Know who to hire to help fix PCI compliance issues on a client's website?

8 replies
Hi there,
I have a client that keeps getting fined monthly for being in violation of PCI Compliance Issues according to SecurityMetrics.com. I would like to find someone to hire to help fix these issues. Any suggestions?

The violations I am having problems fixing are in regards to cross-site scripting and weak/medium strength ciphers. Results from the test say:

4 Possible cross site scripting on ...[website address here]... Use the following commands to verify this: wp --inject.....[site links here]...This website may have other injection related vulnerabilities. [More]

4 Synopsis : The remote service supports the use of weak SSL ciphers. Description : The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all. Note: This is considerably easier to exploit if the attacker is on the same physical network.


Thank you for any support or leads, it's much appreciated.

Chelsea
  • SteveJohnson
    Your client isn't by some chance running ZenCart, are they?

    As for the remote host supporting weak encryption, that's something you're going to have to take up with the hosting company.

    Securitymetrics has a track record of reporting false positives in certain areas and refusing to back down or admit the possibilities of their algorithms being faulty. You may be in for a headache.

    The 2nd Amendment, 1789 - The Original Homeland Security.

    Gun control means never having to say, "I missed you."

  • KirkMcD
    What is the fine?
    We are being fined $50 per month for being out of compliance. It's cheaper for us to pay the fine than to hire someone to fix the problems.
    • SteveJohnson
      Originally Posted by KirkMcD:
      > What is the fine?
      > We are being fined $50 per month for being out of compliance. It's cheaper for us to pay the fine than to hire someone to fix the problems.
      Bingo...

      IMO, it's just another profit stream for the provider.
      • jminkler
        Originally Posted by SteveJohnson:
        > Bingo...
        >
        > IMO, it's just another profit stream for the provider.
        ? these are easy fixes
        • SteveJohnson
          Originally Posted by jminkler:
          > ? these are easy fixes
          Yeah, they are. But securitymetrics doesn't always acknowledge the fix. I had a client that finally switched providers because of them. Thankfully it was another company handling their cart system, but they about went nuts. I don't know the details completely, but something about blind SQL injection on dynamically generated product pages, which totally wasn't possible. But again, I don't know the specifics.
    • jminkler
      Originally Posted by KirkMcD:
      > What is the fine?
      > We are being fined $50 per month for being out of compliance. It's cheaper for us to pay the fine than to hire someone to fix the problems.
      You could give me the $50 a month for as long as you have been paying it instead ..
  • jminkler
    Originally Posted by Tech Diva:
    > 4 Possible cross site scripting on ...[website address here]... Use the following commands to verify this: wp --inject.....[site links here]...This website may have other injection related vulnerabilities. [More]
    So the site probably has some form or something, where the user enters in some "text" but instead they enter in JavaScript and it shows up on the page ..

    or .. a malicious user can just directly insert JS from the address bar because of poorly coded sites.

    These are fairly easy to spot and fix.

    And if they are running IIS, then this should fix the other problem:
    http://www.curtis-lamasters.com/2008...-weak-ciphers/

    And for Apache:
    http://httpd.apache.org/docs/2.2/ssl...tml#onlystrong
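An added illustration of the reflected-input problem jminkler describes (example code written for this thread, not code from the asker's site or from any of the posters): a constructed search-results page is rendered once the way the scanner flags it, with visitor text pasted into the HTML untouched, and once with the text escaped for each place it lands (between tags, inside an attribute value, inside a URL). The query string, page template and function names are all hypothetical.

```python
import html
from urllib.parse import parse_qs, quote

# Constructed sample input: what a visitor typed into a "search" form, or pasted
# straight into the address bar as ?q=...&ref=... (hypothetical, not from the scan).
RAW_QUERY = "q=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&ref=x%22+onmouseover%3D%22alert%282%29"

# Hypothetical page template: the same visitor text lands in three different contexts.
PAGE = ('<form><input name="q" value="{q_attr}"></form>'
        '<p>Results for {q_body}</p>'
        '<a href="/?ref={ref_url}">back</a>')


def parse_params(query_string):
    """Return single-valued query parameters as a dict (first value wins)."""
    parsed = parse_qs(query_string, keep_blank_values=True)
    return {name: values[0] for name, values in parsed.items()}


def render_vulnerable(params):
    """The pattern the scanner reports: input is interpolated verbatim, so a
    '<script>' tag in q becomes live script and a quote in ref breaks out of
    the href attribute and adds an event handler."""
    q = params.get("q", "")
    return PAGE.format(q_attr=q, q_body=q, ref_url=params.get("ref", ""))


def render_hardened(params):
    """Same page, but each value is encoded for the context it is written into."""
    q = params.get("q", "")
    ref = params.get("ref", "")
    q_body = html.escape(q, quote=False)           # text between tags: < > &
    q_attr = html.escape(q, quote=True)            # attribute value: also " and '
    ref_url = html.escape(quote(ref, safe=""))     # URL parameter: percent-encode, then
    return PAGE.format(q_attr=q_attr, q_body=q_body, ref_url=ref_url)  # HTML-escape


def reflects_markup(page_html):
    """Crude detection check: did raw tag or attribute syntax from the input survive?"""
    return "<script>" in page_html or 'onmouseover="' in page_html
```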
  • none
    Tech Diva,

    I realize that this issue is likely long-resolved, but you might like to know about PCIHost.com --- There's a free consultation to determine the most cost-effective manner in which to bring non-compliant merchants into compliance.

    Worth a shot for anyone trying to work out the specifics and cut their costs.