves and now it's hurting everyone.

    Although none of the major billing platforms that most webhosts use appear to be "PCI compliant" at the moment, they do all usually contain security protocols that do more for their customers than companies like Sears and TJ Maxx.
    James Paul Woods
    Operations Manager
    HostKitty Internet Services

  26. #26
    Join Date
    May 2003
    Location
    California, USA, Earth
    Posts
    1,049
    Quote Originally Posted by woods01 View Post
    The truth is this will only hurt small business. Posting links to Blesta? Blesta, what is Blesta. Anyone look at this software? If it is compliant then that's the only thing it has going for it because it appears to be useless other then that.
    You say you've never heard of Blesta, and then in the next line you call it useless? Absurd. Our customers don't think it's useless and I don't think you should be making reckless comments like that.
    Blesta - Professional Billing Software
    Innovation that benefits the user experience
    Trial - Demo | 866.478.7567 | Twitter @blesta

  27. #27
    Greetings:

    "No, it was applied to your statement in you first post, no SSL = insecure."

    By your definition. Working from the system admin side, insecure = unpatched, weak passwords, etc.

    "Now that you mention securitymetrics, I will make another assumption that you got the scans for free from your merchant account provider."

    Bad assumption; we paid directly to securitymetrics.

    "Security specialists charge in excess of $200 per hour for a reason and quality scanning with support while affordable is not cheap."

    So I would get charged for them to give me the same run around?

    I.e. how would a hacker be able to use site design software that has zero vulnerabilities, on an operating system with zero vulnerabilities, to actually touch credit card data?

    "You did the right thing, I cannot for one second understand why anyone would want anything but a payment application in their PCI environment anyway."

    We were forced to do something for which no one could explain.

    In the perfect world, yes, every application would be on its own physical server, but that's not economical for small businesses.

    Furthermore, take for example H-Sphere, which allows the separation of logical services onto their own physical servers: that automation technology still has some pieces (design software, for example) that must operate on the same server as the main automation (which touches the cards).

    Now, in our case we turned off Site Studio et al.

    ###

    "A PCI Scan would not be able to reveal flaws internally within an payment application like, does the application store data securely, how is cardholder data processed,etc. PA-DSS is to help software vendors and others develop secure payment applications."

    That's where I made the comment of cert.org, secunia.com, sans.org etc.

    While there is always the possibility of undisclosed security-related vulnerabilities, those agencies and the people feeding information into them typically are on top of things.

    And therefore, if the application is fully patched running on a fully patched operating system, and a PCI scan (securitymetrics for example scans for over 4,400 vulnerabilities) comes up clean, then what is PA DSS really doing?

    ##

    NOTES:

    Just to be listed on VISA's site as being PA DSS compliant requires the application author/vendor to pay an annual $1,250 fee.

    Just to be heard (no guarantee to be listened to) on the PCI Council requires a yearly fee of $2,500.

    Application authors/vendors seeking PA DSS certification can expect to pay anywhere from $20,000 to $200,000; and such certification is only for the version tested.

    Does anyone know how new versions are handled? A redo of $20,000 to $200,000 per version or just the gaps? If the gaps, how many thousands of dollars does that run?

    Merchants are paying anywhere from $100 to several hundred per quarter or per year (it varies a lot by PCI scan vendor) for PCI scanning.

    What part of PCI compliance is not a money game?

    And given our poor economy, I'm surprised that a lot more hosting providers and merchants are not taking this to their state and federal representatives in terms of taking innovation out of the Internet, having the potential to kill off open source ecommerce, and putting a huge dent into small to medium businesses that create the most jobs et al.

    Thank you.

    P.S. zendzipr I do appreciate your time, your posts, your knowledge, etc. I would ask to cut down on assumptions, and try not to write in a condescending way. I believe you have a lot to share, but all of us are learning --- all of us.
    ---
    Peter M. Abraham
    LinkedIn Profile
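Post #23 above says an external PCI scan cannot see how a payment application handles cardholder data internally, and post #27 asks what PA-DSS adds when the host and application are fully patched and the scan is clean. The following is an added example, not code from any poster or from any product named in the thread. It shows, in Python, the class of flaw PA-DSS is aimed at: a storage routine that persists the full PAN and the CVV2 (PA-DSS requirement 1 forbids retaining the card validation code after authorisation, and requirement 2 requires stored PANs to be masked when displayed and unreadable at rest), next to a hardened version that keeps only a masked PAN plus a keyed hash for correlating transactions. Neither version opens a port, uses an unpatched library, or has a CVE, so a network vulnerability scan would report both as clean; only a review of the application's own data handling, which is what a PA-DSS assessment does, tells them apart. The transaction, the function names and the `index_key` key-management arrangement are constructed for the example; the PAN is the well-known Luhn-valid test number, not a real card.

```python
"""Added example: a data-at-rest flaw an ASV network scan cannot see, and its fix."""
import base64
import hashlib
import hmac
import json
import re
import secrets

# Constructed sample authorisation request, as a payment application might receive it.
SAMPLE_TXN = {
    "order_id": "A1001",
    "pan": "4111111111111111",   # Luhn-valid test PAN, not a real card
    "expiry": "12/27",
    "cvv2": "123",
    "amount": "19.99",
}


def luhn_ok(pan):
    """Standard Luhn check digit validation over a string of digits."""
    checksum = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


def record_vulnerable(txn):
    """'Before': persists the whole request as received, full PAN and CVV2 included.
    This is the retention flaw PA-DSS requirements 1 and 2 are written against; the
    host can be fully patched and this still ships cardholder data to disk in clear."""
    return json.dumps(txn)


def mask_pan(pan):
    """Display form of a PAN: first six and last four digits, the rest masked."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def record_hardened(txn, index_key):
    """'After': keeps only what reconciliation needs. CVV2 is never persisted; the PAN
    is stored masked plus an HMAC so repeat transactions on one card can be correlated
    without the PAN itself. index_key is an assumed secret held outside the database
    (hypothetical key management, not a prescription for a real deployment)."""
    pan = txn["pan"]
    if not re.fullmatch(r"\d{13,19}", pan) or not luhn_ok(pan):
        raise ValueError("malformed PAN")
    digest = hmac.new(index_key, pan.encode(), hashlib.sha256).digest()
    rec = {
        "order_id": txn["order_id"],
        "pan_masked": mask_pan(pan),
        "pan_hash": base64.b64encode(digest).decode(),
        "expiry": txn["expiry"],
        "amount": txn["amount"],
    }
    return json.dumps(rec)


# 13 to 19 digit runs not embedded in a longer digit string.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def find_card_data(text):
    """Scan stored or logged text for full PANs (Luhn-valid digit runs) and for a cvv2
    field: the kind of data-at-rest check an application assessment makes and a
    network scan does not."""
    pans = [m for m in PAN_RE.findall(text) if luhn_ok(m)]
    return {"full_pans": pans, "cvv2_present": '"cvv2"' in text}


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    print("vulnerable:", find_card_data(record_vulnerable(SAMPLE_TXN)))
    print("hardened:  ", find_card_data(record_hardened(SAMPLE_TXN, key)))
```

Run as-is, the scan of the vulnerable record finds the full PAN and the CVV2 field, and the scan of the hardened record finds neither; the network-facing behaviour of a server running either routine is identical, which is the gap between an ASV scan and a PA-DSS assessment that post #23 describes.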

  28. #28
    Quote Originally Posted by woods01 View Post
    zendzipr, you should run your own forum, you appear to takeover every PCI thread on here.
    Come on, the man must know what he's talking about, as he is offering PCI Compliant Hosting Solutions after all.

    Quote Originally Posted by woods01 View Post

    Although none of the major billing platforms that most webhosts use appear to be "PCI compliant" at the moment, they do all usually contain security protocols that do more for their customers than companies like Sears and TJ Maxx.
    I think this has something to do with Sears/TJ Maxx thinking, wait, a $50 million fine for a breach? Mwhahaha, pocket change.

    Once again, only hurting the underdogs, effectively shutting out open-source, and killing smaller service providers who cannot keep up. Anyone know who put together the board that decided on what it took to become PCI compliant? I'm sure if we tracked their origins back, we would see some hookups at the big companies.
    Last edited by AquariusStorage; 06-26-2009 at 12:23 PM.

  29. #29
    Greetings:

    "Once again, only hurting the underdogs, effectively shutting out open-source, and killing smaller service providers who cannot keep up."

    That's our feelings. I don't see PA DSS certification for Internet applications adding a lot of value for the costs involved.

    If anything, it will cause far more harm, especially in our current economic crisis, than any good it will bring.

    Thank you.
    ---
    Peter M. Abraham
    LinkedIn Profile

  30. #30
    Join Date
    Aug 2005
    Posts
    521
    Quote Originally Posted by JohnCrowley View Post
    This is not entirely true. If a merchant customizes the software at all, then they can assume the responsibility of ensuring that custom software is PA-DSS compliant
    This may not be entirely true, you may or will be treated as a level 1 merchant.

  31. #31
    Greetings John:

    Quote Originally Posted by JohnCrowley View Post
    If a merchant customizes the software at all, then they can assume the responsibility of ensuring that custom software is PA-DSS compliant (as it falls under the custom software for a single company's use). The open source software makers do not have to go through an official mega-bucks audit, as it can be custom software for each merchant.
    - John C.
    In what part of the form / questionnaire can you deal with open source / customized software?

    Thank you.
    ---
    Peter M. Abraham
    LinkedIn Profile
