
Help a Reader: PCI Edition

By David Mortman

One of our readers recently emailed me with a major dilemma. They need to keep their website PCI compliant in order to keep using their payment gateway to process credit card transactions. Their PCI scanner is telling them they have vulnerabilities, while their hosting provider tells them they are fine. Meanwhile our reader is caught in the middle, paying fines.

I don’t dare to use my business e-mail address, because it would disclose my business name. I have been battling with my website host and security vendor concerning the Non-PCI Compliance of my website. It is actually my host’s IP address that is being scanned and for several months it has had ONE Critical and at least SIX High Risk scan results. This has caused my Payment Gateway provider to start penalizing me $XXXX per month for Non-PCI compliance. I wonder how long they will even keep me. When I contact my host, they say their system is in compliance. My security vendor is saying they are not. They are each saying I have to resolve the problem, although I am in the middle. Is there not a review board that can resolve this issue? I can’t do anything with my host’s system, and don’t know enough gibberish to even interpret the scan results. I have just been sending them to my host for the last several months.

There is no way that this could be the first or last time this has happened, or will happen, to someone in this situation. This sort of thing is bound to come up in compliance situations where the customer doesn’t own the underlying infrastructure, whether it’s a traditional hosted offering, an ASP, or the cloud. How do you recommend the reader – or anyone else stuck in this situation – should proceed? How would you manage being stuck between two rocks and a hard place?

Comments

@Maritz:

If your client is completely passing off the entire credit card transaction to a third party such that no sensitive cardholder data is touching their environment, I believe they can make the case that the e-commerce site is out of scope for PCI, including scanning. It may be different in the UK from the US. To qualify as segregated in this way, the customer has to enter their cardholder data into a page hosted at the third party site. Your client will be on the hook to document that the third party provider is PCI compliant.

If your client can prove that they’re running Apache and PHP at patch levels that are not vulnerable to the threats posed by the reported Apache version, the ASV should document this as a false positive. If by “the bank,” you mean your client’s acquirer, then your client’s quarrel isn’t with the ASV but with the acquirer. They’re on the hook if your client is noncompliant; they’re the people with the final say on whether to accept your client’s practices as compliant.

Your client should also be pushing back on their vendor to support compliant versions of Apache, and shopping for alternate vendors if the current vendor won’t do it.

By Dan Holzman-Tweed


We have issues here in the UK with ASVs and banks being particularly unreasonable when it comes to PCI compliance.

A Tier-3 client of mine uses a very popular open-source e-commerce platform which is PCI compliant. An ASV scan of the client’s e-commerce site detected that the PHP and Apache versions are out of date (based on the banners returned to the scanning software by the server), and therefore their site is not PCI compliant.

In this case there are some mitigating factors though, which the bank or the ASV are choosing to ignore, resulting in a fine of

By Maritz


If the vulnerabilities are present, then rather than just focus on compliance, you also need to consider the risk of those vulnerabilities being exploited and your potential liability for knowingly operating in such a manner.

Also bear in mind that one of the goals of PCI is to prevent unauthorised access by such entities as third-party hosting providers. Simply put, do you trust the employees at your hosting provider not to be exploiting the vulnerabilities that they have been informed about?

By Gary


If your hosting provider asserts that the ASV has identified a false positive, the ASV should confirm the existence of the vulnerability—false positives do happen. If the ASV has presented you proof of the vulnerability, it is incumbent on the hosting provider to refute the proof. Your leverage on the hosting provider is their contractual obligation to be PCI compliant.

By Dan Holzman-Tweed


Doesn’t VISA now require that all PCI Merchants use PCI Approved Service Providers? If they have a website at an ISP that “process, stores or transmits” credit card transactions on behalf of a merchant then that ISP has to be an approved service provider, right?

http://usa.visa.com/merchants/risk_management/cisp_service_providers.html

I’d consider contacting the QSA that does the ISP’s annual onsite.

Mark

By Mark Baggett


Requirement 12.8 of the PCI DSS includes specific requirements for managing your relationship with third parties you share your customer’s credit cardholder data with. This includes having contract stipulations requiring PCI compliance. In addition, your contract should specify responsibilities for each of the relevant compliance requirements. I’m not familiar with the boundaries of your hosting relationship - these can span from basic colocation agreements to full outsourcing arrangements - so I won’t presume who’s responsible for the vulnerabilities. If you are responsible for the vulnerabilities listed because they’re not included as part of the services in your arrangement, then you could be out of luck and need to fix the issue yourself (or hire someone to help).
If the provider is responsible, you need to review your contract terms and determine what the indemnity terms are for your damages (i.e., fines). 
IMO, I’m surprised your hosting provider hasn’t offered to help fix the issues, even if they’re not contractually obligated.

By Brian


A few things…
1) What does the contract with the hosting provider say?
2) Have they engaged their lawyer?
3) What does the contract with the payment gateway say? Does it include provisions for remediation, fines, etc.?

Oftentimes, a well-written letter from your lawyer pointing out breach of contract can get the ball rolling. Lawyers should have been engaged the minute a fine was assessed by the payment gateway service, especially since there’s a dispute.

Also, have the findings been vetted? Who’s running the scan? Are these potentially false positives based on system self-reported versions that may or may not be accurate?

Ultimately, as others have said, a conference call is necessary and will hopefully resolve things quickly, but with the caveat that the reader should have as much legal leverage as possible (contracts) to make people do what is required. fwiw.

By Ben

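Both Maritz’s and Ben’s comments above turn on the same point: an ASV flagging Apache and PHP as out of date from the version banner alone. The Python below is an added example, not code from the post or any commenter; it assumes constructed sample values (a Server header and package versions in Debian’s upstream-revision style) and shows why a banner-only finding should be routed for verification rather than accepted or disputed on the banner alone.

```python
import re

# Constructed sample inputs (not from the page): the Server header an ASV
# scanner sees, and what the host's package manager reports for the same box.
SAMPLE_SERVER_HEADER = "Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9"
SAMPLE_PACKAGE_VERSIONS = {          # e.g. from `dpkg -l apache2 php5`
    "apache2": "2.2.9-10+lenny9",
    "php5": "5.2.6.dfsg.1-1+lenny9",
}
# Assumed mapping from banner product name to distro package name.
PRODUCT_TO_PACKAGE = {"Apache": "apache2", "PHP": "php5"}

BANNER_RE = re.compile(r"(Apache|PHP)/(\d+\.\d+\.\d+)")


def parse_banner(server_header):
    """Return {product: upstream_version}, as a banner-based scanner would."""
    return {m.group(1): m.group(2) for m in BANNER_RE.finditer(server_header)}


def split_package_version(pkg_version):
    """Split a Debian-style version into (upstream, distro_revision).
    '2.2.9-10+lenny9' -> ('2.2.9', '10+lenny9'); a bare '2.2.11' has no
    revision, i.e. no distro patching on top of upstream."""
    upstream, _, revision = pkg_version.partition("-")
    upstream = re.match(r"\d+\.\d+\.\d+", upstream).group(0)
    return upstream, revision


def classify_finding(banner_version, pkg_version):
    """Triage one 'outdated version' finding raised from a banner.
    The banner carries only the upstream number; a distro revision means
    backported fixes may be present that the banner cannot show, so the
    finding is sent for verification against the distro's advisories."""
    upstream, revision = split_package_version(pkg_version)
    if upstream != banner_version:
        return "banner does not match installed package; investigate host"
    if revision:
        return "banner-only finding; verify backported fixes via distro advisory"
    return "unpatched upstream version; finding likely valid"


def triage_scan(server_header, package_versions):
    """Map every product named in the banner to a triage decision."""
    return {
        product: classify_finding(ver, package_versions[PRODUCT_TO_PACKAGE[product]])
        for product, ver in parse_banner(server_header).items()
    }
```

The decision strings are what you would hand the ASV and the host together: either party can then argue from the installed package and the distro advisory instead of from the banner.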

Startling, I know, but I have a different opinion on who likely needs to be fired. 

I’ve seen enough low-end “security vendors” to know that the scans can be complete BS and the scanner operators may only be working there because McDonald’s wasn’t hiring. Part of my problem with PCI is the lack of actual regulation of who gets blessed with the sacred letters ASV and QSA.

That’s the reason for the call, get the hosting company and “security vendor” on the line, discuss the problem rationally, and see which provider is really the problem.

By Jack Daniel


This is a completely suckish position to be in and the reader has my condolences.

The only way I’ve seen to fix this is to arrange a conference call where the hosting provider and the scanning vendor are both on.  As the customer of each I facilitate the call and get them to hash this out so that, at the end of the day, there is consensus on what is really happening.  Based on that consensus you can come up with an action plan.

If that fails your only real choice is to move hosting providers…  Sad, but true.

By Armorguy


At the risk of being master of the obvious, the reader needs to find a new hosting provider ASAP. Whatever switching costs would be involved should be offset by not paying fines to the payment gateway.

Clearly the web hosting company doesn’t understand security and wants the problem to just go away. And IMO that’s unacceptable. There are thousands of hosting companies out there; there is no reason to be held captive by an organization that doesn’t get it.

Mike.

By Mike Rothman

