One of our readers recently emailed me with a major dilemma. They need to keep their website PCI compliant in order to keep using their payment gateway to process credit card transactions. Their PCI scanner is telling them they have vulnerabilities, while their hosting provider tells them they are fine. Meanwhile our reader is caught in the middle, paying fines.
I don’t dare to use my business e-mail address, because it would disclose my business name. I have been battling with my website host and security vendor concerning the Non-PCI Compliance of my website. It is actually my host’s IP address that is being scanned and for several months it has had ONE Critical and at least SIX High Risk scan results. This has caused my Payment Gateway provider to start penalizing me $XXXX per month for Non-PCI compliance. I wonder how long they will even keep me. When I contact my host, they say their system is in compliance. My security vendor is saying they are not. They are each saying I have to resolve the problem, although I am in the middle. Is there not a review board that can resolve this issue? I can’t do anything with my host’s system, and don’t know enough gibberish to even interpret the scan results. I have just been sending them to my host for the last several months.
There is no way that this could be the first or last time this has happened, or will happen, to someone in this situation. This sort of thing is bound to come up in compliance situations where the customer doesn’t own the underlying infrastructure, whether it’s a traditional hosted offering, an ASP, or the cloud. How do you recommend the reader – or anyone else stuck in this situation – should proceed? How would you manage being stuck between two rocks and a hard place?
12 Replies to “Help a Reader: PCI Edition”
If the vulnerabilities are present, then rather than just focus on compliance, you also need to consider the risk of those vulnerabilities being exploited and your potential liability for knowingly operating in such a manner.
Also bear in mind that one of the goals of PCI is to prevent unauthorised access by such entities as third-party hosting providers. Simply put, do you trust the employees at your hosting provider not to be exploiting the vulnerabilities that they have been informed about?
If your hosting provider asserts that the ASV has identified a false positive, the ASV should confirm the existence of the vulnerability — false positives do happen. If the ASV has presented you proof of the vulnerability, it is incumbent on the hosting provider to refute the proof. Your leverage on the hosting provider is their contractual obligation to be PCI compliant.
Doesn’t VISA now require that all PCI Merchants use PCI Approved Service Providers? If they have a website at an ISP that “processes, stores or transmits” credit card transactions on behalf of a merchant, then that ISP has to be an approved service provider, right?
http://usa.visa.com/merchants/risk_management/cisp_service_providers.html
I’d consider contacting the QSA that does the ISP’s annual onsite.
Mark
Requirement 12.8 of the PCI DSS includes specific requirements for managing your relationship with third parties with whom you share your customers’ credit cardholder data. This includes having contract stipulations requiring PCI compliance. In addition, your contract should specify responsibilities for each of the relevant compliance requirements. I’m not familiar with the boundaries of your hosting relationship – these can span from basic colocation agreements to full outsourcing arrangements – so I won’t presume who’s responsible for the vulnerabilities. If you are responsible for the vulnerabilities listed because they’re not included as part of the services in your arrangement, then you could be out of luck and need to fix the issue yourself (or hire someone to help).
If the provider is responsible, you need to review your contract terms and determine what the indemnity terms are for your damages (i.e., fines).
IMO, I’m surprised your hosting provider hasn’t offered to help fix the issues, even if they’re not contractually obligated.
A few things…
1) What does the contract with the hosting provider say?
2) Have they engaged their lawyer?
3) What does the contract with the payment gateway say? Does it include provisions for remediation, fines, etc.?
Oftentimes, a well-written letter from your lawyer pointing out breach of contract can get the ball rolling. Lawyers should have been engaged the minute a fine was assessed by the payment gateway service, especially since there’s a dispute.
Also, have the findings been vetted? Who’s running the scan? Are these potentially false positives based on system self-reported versions that may or may not be accurate?
Ultimately, as others have said, a conference call is necessary and will hopefully resolve things quickly, but with the caveat that the reader should have as much legal leverage as possible (contracts) to make people do what is required. fwiw.
Startling, I know, but I have a different opinion on who likely needs to be fired.
I’ve seen enough low-end “security vendors” to know that the scans can be complete BS and the scanner operators may only be working there because McDonald’s wasn’t hiring. Part of my problem with PCI is the lack of actual regulation of who gets blessed with the sacred letters ASV and QSA.
That’s the reason for the call: get the hosting company and “security vendor” on the line, discuss the problem rationally, and see which provider is really the problem.
This is a completely suckish position to be in and the reader has my condolences.
The only way I’ve seen to fix this is to arrange a conference call where the hosting provider and the scanning vendor are both on. As the customer of each I facilitate the call and get them to hash this out so that, at the end of the day, there is consensus on what is really happening. Based on that consensus you can come up with an action plan.
If that fails your only real choice is to move hosting providers… Sad, but true.
At the risk of being master of the obvious, the reader needs to find a new hosting provider ASAP. Whatever switching costs would be involved should be offset by not paying fines to the payment gateway.
Clearly the web hosting company doesn’t understand security and wants the problem to just go away. And IMO that’s unacceptable. There are thousands of hosting companies out there; there is no reason to be held captive by an organization that doesn’t get it.
Mike.
Since both the hosting company and security vendor seem intransigent, it is a long shot… but arrange a three-way call between the parties involved to explain and discuss the issues. After the call you’ll either have a solution, or know who to fire as a vendor.
I will go out on a limb and guess that both the hosting company and QSA service were selected based largely on low price. This kind of stuff is where those upfront savings go up in flames.
Unluckily, there isn’t a third party you can appeal to, at least as far as I know. My suggestion would be to get both your Approved Scanning Vendor and your hosting provider on the same phone call and have the ASV explain in detail to the hosting provider the specifics of the vulnerabilities that have been found on the host. Your hosting provider may be scanning your site with a different ASV or not at all and receiving different information than you’re seeing. Or it may be that they’re in compliance and that your ASV is generating false positives in your report. Either way, it’s going to be far easier for them to communicate directly at a technical level than for you to try and act as an intermediary between the two.
I’d also politely point out to your host that their lack of communication is costing you money and if it continues you may have to take your business elsewhere. If they’re not willing to support you, you should continue to pay them money. Explore your contract; you may have the option of subtracting the amount of the fines from your payment to them. Money always gets their attention.
There are too many variables involved for there to be a solid answer to this, these are just my suggestions. If you have a relationship with a QSA I’d strongly suggest you get them involved as well.