Weak SSL Ciphers on Remote Server - Help?!


GAViN™©
12-Jan-2009, 03:05 PM
We have a Security Test run on our website every 3 months to comply with PCI regulations. We have come up with some vulnerabilities regarding weak SSL Ciphers.

Our website runs on a Linux Virtual Private Server, and we have requested our web hosting company to fix these vulnerabilities, but they are coming back to me asking what they need to do :rolleyes:

This is not my field of expertise, and therefore I have no idea as to what needs to be done in order to fix these issues.

Does anyone have a clue??
Any help would be really appreciated.

Thanks.

Here are the vulnerabilities listed below.



Port: 443
Protocol: TCP
Synopsis : The remote service supports the use of weak SSL ciphers.
Description : The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all.
See also : http://www.openssl.org/docs/apps/ciphers.html
Solution: Reconfigure the affected application if possible to avoid use of weak ciphers.
Risk Factor: Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
Plugin output : Here is the list of weak SSL ciphers supported by the remote server :

Low Strength Ciphers (< 56-bit key)

SSLv3
  EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
  EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
  EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
  EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

TLSv1
  EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
  EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
  EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
  EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

The fields above are : {OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag}

Port: 8443
Protocol: TCP
Synopsis : The remote service supports the use of weak SSL ciphers.
Description : The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all.
See also : http://www.openssl.org/docs/apps/ciphers.html
Solution: Reconfigure the affected application if possible to avoid use of weak ciphers.
Risk Factor: Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
Plugin output : Here is the list of weak SSL ciphers supported by the remote server :

Low Strength Ciphers (< 56-bit key)

SSLv2
  EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
  EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

SSLv3
  EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
  EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
  EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
  EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

TLSv1
  EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
  EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
  EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
  EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

The fields above are : {OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag}

Port: 995
Protocol: TCP
Synopsis : The remote service supports the use of weak SSL ciphers.
Description : The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all.
See also : http://www.openssl.org/docs/apps/ciphers.html
Solution: Reconfigure the affected application if possible to avoid use of weak ciphers.
Risk Factor: Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
Plugin output : Here is the list of weak SSL ciphers supported by the remote server :

Low Strength Ciphers (< 56-bit key)

SSLv3
  EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
  EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
  EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

TLSv1
  EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
  EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
  EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

The fields above are : {OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag}
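
The three findings above are scanner plugin output in the layout the report itself documents ({OpenSSL ciphername} Kx= Au= Enc= Mac= export), and the same layout comes back on every quarterly scan. As an added example, not part of the original thread, the Python below parses that layout, groups the flagged ciphers by protocol, and then uses the standard ssl module to evaluate an OpenSSL cipher string locally, the way the server would, before it is handed to the hosting company as the value for a directive such as SSLCipherSuite. The sample text is constructed from the port 8443 finding (cut to one or two entries per protocol), and the cipher string RECOMMENDED_SPEC is an assumption made for the example, not something taken from the thread.

```python
import re
import ssl
from collections import defaultdict

# Constructed sample in the scanner's "Plugin output" layout. The cipher
# entries mirror the port 8443 finding quoted above, cut to one or two per
# protocol so the expected results stay easy to follow.
SAMPLE_PLUGIN_OUTPUT = (
    "Here is the list of weak SSL ciphers supported by the remote server : "
    "Low Strength Ciphers (< 56-bit key) "
    "SSLv2 EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export "
    "EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export "
    "SSLv3 EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export "
    "TLSv1 EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export "
    "The fields above are : {OpenSSL ciphername} Kx={key exchange} "
    "Au={authentication} Enc={symmetric encryption method} "
    "Mac={message authentication code} {export flag}"
)

# Two alternatives: a protocol label, or one cipher entry in the
# "name Kx=.. Au=.. Enc=.. Mac=.. [export]" layout the scanner documents.
_TOKEN = re.compile(
    r"\b(?P<proto>SSLv2|SSLv3|TLSv1(?:\.\d)?)\b"
    r"|(?P<name>[A-Z0-9-]+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)(?P<export>\s+export\b)?"
)


def parse_plugin_output(text):
    """Turn the flattened plugin output into one dict per cipher entry."""
    entries, proto = [], None
    for m in _TOKEN.finditer(text):
        if m.group("proto"):
            proto = m.group("proto")      # every entry that follows belongs here
            continue
        bits = re.search(r"\((\d+)\)", m.group("enc"))   # e.g. "RC2(40)" -> 40
        entries.append({
            "protocol": proto,
            "name": m.group("name"),
            "kx": m.group("kx"),
            "au": m.group("au"),
            "enc": m.group("enc"),
            "bits": int(bits.group(1)) if bits else None,
            "mac": m.group("mac"),
            "export": m.group("export") is not None,
        })
    return entries


def by_protocol(entries):
    """Protocol -> list of cipher names, the shape to send to the host."""
    grouped = defaultdict(list)
    for e in entries:
        grouped[e["protocol"]].append(e["name"])
    return dict(grouped)


def weak_cipher_names(entries, min_bits=56):
    """Names the scanner flags: export-grade, or a key shorter than min_bits."""
    return sorted({e["name"] for e in entries
                   if e["export"] or (e["bits"] is not None and e["bits"] < min_bits)})


def check_cipher_string(spec, min_bits=128):
    """Expand an OpenSSL cipher string with the local OpenSSL and return
    (offered_cipher_names, names_weaker_than_min_bits)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)               # raises SSLError if nothing matches
    offered = ctx.get_ciphers()         # list of dicts, one per cipher suite
    too_weak = [c["name"] for c in offered if c["strength_bits"] < min_bits]
    return [c["name"] for c in offered], too_weak


# Assumed replacement cipher string: excludes every class in the scan
# (export and low strength), plus NULL, RC4 and MD5-based suites.
RECOMMENDED_SPEC = "HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!MD5:!RC4:!3DES"
```

Feeding the full report into parse_plugin_output gives the per-port, per-protocol lists the host needs; check_cipher_string is the pre-flight for the replacement string. Note that current OpenSSL builds no longer compile the EXP-* suites at all, so get_ciphers() will never list them on a modern machine; the check is still worthwhile for the LOW, MEDIUM, RC4 and 3DES suites that a too-permissive string lets through.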

grantglendinnin
12-Jan-2009, 03:22 PM
Who runs the 'security test' on your site?

Who hosts your site?

GAViN™©
12-Jan-2009, 03:23 PM
Who runs the 'security test' on your site?
Who hosts your site?

Security Metrics and Dataflame (www.dataflame.co.uk) host our site.

Our site uses the Plesk Control Panel. I have found this

http://www.linux-advocacy.org/web-servers/making-plesk-more-pci-compliant

which goes a bit more in-depth into making Plesk more PCI Compliant, so I have sent them this link hoping they can sort it out.

grantglendinnin
12-Jan-2009, 03:28 PM
I must be psychic, I knew I was getting that answer! :o

Have a search around the forum for 'Security Metrics'.

TraceyHand
12-Jan-2009, 03:30 PM
Grant, a search would probably bring up about 1500 threads, mostly started by Gavin himself anyway!
:D

GAViN™©
12-Jan-2009, 03:31 PM
I must be psychic, I knew I was getting that answer! :o

Have a search around the forum for 'Security Metrics'. Nothing but fraudsters in their own right.

Yeah, I am well aware of what the forum members think of SecurityMetrics lol.
But it was never my idea; it was the MD's decision to go with these idiots from a recommendation from Barclays Bank, therefore I have to grin and bear it.

Having said that, these weak SSL Cipher vulnerabilities seem to be a common fault with making web-servers PCI Compliant, so I would say this would affect whichever security tests you went with, wouldn't it?

Besides, it's our web-hosting company idiots not knowing what to do to address the vulnerabilities that is the problem. I am merely trying to find out in "layman's terms" what needs to be done server end to fix these.

grantglendinnin
12-Jan-2009, 03:31 PM
Rofl. Oh yeah, well noticed.

Having recalled all the previous threads on SM, you need to dump them to find success, sorry.

leehack
12-Jan-2009, 03:39 PM
How has any actinic site in the world using SSL to download CC details, ever become PCI compliant? It's an impossibility AFAIK. Next you'll be telling me you have shared hosting too.

V7, SSL, Security Metrics, PCI Compliant...kinell Gav, give it a break mate.

Duncan Rounding
12-Jan-2009, 03:41 PM
You'll never get to the bottom of this - that's how these companies make money - there will always be something else. Your MD needs educating.

pinbrook
12-Jan-2009, 06:25 PM
I am so tempted to reply.... but the post would be moderated.

parklifeclothes
12-Jan-2009, 07:33 PM
A recommendation from Barclays Bank, why? Because they are Barclays Bank? We had all sorts of crap from both companies saying we could only become compliant by using their services and at such reasonable prices, not.
Their practices are like these schemes saying you can earn £silly amounts for 2 hours work a week, but they're always on the back of a clapped out banger. It's a con and the only people signing up are mugs.

Darren B
12-Jan-2009, 07:53 PM
Gavin, have you tried to disable SSLv2? This could probably fix the problem.

D

Darren B
12-Jan-2009, 08:24 PM
If you're looking for a decent scanning company then try here (well, one that will pass ;)) https://www.hackerguardian.com/

My main server passes PCI compliance but would probably fail a security metrics scan though

The problems with your server are more to do with the Plesk control panel; there are certain problems with the mail server as well. These can be fixed but it needs a little work.

Mark H
12-Jan-2009, 08:54 PM
If you don't collect credit card details on your site (ie you use a PSP, as you should), then you can self certify for PCI purposes. Have I missed something, what is the point of this thread?

Darren B
12-Jan-2009, 09:03 PM
Mark, I guess that depends on why it is required. Not everyone uses Actinic; if you're using another ecommerce package and process the card on your site directly (not leaving your site) but still using a PSP, then you will need PCI compliance.

GAViN™©
13-Jan-2009, 07:40 AM
I can understand everyone's thoughts on this SecurityMetrics issue, everyone is entitled to their opinion, but when it is your MD who selects which security company to go with then it's out of my hands, and I have to go with it, whether I agree or not.

When it's your own company/website then you can make the decision
yourself; the bottom line is it's not my decision to make, I can only make suggestions...which I did.

Created this post to find a layman's terms explanation of what the vulnerabilities the test was failing on required, so I could contact our web host company and say right, do this and do that...

Oh well... :rolleyes:

leehack
13-Jan-2009, 08:02 AM
Gavin, I understand if someone refuses to change despite what people tell him, it can be very frustrating. But you also have to understand that you are the only 'actinic' person in the country AFAIK (probably the world too) actually doing this. That is how mad this whole facade is. You have been banging on about the same things for gawd knows how long and to be frank no one has a clue WTF you are on about, nor WTF SM are on about.

If he is so stubborn, fair enough, tell him that he needs to contract some server/security experts in to sort this area out for you. Once he sees the price, he may also see sense.

It is not a failure to tell someone that you cannot do something that is most likely to be impossible or not work anyway.

Darren B
13-Jan-2009, 08:14 AM
OK Gavin, I have been having a trawl around the internet. I don't use Plesk so can't be much help, but I found this

http://www.linux-advocacy.org/web-servers/making-plesk-more-pci-compliant

There is also a reference to SSLv2 in the 1st part as well as other stuff.

GAViN™©
13-Jan-2009, 08:26 AM
OK Gavin, I have been having a trawl around the internet. I don't use Plesk so can't be much help, but I found this

http://www.linux-advocacy.org/web-servers/making-plesk-more-pci-compliant

There is also a reference to SSLv2 in the 1st part as well as other stuff.

Hi Darren, thanks for the post. I posted the exact same link above on my post, and emailed our web hosting company the link for them to work out the fixes.

They have emailed me this morning that they have made some changes, and are now in the process of running another security test.

In the past we actually have been PCI Compliant through SecurityMetrics, which is an achievement in itself.

consciouspnm
13-Jan-2009, 08:29 AM
Why do you have to get involved at all, just put your hosts and security metrics in touch with each other or find new hosts who understand the report that has been produced.

leehack
13-Jan-2009, 08:37 AM
In the past we actually have been PCI Compliant through SecurityMetrics, which is an achievement in itself.
Actinic V7 on shared hosting reaches PCI compliance - if this is true, then it only serves to illustrate what a load of crap the whole thing is. AFAIK, NO shared hosting offers PCI compliance and NO actinic sites can ever do so either. When Actinic themselves come out and say this, how can anyone argue with that?

toy-kingdom
13-Jan-2009, 09:58 AM
AFAIK, NO shared hosting offers PCI compliance and NO actinic sites can ever do so either. When Actinic themselves come out and say this, how can anyone argue with that?
Is that a fact? I run an Actinic (albeit V9) site which is certified by McAfee to meet the Payment Card Industry (PCI) Data Security Standard and it's on a shared host. It seems to me that people who don't fully understand the requirements/server configuration required and how easily these can be achieved even on a shared hosting environment would probably be best keeping their misinformed opinions to themselves.

Back on to the original subject there are plenty of companies who can scan your site including http://www.merchantplus.com/mcafee/ who provide compliance services at no cost for the first year and removes the need and expense for Security Metrics.

As for your issue with Weak SSL Ciphers, Darren is probably not far off the mark with:
Gavin have you tried to disable SSLv2 this could probably fix the problem.
Although there are other Weak SSL Ciphers potentially installed on the server it's just a case of getting the host to disable them although they may be reluctant as other sites hosted on the server may require them.

A simple way to find out exactly what the problem is and what ciphers you need disabled would be to sign up for the McAfee scanning: you will be assigned a rep FREE for a year who, after your initial scan, will guide you through passing PCI/DSS and assist you with all the requirements for the server, which you can pass on to your hosting company.

pinbrook
13-Jan-2009, 10:11 AM
just put your hosts and security metrics in touch with each other or find new hosts who understand the report that has been produced. Not really, we have had conversations with SM and found ourselves hitting our heads against a brick wall.
As Darren mentioned several posts ago, often it is the control panel that can be tweaked to eliminate the error message - rather than tweaking the actual security level - nonsense really :confused:

leehack
13-Jan-2009, 01:30 PM
Perhaps Simon could enlighten us all as to why the company who create the software (Actinic) state their software is not PCI Compliant without using a PSP, if indeed it actually is. Would that not be like shooting oneself in the foot if what they say is not true?

The slow demise of shared SSL and the introduction of the new AP system was mainly driven (as I understand) by the fact that Actinic and SSL downloading payment details yourself would never and will never pass the guidelines. This is the main point in all of this: you have to use a PSP to comply.

Now if McAfee, Security Metrics or anyone else doing this monitoring think that anyone doing the above mentioned scenario can actually pass PCI DSS when using Actinic, then what does that say for their services, if the software company itself has been telling us to the contrary for the past 12 months.

Over to you Simon with your wealth of knowledge, to unmuddy the most muddied waters in the past 12 months.

parklifeclothes
13-Jan-2009, 02:06 PM
This whole thread is brought about because of fears instilled by companies who magically can help out with their 'unique' services, i.e fixing something that pretty much doesn't exist.
When any new rules appear, like the fire brigade not issuing fire certificates, along come hundreds of new businesses out like vultures with their 'services' to help you comply.

GAViN™©
13-Jan-2009, 03:27 PM
Thanks to that link that Darren posted above (and I did earlier) to my web host, they have removed the SSLv3 weak SSL ciphers, so just the SSLv2 ciphers remain; everything else is fine.

So they are working on that. (Yes, sslv2 has been disabled, or so our web hosting company has informed me) - Is there a way of checking this? - Just to be sure.

Just for information, we are actually on a VPS now and have been for some months, so not a shared server as I think some might think.

If SM are known to play hard-ball, and our site is PCI compliant through them, then we must have a pretty damn secure website - therefore giving customers that added comfort knowing that we are secure. Which in my opinion is great news for us.

Am sure there are other PCI compliance companies out there, but just how good are they? How good are their security tests? who knows?

We're getting somewhere now with our host company and SM so there is light at the end of the tunnel..

But having done a google search on weak ssl ciphers for pci compliance it seems there are other people having the same trouble with no mention of security metrics at all.

I may have a look at this McAfee scan - even if it's just for documented help on vulnerabilities that we come across now, and in the future; after all, if it's free for the first year there's no harm in giving it a look.
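
Gavin's question above, whether there is a way to check that SSLv2 really has been disabled, deserves a tool rather than a yes: a current OpenSSL or Python ssl module can no longer speak SSLv2 at all, so neither can be used to show that a server rejects it. As an added example, not from the thread, the Python below builds the single CLIENT-HELLO message of the SSLv2 draft protocol, sends it to a host and port you name on the command line, and reports whether the server answered with an SSLv2 SERVER-HELLO (SSLv2 still on) or with anything else, such as a TLS alert or a closed connection (SSLv2 off). The host and port are arguments you supply for your own servers; the SERVER-HELLO used in the offline test is constructed, with the certificate field left empty.

```python
import socket
import struct

# SSLv2 message types from the SSLv2 draft specification.
SSL2_MSG_ERROR = 0x00
SSL2_MSG_CLIENT_HELLO = 0x01
SSL2_MSG_SERVER_HELLO = 0x04

# SSLv2 cipher kinds (three bytes each). The two EXPORT40 kinds are what the
# scan above reports under "SSLv2" as EXP-RC4-MD5 and EXP-RC2-CBC-MD5.
SSL2_CIPHER_KINDS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}


def build_client_hello(challenge=b"\x00" * 16):
    """CLIENT-HELLO offering every SSLv2 cipher kind, with no session id."""
    specs = b"".join(SSL2_CIPHER_KINDS)          # dict keys, insertion order
    body = struct.pack("!BHHHH", SSL2_MSG_CLIENT_HELLO, 0x0002,
                       len(specs), 0, len(challenge)) + specs + challenge
    # Two-byte record header: high bit set means "no padding byte follows".
    return struct.pack("!H", 0x8000 | len(body)) + body


def parse_server_response(data):
    """Return (sslv2_accepted, cipher_names_the_server_offered).

    Anything that is not a well-formed SSLv2 SERVER-HELLO (a TLS alert, an
    SSLv2 ERROR message, an empty reply) counts as "not accepted".
    """
    if len(data) < 3:
        return False, []
    if data[0] & 0x80:                            # 2-byte header, no padding
        length, body = ((data[0] & 0x7F) << 8) | data[1], data[2:]
    else:                                         # 3-byte header with padding byte
        length, body = ((data[0] & 0x3F) << 8) | data[1], data[3:]
    body = body[:length]
    if len(body) < 11 or body[0] != SSL2_MSG_SERVER_HELLO:
        return False, []
    (_, _hit, _cert_type, _version,
     cert_len, spec_len, _conn_len) = struct.unpack("!BBBHHHH", body[:11])
    specs = body[11 + cert_len:11 + cert_len + spec_len]
    names = [SSL2_CIPHER_KINDS.get(specs[i:i + 3], specs[i:i + 3].hex())
             for i in range(0, len(specs) - len(specs) % 3, 3)]
    return True, names


def probe_sslv2(host, port=443, timeout=5.0):
    """Send one CLIENT-HELLO to a server you operate and interpret the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            reply = sock.recv(4096)
        except (socket.timeout, ConnectionError):
            reply = b""                           # silence or reset: not accepted
    return parse_server_response(reply)


def constructed_server_hello(accepted=(b"\x02\x00\x80", b"\x04\x00\x80")):
    """Constructed SERVER-HELLO (certificate omitted) for the offline test."""
    specs = b"".join(accepted)
    conn_id = b"\x11" * 16
    body = struct.pack("!BBBHHHH", SSL2_MSG_SERVER_HELLO, 0, 1, 0x0002,
                       0, len(specs), len(conn_id)) + specs + conn_id
    return struct.pack("!H", 0x8000 | len(body)) + body


if __name__ == "__main__":
    import sys
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    enabled, names = probe_sslv2(sys.argv[1], port)
    print("SSLv2 accepted" if enabled else "SSLv2 rejected", names)
```

Run it once per port in the report (443, 8443 and 995) against your own host after the hosting company says SSLv2 is off; a SERVER-HELLO that lists the EXPORT40 kinds is exactly the SSLv2 finding the scanner produced. nmap's sslv2 NSE script performs the same exchange if a second opinion is wanted.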

RuralWeb
13-Jan-2009, 04:11 PM
I run an Actinic (albeit V9) site which is certified by McAfee to meet the Payment Card Industry (PCI) Data Security Standard and it's on a shared host
And the url is ????

Darren B
13-Jan-2009, 04:23 PM
OK i think we need to split this up a bit.

You can still make your server PCI-DSS compliant; it does not mean you are, though. The software and downloading of card details is not.

So you can have a compliant server but this is only one piece of the puzzle, there are others and these depend what information you are collecting and how you handle it. Then you need to make sure you are compliant to each of these steps.

Actinic will not meet these other steps - the downloading of card information will fail the required security checks every time.

D

Mark H
13-Jan-2009, 04:29 PM
Which is exactly why you need to use a PSP and self-certify. If you need a PCI secure website, the only justification for which is to download card details, then by definition you are downloading card details, and you are most likely to fail the whole PCI thing on this basis alone :)

RuralWeb
13-Jan-2009, 05:07 PM
You can certainly have a PCI compliant server (which actinic has) but you still need to use a psp to be fully compliant as stated on the Actinic website


Merchant web sites hosted on Actinic servers are fully PCI DSS compliant provided that they use a Payment Service Provider that is itself fully PCI DSS compliant and the card details are captured at the payment provider's servers

Mark H
13-Jan-2009, 05:18 PM
"Merchant web sites hosted on Actinic servers are fully PCI DSS compliant provided that they use a Payment Service Provider that is itself fully PCI DSS compliant and the card details are captured at the payment provider's servers"

And this doesn't mean that the servers have to be PCI secure as judged by the likes of Security Metrics.

RuralWeb
13-Jan-2009, 05:20 PM
And this doesn't mean that the servers have to be PCI secure as judged by the likes of Security Metrics
True, so you can stick your logo where the sun don't shine;)

RuralWeb
13-Jan-2009, 05:41 PM
From the Security Metrics website:

Is Site Certification Easy?
It is easy. Site Certification does not require any software installation, software configuration, training or costly maintenance. All your technical support is included and there are no hidden fees.

SecurityMetrics does not require confidential system information or access to your systems. You simply enroll and the service is scheduled to run at your convenience.

Simplify Merchant Compliance
SecurityMetrics has streamlined the merchant compliance process:
1. Free compliance consultation
2. Automatic test scheduling
3. Online questionnaire
4. Unlimited telephone support
5. Easy acquirer reporting

SecurityMetrics is committed to help your organization comply with credit card association data security requirements. We provide unlimited support, unlimited retesting and questionnaire help to simplify the compliance process.

I think that they have demonstrated how easy it all is:rolleyes:

leehack
13-Jan-2009, 05:57 PM
To be fair to SM, they had probably never met Gavin before they wrote those guidelines :D

RuralWeb
13-Jan-2009, 06:16 PM
they had probably never met Gavin
Ahhh - the old reasonable use clause applies then:D

GAViN™©
14-Jan-2009, 02:45 PM
Finally Sorted (https://www.securitymetrics.com/site_certificate.adp?s=91.103.220.67&i=110685) :)

parklifeclothes
14-Jan-2009, 02:49 PM
DISCLAIMER: THIS CERTIFICATE CONFIRMS THE SITE SHOWN ABOVE HAS BEEN TESTED FOR OVER 4400 SECURITY WEAKNESSES AND NO SIGNIFICANT SECURITY VULNERABILITIES WERE FOUND AT THE DATE SHOWN ABOVE. THIS CERTIFICATE DOES NOT IMPLY THE WEBSITE SHOWN ABOVE IS COMPLETELY INVULNERABLE TO UNAUTHORIZED ATTACKS.


With that sort of disclaimer is it worth the virtual paper it's written on:confused:?

guccij
14-Jan-2009, 03:01 PM
Shame SM couldn't bring themselves to have a working link to the site in question. That's the very least they should do imo.

GAViN™©
14-Jan-2009, 03:09 PM
Shame SM couldn't bring themselves to have a working link to the site in question. That's the very least they should do imo.

That's a fair point, not sure if SM have a good PR Ranking, it could help! :D

bamboo
14-Jan-2009, 03:13 PM
There is so much wrong with the site in question from the marketing and retailing points of view that a silly & ultimately pointless Security Metrics Certificate is the last thing they should be worrying about IMHO.

They have an astonishing value proposition that used properly would be enough on its own to give the customer the confidence to buy and yet they choose to hide it :eek:

GAViN™©
14-Jan-2009, 03:14 PM
There is so much wrong with the site in question from the marketing and retailing points of view that a silly & ultimately pointless Security Metrics Certificate is the last thing they should be worrying about IMHO.

They have an astonishing value proposition that used properly would be enough on its own to give the customer the confidence to buy and yet they choose to hide it :eek:

you want to elaborate on what you mean?
We get quite a few orders per day every day as it happens.
The cert is there to give potential customers peace of mind. If it's available to us we might as well use it than not.

parklifeclothes
14-Jan-2009, 03:41 PM
For my mind, customers won't have a clue who SM are. Putting something like secured by Tesco for instance would have more clout as it's a brand near enough all of us have heard and trust

RuralWeb
14-Jan-2009, 03:55 PM
I've been building sites for a fair few years now and have in the process looked at thousands, yet this is the first site I have ever seen with a SM logo on it. As Darren says it is totally meaningless to your average shopper and again, as pointed out, SM don't even have a list of sites using their logo - I suspect because everyone gives up or takes one look at the crap logo and certificate and removes it.

Gabe's "secured by John Wayne" logo gets my vote

Darren B
14-Jan-2009, 04:04 PM
Gabe's "secured by John Wayne" logo gets my vote
the new one with the golden padlocks ;)

RuralWeb
14-Jan-2009, 04:14 PM
golden padlocks
FANTASTIC - should increase sales no end.

bamboo
14-Jan-2009, 04:21 PM
you want to elaborate on what you mean?
We get quite a few orders per day every day as it happens.
The cert is there to give potential customers peace of mind. If it's available to us we might as well use it than not.

No. If you spend a few minutes looking you will find it as it's hiding in plain sight.

I have no idea how many orders you get a day with your site as it is, but I'll be willing to bet that you are leaving money on the table because you are focussing on unheard of & therefore pointless logos/certificates that don't register in the mind of the customer who is making the decision whether to purchase from your site or not. Getting 'on message' is far more important. Your site is also unbelievably thin on copy in its product descriptions so plenty of work still to do IMO.

As Parklife has said
Putting something like secured by Tesco for instance would have more clout as it's a brand near enough all of us have heard and trust

GAViN™©
15-Jan-2009, 07:44 AM
No. If you spend a few minutes looking you will find it as it's hiding in plain sight.

I have no idea how many orders you get a day with your site as it is, but I'll be willing to bet that you are leaving money on the table because you are focussing on unheard of & therefore pointless logos/certificates that don't register in the mind of the customer who is making the decision whether to purchase from your site or not. Getting 'on message' is far more important. Your site is also unbelievably thin on copy in its product descriptions so plenty of work still to do IMO.

As Parklife has said

Sorry but how are we focussing on unheard of pointless logos/certs?
We need to keep PCI Compliant, hence the reason for this post. Now that it has been sorted I won't be spending any more time messing around with it until our next scan returns further vulnerabilities.

Bear in mind that this site is purely run by myself only; it is updated and monitored by one person. For the income we receive from the site I am sure many people would be happy with what we receive, although yes, there is always room for improvement. :)

Rich Brady
15-Jan-2009, 09:26 AM
We need to keep PCI Compliant, hence the reason for this post. Now that it has been sorted I won't be spending any more time messing around with it until our next scan returns further vulnerabilities.

Gavin, you've spent 2 days on the forum, and who knows how long before you posted, before you solved this problem. If SM throw up more vulnerabilities on their other scans, you could be in the situation where you have to write off 2 days every 3 months to be PCI DSS compliant.

If you'd gone down the PSP route you'd have to set it up and then... nothing, just process the orders. If your site becomes busy I doubt you'll have the time to stop processing purchases to bend to SM's will.

In addition, you've gone to all this effort and the SM logo image is tucked away in the bottom left, so very few people are going to see it anyway, let alone follow the link to a page that IMO looks home made.

GAViN™©
15-Jan-2009, 09:32 AM
Gavin, you've spent 2 days on the forum, and who knows how long before you posted, before you solved this problem. If SM throw up more vulnerabilities on their other scans, you could be in the situation where you have to write off 2 days every 3 months to be PCI DSS compliant.

If you'd gone down the PSP route you'd have to set it up and then... nothing, just process the orders. If your site becomes busy I doubt you'll have the time to stop processing purchases to bend to SM's will.

In addition, you've gone to all this effort and the SM logo image is tucked away in the bottom left, so very few people are going to see it anyway, let alone follow the link to a page that IMO looks home made.

Gavin, you've spent 2 days on the forum
You make it sound like I am on here all the time for the past two days :eek:
I've spent I reckon max 2-3 hours on it, all in all, emailing our web host and SM to get the issues fixed.

If you'd gone down the PSP route you'd have to set it up and then... nothing, just process the orders. If your site becomes busy I doubt you'll have the time to stop processing purchases to bend to SM's will.

We actually do use a PSP for processing of orders.

In addition, you've gone to all this effort and the SM logo image is tucked away in the bottom left, so very few people are going to see it anyway, let alone follow the link to a page that IMO looks home made.

Unfortunately there is sod all we can do about the design of the page, that's up to SM, but I agree it does look lame. I think I may move the SM logo image elsewhere on the site that is more prominent.

Rich Brady
15-Jan-2009, 09:52 AM
You make it sound like am on here all the time for the past two days :eek:
I've spent I reckon max 2-3 hours on it, all in all, emailing our web host and SM to get the issues fixed.

Some of us are LOL. I didn't mean it to sound as if you were hounding people 24/7, but the site was not PCI DSS compliant for at least 48 hrs, so in theory you should have suspended ordering until it was sorted. I don't know many businesses that would be prepared to do that every 3 months, especially in today's climate.

Unfortunately there is sod all we can do about the design of the page, thats upto SM, but I agree it does look lame. I think I may move the SM logo image elsewhere on the site that is more prominent.

Yes there is, don't use them... Not the answer you were looking for I'm sure. :D I don't think moving the logo up is necessarily a good idea. You want customers to be hit with section titles and products first.

IMO the majority of online shoppers will assume that a professional looking site will be a safe place to enter their card details. People don't interrogate high street shops about how they handle card information do they?

It's only other sellers or the paranoid that will be looking for reassurance, therefore you need to make yourself PCI DSS compliant in the simplest way you can.

IMHO

bamboo
15-Jan-2009, 10:41 AM
We need to keep PCI Compliant hence the reason for this post.

Don't we all?
Use a PSP & the useless Security Metrics problems will go away and then you won't be wasting time doing this!

spending any more time messing around with it until our next scan returns further vulnerabilities.

See you are even expecting the idiots to 'highlight' more vulnerabilities :eek:

Bear in mind that this site is purely run by myself only, it is updated, monitored by one person

and how is this so different from most of the people on here?

Look Gavin. It really doesn't matter whether you spend 2 minutes or 2 days on Security Metrics, or worrying about whether your site seems to be secure in the mind of the customer who has just found the perfect Philips kettle she has been searching for on your site: it is your extremely valuable time WASTED.

If you simply lurked on here for an hour a day and then spent another hour implementing any 'best practice' you come across, and they are legion, your sales WILL go up and you can bin SM and all their vulnerabilities for good.

Here's a clue to the unique selling proposition or value proposition you hide on your website that would allay the fears of the majority of your customers if you had it 'front & centre' instead of the silly SM logo.
http://royal-enfield.com/

SmTechRep
15-Feb-2009, 08:16 PM
I must be psychic, I knew I was getting that answer! :o

Have a search around the forum for 'Security Metrics'.

You're so misinformed about what Security Metrics actually does. Security Metrics doesn't come up with the vulnerabilities that companies need to be flagged for; it's determined by PCI (Payment Card Industry), which was developed by all the major credit card companies to follow. For more information, since you have none, go to www.pcisecuritystand.org. So they decide what to scan for and we are just the third party company that does the scanning for them. Plus our company isn't the one requiring anyone that accepts credit cards as a form of payment to become compliant; it's their bank. So any money charged is not by us but by the banks themselves. So get your facts straight first.

GAViN™©
16-Feb-2009, 09:07 AM
Don't we all?
Use a PSP & the useless Security Metrics problems will go away and then you won't be wasting time doing this!

That is what I thought until I was informed that is not correct. We use a PSP (Secure Hosting) for our payments, but your site itself still needs to be PCI Compliant; this is what Barclays Bank told us. No offence here, but I tend to believe them.

RuralWeb
16-Feb-2009, 09:16 AM
Lmfao - who in their right mind believes anything banks say these days - they have been shown to be the biggest bunch of muppets in business history.

grantglendinnin
16-Feb-2009, 09:19 AM
Lmfao - who in their right mind believes anything banks say these days - they have been shown to be the biggest bunch of muppets in business history.

Not me. Nor will I apologise for someone who comes and makes a fool of himself representing SM. You'd honestly think somebody employed by the Government would do things professionally;)

GAViN™©
16-Feb-2009, 09:20 AM
Whether you believe them or not, it was a case of us having to go with PCI compliance on the webserver even if we do use a PSP for taking customer card details, otherwise the bank would not agree to let us use them.

Just out of curiosity, how many sites that people have on here, are one man bands or actual businesses who employ x amount of employees?

Don't forget we are a distributor for Philips so we have to go through the correct channels; a Joe Bloggs who creates sites for small businesses in their home office can (if they so wish) skip certain procedures, and have more flexibility as to what they can and cannot do.

grantglendinnin
16-Feb-2009, 09:23 AM
Gavin,

PCI-DSS compliance has been mandatory since April 2008. The bank are well within their rights to refuse your business if you are not PCI-DSS compliant. It's bordering on shameful that they refuse your business without signing up to Security Metrics.

To be perfectly honest, I'd be more worried that they'll screw you over than you screw them over:rolleyes:

parklifeclothes
16-Feb-2009, 09:24 AM
The problem seems to be Barclays targeting their customers with what feels like blackmail techniques: whether or not you use a PSP, and are compliant or not, you must notify Security Metrics anyway. The emails we have received have no contact for Barclays, only that of Security Metrics, and having replied to both emails I have heard naff all.
My apparent deadline set by Barclays expires on Thursday this week, so we'll see what happens; they might set GAViN on me :cool:!!!

RuralWeb
16-Feb-2009, 09:32 AM
Well SM can go away - the three clients I had using Barclays have now moved to Actinic Secure Payments which is far, far better. I suspect that Barclays will lose more clients than they keep with these bully boy tactics by SM.

I used to recommend Barclays as a PSP but no more. And Gavin, the one man bands you talk about are Barclays' bread and butter - all my clients made more than most of the banks did last year, and I suspect more than you as well, so don't come on here slagging off other Actinic users and designers, many, many of whom have helped you over the years.

parklifeclothes
16-Feb-2009, 09:33 AM
It also shows how the banks still do their best to control other people's businesses yet don't have a clue about controlling their own.

Unfortunately banks never lose, just get public money to bail them out and still get silly bonuses!!

Darren B
16-Feb-2009, 09:48 AM
You're so misinformed about what Security Metrics actually does. Security Metrics doesn't come up with the vulnerabilities that companies need to be flagged for; it's determined by PCI (Payment Card Industry).

SM - LMFAO. Perhaps if you had people that knew what they were talking about you might be taken seriously. Try searching the forum - it is clear SM have not got a clue half the time.

Some members are more up to date as to PCI-DSS than people in your organisation. If you know who should and who should not have it then it's your job to inform the bank they have it wrong - oh, but then you would not get any money for that :rolleyes:

Darren B
16-Feb-2009, 09:51 AM
Whether you believe them or not, it was a case of us having to go with PCI compliance on the webserver even if we do use a PSP for taking customer card details, otherwise the bank would not agree to let us use them.

Just out of curiosity, how many of the sites that people have on here are one man bands or actual businesses that employ x amount of employees?

Don't forget we are a distributor for Philips so we have to go through the correct channels; a Joe Bloggs who creates sites for small businesses in their home office can (if they so wish) skip certain procedures, and have more flexibility as to what they can and cannot do.

Gavin, I am a one man band, and no, I don't require PCI-DSS as I use Streamline, Actinic Payments and Protx (kite business).

What being a distributor for Philips has to do with it I don't know. You lost me on that one.

Darren B
16-Feb-2009, 09:56 AM
That is what I thought until I was informed that is not correct. We use a PSP (Secure Hosting) for our payments, but your site itself still needs to be PCI compliant; this is what Barclays Bank told us. No offence here, but I tend to believe them.

It's a shame really, but you carry on - PCI-DSS is credit card company led, as already mentioned, not a bank led scheme, and Barclays obviously go hand in hand with SM in not understanding the requirements of a scheme they are implementing. Personally I would have moved to someone that does understand it.

My letter from Streamline told me if I used a PSP then I need to take no action providing my PSP is security tested. That was good enough for me.

bamboo
16-Feb-2009, 10:00 AM
Just out of curiosity, how many of the sites that people have on here are one man bands or actual businesses that employ x amount of employees?

You really aren't getting this are you?

It's got nothing to do with the size of the business, whether it has employees or not, or whether it's what the Americans call a 'mom & pop store'.

I own two companies and am a partner in a third. They bank with two different banks and NEITHER of them has FORCED any of them to use Security Metrics' totally pointless service. They use Worldpay, who are compliant, as the PSP for all three.

Barclays are obviously not aware of the rules, surprise surprise. I don't personally read the news any more but even I am aware the banking giants are in dire straits because of incompetence.
The quicker one of them goes to the wall the better IMO.

But with that said, it is entirely up to you if you want to go along with Barclays and their trust in Security Metrics. If you do, SM will always find 'vulnerabilities' for reasons already made clear on this thread and many others.

Best of luck.

grantglendinnin
16-Feb-2009, 10:01 AM
For anybody who is reading this thinking that because Barclays tend to publish the best transaction rates and this is a good enough reason to stay with them, despite being harassed by SM, think again.

Phone Streamline, they'll happily match the rates Barclays are offering, and they tend to know a bit more about the law than the latter.

Good job :)

grantglendinnin
16-Feb-2009, 10:05 AM
I don't personally read the news any more but even I am aware the banking giants are in dire straits because of incompetence.
The quicker one of them goes to the wall the better IMO.


Derek, quick solution: don't, under any circumstances, pay your taxes this month; that'll sort them out when the Government doesn't have the money to bail them out... again :D

RuralWeb
16-Feb-2009, 10:08 AM
And finally, Gavin, please don't post any more about SM and vulnerabilities as nobody here is interested.

I suspect that this year I will make more money than Barclays - let's hope the government let them go bust, which should have happened to all the other banks IMO.

RuralWeb
16-Feb-2009, 10:13 AM
For anyone who has letters from SM or Barclays, perhaps they would like to get in touch with BBC Working Lunch and highlight the harassment small business is still getting from bankers.

Darren B
16-Feb-2009, 10:16 AM
For anyone who has letters from SM or Barclays, perhaps they would like to get in touch with BBC Working Lunch and highlight the harassment small business is still getting from bankers.

Now that is a good idea, almost wish I had one now.

parklifeclothes
16-Feb-2009, 11:33 AM
My inbox now has a total of 4 Security Metrics emails, or should I say blackmail letters!!

RuralWeb
16-Feb-2009, 11:34 AM
I just read that Barclays are being investigated for misleading investors - sound familiar?

parklifeclothes
16-Feb-2009, 11:47 AM
For anyone who has letters from SM or Barclays, perhaps they would like to get in touch with BBC Working Lunch and highlight the harassment small business is still getting from bankers.

Just emailed them!!

RuralWeb
16-Feb-2009, 11:55 AM
Working Lunch are doing a live show at the Trafford Centre this Wednesday if anyone is in the area.

RuralWeb
16-Feb-2009, 12:31 PM
Anyone wanting to complain about SM could try https://www.pcisecuritystandards.org/index.shtml and use the ASV feedback form

grantglendinnin
16-Feb-2009, 12:40 PM
Indeed, Jeremy Clarkson might have some wise words to share:p

Darren B
16-Feb-2009, 03:48 PM
Letting a bank go under would have been an even bigger problem than bailing them out. I sometimes wonder if people actually realise the knock-on effects of a collapse in the banking industry.

The only way out is to shore them up then put them under strict regulation, including the offer of private loans and credit cards which have been knowingly sold by all the banks.

The only way they understand is to levy hefty fines. Unfortunately this is not an option these days as it's the taxpayers' money. But be assured, when things recover you can bet the government will sell off their stake and that's the time to slap on the fines for breaching regulations, that's if they do.

bamboo
16-Feb-2009, 04:15 PM
The truth is nobody knows how the world's banking system works. As recent events have shown, even the banks themselves don't have a clue.

As we live, work and trade in a free market economy, then surely it would be right and proper that if that market economy drives a business to the wall it should go under.

Woolworths has vanished. As have many other big companies. Doubtless there will be even bigger companies following their route out of existence. A bank is a financial company, so why should banks be immune from this process?

I agree a large bank going under would be painful, but would it be any more painful than giving them billions of pounds of taxpayers' money just to keep them in existence? The banks are NOT lending anyone anything, so how have the billions & mergers actually helped the situation?

Darren B
16-Feb-2009, 04:21 PM
I agree a large bank going under would be painful, but would it be any more painful than giving them billions of pounds of taxpayers' money just to keep them in existence? The banks are NOT lending anyone anything, so how have the billions & mergers actually helped the situation?

It would be more than painful - and this is the part people do not understand. I would be interested to know what you would do by letting the banks go under. When you have 15 million people with no money and companies can't pay people because

a) when a bank goes bust everything is frozen, this includes all monies
b) there is no BACS system
c) no direct debits / standing orders
d) no savings

Need me to go on? If you ain't happy, vote them out; you have not got long to wait, and trust me, they would all have done the same thing.

bamboo
16-Feb-2009, 04:29 PM
It would be more than painful - and this is the part people do not understand. I would be interested to know what you would do by letting the banks go under. When you have 15 million people with no money and companies can't pay people because

a) when a bank goes bust everything is frozen, this includes all monies
b) there is no BACS system
c) no direct debits / standing orders
d) no savings

Need me to go on? If you ain't happy, vote them out; you have not got long to wait, and trust me, they would all have done the same thing.

As I said very painful. In fact very very painful if you had your money and finances tied up in that bank.
But what has the bailout and merger achieved?

About as much as the 2.5% VAT cut IMO.

Darren B
16-Feb-2009, 04:34 PM
As I said very painful. In fact very very painful if you had your money and finances tied up in that bank.
But what has the bailout and merger achieved?

About as much as the 2.5% VAT cut IMO.

You have still not grasped it; the banks all lend to each other, so ermm, it would bring down another one, then another, and oooh, we're back to bartering.

This is not a new thing: http://ideas.repec.org/a/mcb/jmoncb/v28y1996i4p733-62.html

As for not voting, that's your choice; however, if you choose not to then you can hardly make a comment IMHO.

bamboo
16-Feb-2009, 04:43 PM
Of course the banks lend to each other. How many large banks, worldwide, have gone to the wall in recent times without seeing a domino effect that you fear might happen actually occur?

I have as much knowledge of banking as the next man, woman or person, but I cannot accept that it is right and proper to allow banks or any other financial institution to get away with gross incompetence and a taxpayer bailout of gigantic proportions and then be allowed to carry on with their current 'no lending' policy. It's madness.

parklifeclothes
16-Feb-2009, 04:49 PM
The banks are NOT lending anyone anything?

Untrue. The problem is that people and businesses alike are too scared to borrow at the moment, as nobody knows what's around the next corner, so fewer people are actually going to the banks, and of those that do and get turned down, they are getting turned down for the right reason: that their business can't sustain the added cost of a loan. We are actually seeing banks being responsible for a change.

No matter what any government does, nothing will get people to borrow if there's a chance next week they'll be jobless. The problem with this recession is whatever positive news comes out each day the media gives more air/page time to the negative issues, and until there's a stop to this the country will be on its knees.

If there is a week of good news regarding the economy, like house prices starting to rise, or a week or two of good weather, it will get people reaching into their pockets. The majority of our customers don't seem to think the recession is as bad as what's reported, and we are selling newborn baby tee shirts at up to £35 a time, and the people buying these aren't the most well off, just people with good taste and not listening to the doom and gloom brigade!

Darren B
16-Feb-2009, 04:50 PM
Actually they have all been supported by bail outs, either from other banks or governments. The brand might not exist but they still do.

Your original statement was that Gordon Brown did it because he was Scottish and so were the bank's roots - even though HBOS actually means Halifax Bank of Scotland, so was actually both.

I made my assumptions based on the knowledge I have; how the banks are run has nothing to do with the rights and wrongs. So far we have dragged all sorts of other factors into this that actually have no bearing on the comments you made.

I think we all agree who is responsible, and the law should be changed so these people lose everything; why should they still have these great houses and cars?

bamboo
16-Feb-2009, 04:57 PM
The majority of our customers don't seem to think the recession is as bad as what's reported

I concur. My customers clearly think the same.

I agree that the banks are at last trying to act responsibly, which is welcome even if it's 'shutting the gate after the horse has bolted'. Lending mortgage money to people who would never be able to pay it back was foolhardy at best and barking mad at worst.

I sincerely hope that the fallout from all of this is that we end up with a flexible, measured risk banking system that treats each case on its individual merits instead of the 'formula' approach to lending. It's just that I cannot see any evidence that these massive UK banks can be flexible. I hope they prove me wrong.

RuralWeb
16-Feb-2009, 07:05 PM
The problem with this recession is whatever positive news comes out each day the media gives more air/page time to the negative issues, and until there's a stop to this the country will be on its knees.

Just heard a prime example of this on Radio 4 - they went on and on about 450 jobs being lost at Mini BMW and a local council BUT only mentioned in passing that KFC were creating 9000 jobs (presumably because people are buying loads of food).

Darren B
16-Feb-2009, 07:30 PM
Just heard a prime example of this on Radio 4 - they went on and on about 450 jobs being lost at Mini BMW and a local council BUT only mentioned in passing that KFC were creating 9000 jobs (presumably because people are buying loads of food).


I heard this too, a £150 million pound investment in 300 new fast food outlets. And yes, it was a passing comment from the TV as well :rolleyes:

grantglendinnin
16-Feb-2009, 08:17 PM
But what has the bailout and merger achieved?
Millions upon millions of people living in the UK losing all of their money, perhaps??

bamboo
17-Feb-2009, 06:24 AM
I heard this too, a £150 million pound investment in 300 new fast food outlets. And yes, it was a passing comment from the TV as well :rolleyes:

I actually sat through News at 10 last night to see if there was any mention... and there wasn't.
Mini agency workers losing jobs
Jade Goody's battle with cancer
Predictions of how long and deep the recession will be
Gordon has no regrets about the bank merger
Various other doom laden snippets

The only moment of what would pass for 'light relief' were it not that the consequences of not having the right skills meant loss of life was when an American soldier stopped shooting at an invisible enemy and said
"We have the most advanced technology in the world with helios and heat cameras and we cannot find one man on this hill throwing mortar bombs at us"

Not a single word about a company investing £150 million creating 9000 jobs :( disgusting.

george
17-Feb-2009, 06:32 AM
Great news for junk food fans and bad news for chickens.


*wonders if a "bucket" counts towards his five a day* :rolleyes:

bcomp
17-Feb-2009, 11:08 AM
Contrary to the popular misguided belief among members of this forum, using a PSP does NOT get you off the hook with PCI-DSS at all. A simple script injection on your own site could easily present your customer with a phony PSP phishing page, and therefore you would not be PCI-DSS compliant and your company would be liable. You must also use SSL or appropriate operational and technological processes and procedures to protect data, including but not limited to customer name, address and what they bought, to safeguard against the unauthorised access or unlawful processing, or disclosure, of personal information.

grantglendinnin
17-Feb-2009, 11:16 AM
Are you having a kitten?

Let's assume you've been sent by another one of the banks' agencies. So what you're telling me is if I want to be PCI-DSS compliant, I have to pay you to regularly scan my site and produce issues that don't exist?

Pfft, these scam agencies can go spin :)

TraceyHand
17-Feb-2009, 11:19 AM
Contrary to the popular misguided belief among members of this forum, using a PSP does NOT get you off the hook with PCI-DSS at all. A simple script injection on your own site could easily present your customer with a phony PSP phishing page, and therefore you would not be PCI-DSS compliant and your company would be liable. You must also use SSL or appropriate operational and technological processes and procedures to protect data, including but not limited to customer name, address and what they bought, to safeguard against the unauthorised access or unlawful processing, or disclosure, of personal information.

and you are..??
And this information is based on...?
Your definitive backup proof and documentation is at www..... ?

No one is going to take any notice of you if you just come and post a block of 'words' like that, without backup information we can all study ourselves!

Rich Brady
17-Feb-2009, 11:22 AM
present your customer a phony PSP phishing page

So you wouldn't be using a PSP would you? :rolleyes:

Mark H
17-Feb-2009, 11:43 AM
From the PCI website:

"Does PCI DSS apply to merchants who use payment gateways to process transactions on their behalf, and thus never store, process or transmit cardholder data?

PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted. If PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply. However, under PCI DSS requirement 12.8, if the merchant shares cardholder data with a third party processor or service provider, the merchant must ensure that there is a contractual obligation for that third party processor/service provider to adhere to the PCI DSS and that the third party processor/service provider is responsible for the security of the cardholder data it possesses. In lieu of a direct agreement, the merchant must obtain evidence of the third-party processor/service provider's compliance with PCI DSS via other means, such as via a letter of attestation."

For the avoidance of any confusion, the PAN is the big number on the front of the credit card.

leehack
17-Feb-2009, 11:44 AM
Gavin with another guise protecting his commission?

bcomp
17-Feb-2009, 12:04 PM
and you are..??
And this information is based on...?
Your definitive backup proof and documentation is at www..... ?

No one is going to take any notice of you if you just come and post a block of 'words' like that, without backup information we can all study ourselves!

And you are? It's not rocket science, Tracey: if your site is not PCI-DSS compliant and hacked, and your customer inputs data into a phony PSP phishing page and their data is then in turn used for fraudulent activity, you are liable, not your PSP. I for one am less than willing to take advice on matters of such importance as PCI-DSS compliance and our liability from the "cough cough" ecommerce professionals who frequent these forums.

I would also suggest you contact your PSP, assuming you are using one, regarding your liability in the event that your site is hacked and a customer inputs data into a phony PSP phishing page. Quite obviously your PSP will not be liable should this happen, as the data was obtained from your site, not theirs; perhaps that's a little food for thought for you?

I would also suggest a good start for you regarding research would be https://www.pcisecuritystandards.org/security_standards/download.html?id=pci_dss_v1-2.pdf.

So you wouldn't be using a PSP would you? :rolleyes:
And therefore be liable for the loss and damages.

From the PCI website:

"Does PCI DSS apply to merchants who use payment gateways to process transactions on their behalf, and thus never store, process or transmit cardholder data?

PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted. If PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply. However, under PCI DSS requirement 12.8, if the merchant shares cardholder data with a third party processor or service provider, the merchant must ensure that there is a contractual obligation for that third party processor/service provider to adhere to the PCI DSS and that the third party processor/service provider is responsible for the security of the cardholder data it possesses. In lieu of a direct agreement, the merchant must obtain evidence of the third-party processor/service provider's compliance with PCI DSS via other means, such as via a letter of attestation."

For the avoidance of any confusion, the PAN is the big number on the front of the credit card.

And this resolves the problem and removes your company from being liable should your site be compromised and your customer input data into a phony PSP phishing page how exactly?

Yes, if the system is working correctly, your site is not compromised and the customer's data is obtained from the PSP, they are liable, but that does "not" cover you should your site not be compliant and be compromised and the customer's data be obtained from a phony PSP phishing page.

Darren B
17-Feb-2009, 12:08 PM
Simon, my advice to you is to go and study the PCI-DSS properly, then come back with the factual information.

Mark already pasted the information, and you can read into any documentation or legislation whatever you like.

leehack
17-Feb-2009, 12:11 PM
These muddy waters just keep getting muddier.....

Darren B
17-Feb-2009, 12:26 PM
These muddy waters just keep getting muddier.....

Most of the time by companies trying to gain from it. I presume Simon works for SM.

I would surely love to see someone explain how they are going to make a script injection; I'm not saying it can't be done, I would love to see how it is done on an Actinic site.

bcomp
17-Feb-2009, 12:30 PM
Most of the time by companies trying to gain from it. I presume Simon works for SM.

I would surely love to see someone explain how they are going to make a script injection; I'm not saying it can't be done, I would love to see how it is done on an Actinic site.

Are you telling me that there are not vulnerabilities within, for example, PHP, Apache, MySQL, cPanel or Plesk that would allow hackers to change files on the server? Here is one example of a current security issue running on the cPanel forum: http://forums.cpanel.net/showthread.php?t=62821

Here's an idea: how about an Actinic Payments spokesman letting us all know what liability they accept if a client using Actinic and Actinic Payments as their PSP is compromised and their customer inputs their credit card details into a phony PSP phishing page from a hacked client's website and those details are then used fraudulently.

Who's liable, Actinic Payments or the website?

grantglendinnin
17-Feb-2009, 12:56 PM
Simon, your argument is probably the worst I've read on the subject of PCI-DSS.

Somebody with the knowledge can easily hack a server, edit the HTML files as appropriate and send the unsuspecting customer to what you would describe as a 'phony PSP' site - all within minutes. I know, I've seen it done - hence why I wouldn't recommend hosting security-purposed websites with Hostgator. That's another story.

What do your company (Not Bcomp 77 Ltd, they don't employ 'Simon') do - scan the site you're paid to security check on a constant basis, since hackers can strike within minutes, if not seconds?:rolleyes:

RuralWeb
17-Feb-2009, 12:56 PM
OK, so let's assume you work for SM, and PCI has been applicable since last April; why has Barclays etc. not suspended the merchant accounts of any Actinic users?

leehack
17-Feb-2009, 01:04 PM
Simon, where people like yourself fail so miserably is communication. You come on here talking about things, which could all be true and something we should all take advice from, however you get people's backs up by trying to tell us how right you are and how wrong we all are.

If what you say is true, then put your full name, your phone number, your email address, your company name and your web address for people to contact you and address any issues they may have. Anything less and you are not doing the job you think you are. Surely you have a moral and professional obligation to do this as a security expert?

Stop adding to the muddy waters and start solving them, cos you are not helping at all.

Rich Brady
17-Feb-2009, 01:06 PM
Stop adding to the muddy waters and start solving them, cos you are not helping at all.

Add my vote please?

*What? This isn't the wish list ooopps *

Darren B
17-Feb-2009, 01:11 PM
Are you telling me that there are not vulnerabilities within, for example, PHP, Apache, MySQL, cPanel or Plesk that would allow hackers to change files on the server? Here is one example of a current security issue running on the cPanel forum: http://forums.cpanel.net/showthread.php?t=62821

Here's an idea: how about an Actinic Payments spokesman letting us all know what liability they accept if a client using Actinic and Actinic Payments as their PSP is compromised and their customer inputs their credit card details into a phony PSP phishing page from a hacked client's website and those details are then used fraudulently.

Who's liable, Actinic Payments or the website?

Why Actinic? Your logic applies to others: Protx, WorldPay, etc.

I'm confused, so you agree every piece of software has some form of hole, I think we all accept that, but having a security scan then makes this all go away? So you passed it on Monday, then cPanel / Plesk / Windows release a patch which has another hole in it on Tuesday; what happens for the next 3 months until your next scan? Are SM going to take the hit then? Well, they failed, not the website or the PSP.

So what you are saying is all the banks should pull the plug on every company that has not had a security check carried out on their servers. Oh, and in reality shared hosting is not going to become compliant, so everyone needs to move to dedicated servers as well.

leehack
17-Feb-2009, 01:31 PM
We have a site owner, a hosting company and a payment gateway all in the mix. The hosting company and the payment gateway can pass on blame to the site owner if something breaches their systems. It's a rather failsafe way of operating a business. Can't think of too many businesses that can get away with such blame free methods.

Does a server hack occur as often as Halley's Comet appears, Simon, or more commonly than that? Once again an area where you could state facts and not ramble on about how wrong people are. Paint the picture or we are all looking at a blank canvas, no matter how much you talk.

Mark H
17-Feb-2009, 01:36 PM
I think there is a confusion here between hacking of a site and PCI compliance:

PCI Compliance only applies to sites which collect card data, which means the actual numbers. If your site doesn't collect card numbers then it doesn't need to be compliant. PCI themselves make this crystal clear.

If your company collects card details (say over the phone) then you need to be PCI compliant (means of storage, PC network if used for storage etc), but your website still does not need be if it doesn't collect card details or form part of the storage process.

If any website is hacked which leads to the skimming of card details by another website, the question of liability is an interesting one, however if your website doesn't need to be PCI compliant because it doesn't itself collect card details (see first point), then PCI compliance is wholly irrelevant.

PCI compliance of websites which collect/store data, and liability of website owners whose websites do not require PCI compliance, but which are hacked, are two completely different issues.

Darren B
17-Feb-2009, 01:47 PM
Actinic's version / interpretation: http://www.actinic.co.uk/services/pci-dss.htm

Interesting comment made here: "Royal Bank of Scotland/Natwest/Streamline and HBOS have made clear statements that a merchant can depend on the compliance of their PSP. We are in the process of trying to obtain similar statements from other banks."

And Simon posting a link to the PCI website that tells you what to check to ensure compliance is a bit pointless really; the debate is who is and who is not. Not what to check for :rolleyes:


Stop adding to the muddy waters and start solving them, cos you are not helping at all.

Lee, I think he took your advice; not prepared to give his full name and company, so went off.

bcomp
17-Feb-2009, 01:52 PM
Why Actinic? Your logic applies to others: Protx, WorldPay, etc.

I'm confused, so you agree every piece of software has some form of hole, I think we all accept that, but having a security scan then makes this all go away? So you passed it on Monday, then cPanel / Plesk / Windows release a patch which has another hole in it on Tuesday; what happens for the next 3 months until your next scan? Are SM going to take the hit then? Well, they failed, not the website or the PSP.

So what you are saying is all the banks should pull the plug on every company that has not had a security check carried out on their servers. Oh, and in reality shared hosting is not going to become compliant, so everyone needs to move to dedicated servers as well.

The fact is simple: all ecommerce websites are required to pass PCI-DSS or they will be liable in the event of a security breach, regardless of the payment method they use. I'm very sorry for you that in order to be compliant you need to maintain security, I'm sorry if that's an inconvenience to you, and I'm sorry that running an ecommerce site requires that you take security seriously and not simply assume you can pass the buck to your PSP.
I simply used Actinic as an example in the hope that someone from Actinic Payments would confirm who is liable in the event that a site is compromised; naturally the same applies to any other PSP.

Simon, where people like yourself fail so miserably is communication. You come on here talking about things, which could all be true and something we should all take advice from, however you get people's backs up by trying to tell us how right you are and how wrong we all are.

If what you say is true, then put your full name, your phone number, your email address, your company name and your web address for people to contact you and address any issues they may have. Anything less and you are not doing the job you think you are. Surely you have a moral and professional obligation to do this as a security expert?

Stop adding to the muddy waters and start clearing them, 'cos you are not helping at all.
Well, having looked at a vast selection of your posts, Lee, it's quite clear who it is that deems themselves always right, never wrong. I would suggest your comments such as "where people like yourself fail so miserably is communication" and "you get people's backs up by trying to tell us how right you are and how wrong we all are" could be referred to as "pot calling the kettle", and perhaps it would be advisable that you take a look in the mirror.

The fact is all ecommerce sites should be PCI-DSS compliant regardless of whether they use a PSP or not, and any site that isn't PCI-DSS compliant at the time of a compromise to their ecommerce site is liable. Any professional or self-proclaimed professional such as yourself advising clients otherwise should be held accountable, but sadly that would not be the case, and it's your clients who trusted and listened to your misinformed advice that would suffer the consequences.

You ask me for the answer? The answer is simple: sign up to a scanning service and get your ecommerce store PCI-DSS compliant. It's not even as if a scanning service would cost a single penny, even on a shared hosting environment.

PS: Who said anywhere I was a security expert? I'm simply a site owner who has managed to pass PCI-DSS and is now a user of these forums posting relevant information whilst not attacking other users in the process. Just because the penny has dropped for you that your advice regarding a website's security and the need to be PCI-DSS compliant is complete nonsense, that's not really my problem, but at least the penny has dropped and you will now be a little more informed when advising others.

Darren B
17-Feb-2009, 01:54 PM
Interesting, this is from Barclaycard's website:

" I use other companies and suppliers to process card payments on my behalf and supply services. Does PCI DSS affect me?

You are responsible for ensuring you are using a fully compliant solution for managing your card data which includes your third parties. If your data is breached or stolen as a result of one of your third parties you will be held liable for that data breach.
Therefore any solution or service that is used by you to accept, process and/or store your customer card holder data must be compliant. It is your responsibility to ensure your supplier provides you with evidence of their compliance status and the compliance of their service or solution."

grantglendinnin
17-Feb-2009, 01:57 PM
Well, having looked at a vast selection of your posts, Lee, it's quite clear who it is that deems themselves always right, never wrong. I would suggest your comments such as "where people like yourself fail so miserably is communication" and "you get people's backs up by trying to tell us how right you are and how wrong we all are" could be referred to as "pot calling the kettle", and perhaps it would be advisable that you take a look in the mirror.
Simple answer to this. Site of the Year 2008 (Edit. Sorry, that's 'The Specsavers Award' :D).

---Edit---

Thought I'd throw the rest in. Joint winner of the 'British Red Cross Award for Helpful Member to the Community' - very well deserved IMO. IMO the sites I have seen Lee develop are the best Actinic-based sites going, Atlantic Shopping, Quantum Electronics, Dude, etc.

You ask me for the answer? The answer is simple: sign up to a scanning service and get your ecommerce store PCI-DSS compliant. It's not even as if a scanning service would cost a single penny, even on a shared hosting environment.
Let me guess...you're getting commission from ALL of the 'security scanning' services???

PS: Who said anywhere I was a security expert? I'm simply a site owner who has managed to pass PCI-DSS and is now a user of these forums posting relevant information whilst not attacking other users in the process. Just because the penny has dropped for you that your advice regarding a website's security and the need to be PCI-DSS compliant is complete nonsense, that's not really my problem, but at least the penny has dropped and you will now be a little more informed when advising others.
Be a man and stop hiding behind your virtual hard-man act.

Rich Brady
17-Feb-2009, 01:59 PM
The simple fat is simple

I'm glad you cleared that up for me LOL

The thing is Simon that you've kept everything about yourself a secret.

This leads me to believe either:

You are simply here to stir up trouble
You are here to drum up business for some security check
You're not entirely sure what you are saying is true
You're a current member on this forum who knew his posts were going to piss people off and didn't want to affect any help you may need in the future

Which one is it?

Also, you do seem to be very much in the minority here, and until you have proved what you are saying is true, members are going to follow the advice of established, helpful guys like Lee.

leehack
17-Feb-2009, 02:01 PM
The fact that I have had a very successful Actinic design service for a good few years now is yet again testament to the rubbish you speak, I'd imagine, but don't take my word for it: speak to my clients. I think I did quite well in the recent forum votes for best of categories too.

Hmm, do I believe a new forum ID hiding his true identity, or look at the facts in front of me? Hmm, I wonder.

The worst part of it all is that you use the weak line of the 'not being bothered about security' type affair. Everyone is bothered about security; it's the rubbish and utterly muddy information around that confuses the whole thing.

bcomp
17-Feb-2009, 02:03 PM
I'm glad you cleared that up for me LOL

The thing is Simon that you've kept everything about yourself a secret.

This leads me to believe either:

You are simply here to stir up trouble
You are here to drum up business for some security check
You're not entirely sure what you are saying is true
You're a current member on this forum who knew his posts were going to piss people off and didn't want to affect any help you may need in the future

Which one is it?

Also, you do seem to be very much in the minority here, and until you have proved what you are saying is true, members are going to follow the advice of established, helpful guys like Lee.

A: I run a business which is called BComp, so nothing secret about that.
B: It operates as an ecommerce business using Actinic.
C: My name is Simon.
D: Where have I linked to or recommended any security scanning services? Here's one just in case (it's FREE): www.qualys.com
E: What advice would I require exactly from the know-it-alls here that know nothing?

Darren B
17-Feb-2009, 02:10 PM
Here's one just in case (it's FREE): www.qualys.com

Oh, information from a company selling, ermmmm, security scans. LMFAO. Give me your address, I bet I can sell you something on your doorstep.

bcomp
17-Feb-2009, 02:14 PM
Interesting, this is from Barclaycard's website:

" I use other companies and suppliers to process card payments on my behalf and supply services. Does PCI DSS affect me?

You are responsible for ensuring you are using a fully compliant solution for managing your card data which includes your third parties. If your data is breached or stolen as a result of one of your third parties you will be held liable for that data breach.
Therefore any solution or service that is used by you to accept, process and/or store your customer card holder data must be compliant. It is your responsibility to ensure your supplier provides you with evidence of their compliance status and the compliance of their service or solution."
And from this you're leaning towards perhaps becoming PCI-DSS compliant?

Lee, I have posted the facts, which are: if a site is compromised they are liable if they are not PCI-DSS compliant, and not their PSP, which was not compromised. You choosing to ignore that is entirely your choice, but unfortunately it is your clients that will suffer should there be a security compromise with one of their sites, and not you.

Darren B
17-Feb-2009, 02:19 PM
And from this you're leaning towards perhaps becoming PCI-DSS compliant?

Keep up - I already told you what I had done, and also informed you that I have checked the information. I have been for the last 18 months and as yet have found nothing to tell me I have to become compliant. So I actually reckon I have more of an understanding on the subject than you do.

Admit it, you have not got a clue; however, I notice you have yet to refute the information others and I have posted that all clearly states it is not required.

When you come back with a compelling argument and factual statements, let me know. Until then I have work to do and shall not waste more time.

bcomp
17-Feb-2009, 02:21 PM
The scanning service we use runs daily, which is not required, but as it's free why not, and at the very least it offers peace of mind to us. We have not had a single issue for well over 2 months which required any attention; the last issue was:

Vulnerability: ICMP Timestamp Request
Qualys ID : 82003 CVE ID : CVE-1999-0524
Port : N/A

Diagnosis: ICMP (Internet Control and Error Message Protocol) is a protocol encapsulated in IP packets. Its principal purpose is to provide a protocol layer able to inform gateways of the inter-connectivity and accessibility of other gateways or hosts. "ping" is a well-known program for determining if a host is up or down. It uses ICMP echo packets. ICMP timestamp packets are used to synchronize clocks between hosts.
Consequences: Unauthorized users can obtain information about your network by sending ICMP timestamp packets. For example, the internal systems clock should not be disclosed since some internal daemons use this value to calculate ID or sequence numbers (i.e., on SunOS servers).

Solution: You can filter ICMP messages of type "Timestamp" and "Timestamp Reply" at the firewall level. Some system administrators choose to filter most types of ICMP messages for various reasons. For example, they may want to protect their internal hosts from ICMP-based Denial Of Service attacks, such as the Ping of Death or Smurf attacks.

However, you should never filter ALL ICMP messages, as some of them ("Don't Fragment", "Destination Unreachable", "Source Quench", etc) are necessary for proper behavior of Operating System TCP/IP stacks.

It may be wiser to contact your network consultants for advice, since this issue impacts your overall network reliability and security.

This took our hosts all of 2 minutes to resolve and for us to remain compliant. So far being compliant has not cost us a single penny, and surely, despite all the childish tantrums, being PCI-DSS compliant and resting easier in that knowledge is better than being liable for potentially a fortune?

Rich Brady
17-Feb-2009, 02:22 PM
Simon, if you are who you say you are, give us a link to your Actinic e-commerce PCI-DSS compliant website and let us learn from you...

parklifeclothes
17-Feb-2009, 02:24 PM
Where's GAViN when you need him??

bcomp
17-Feb-2009, 02:57 PM
What does it achieve, looking at my site? It achieves nothing, and as for learning, surely the fact that you are now even slightly considering the ramifications for your own business or your clients' business is enough, and if any of you now take security seriously and do not simply assume the responsibility for your business lies with a third party, then that is more than enough of a wake-up call.

The simple fact here is all anybody needed to do was call or email your PSP support and ask: if your site is compromised via some form of hack, customers' details are captured using some form of script injection, the customer is presented with a phony payment phishing page and their details are then used fraudulently, who is responsible? You would all have the answer so many here are so confident they already have, and therefore I have no idea why they are so upset.

grantglendinnin
17-Feb-2009, 03:00 PM
Hope you're not sitting in the security-scanning firm's offices; vBulletin has an in-built IP tracker. I'm surprised Actinic haven't already clicked on to your evident tirade against Actinic Payments and the use of Actinic software.

This is almost like a History lesson, where the lecturer says "On April 30th 1945, Adolf Hitler committed suicide after learning of the advances made towards Berlin". The kid asks "How do you know he killed himself?" "Because I do".

That's the same scenario you're giving - without proof of what you have to say, your revolution is neither here nor there.

leehack
17-Feb-2009, 03:02 PM
People in glass (or is that dolls Simon ;)) houses shouldn't throw stones.

parklifeclothes
17-Feb-2009, 03:03 PM
How topical, just got yet another email from Barclays

Dear Sir/Madam,

Further to our previous communications regarding the requirements of the Payment Card Industry Data Security Standard (PCI DSS) programme, you need to inform us urgently of the steps your business is undertaking to become compliant under the rules of the scheme.

If you require any further information about PCI DSS compliance and your obligations under the scheme, please cut and paste the following link into your browser:

http://www.barclaycardbusiness.co.uk/information_zone/security/pci_dss.html

Why you need to be Compliant
If your business is found to be non-compliant with PCI DSS and customer data which you or your third parties have handled is proven to have been compromised, stolen or used fraudulently, you are liable to receive fines from Visa and MasterCard, in addition to facing substantial costs for forensic investigations, issuer losses, and reputational damages.

What you need to do
If you have already completed a Self Assessment Questionnaire or used an alternative Qualified Security Assessor, please send your evidence of PCI DSS compliance by email to pci.barclaycard@securitymetrics.com, attaching the relevant documents that prove your compliance including your self assessment questionnaire v1.2 A, B, C or D, and network vulnerability scans if you have an e-commerce presence.

Need help?
Our accredited partner, SecurityMetrics, can help you complete your SAQ. To enrol simply click on the link from the Barclaycard website in the useful links section. Please note a small charge applies for this service.

Alternatively, if you would like to contact a Qualified Security Assessor (QSA) to help you complete your assessment please visit https://www.pcisecuritystandards.org/pdfs/pci_qsa_list.pdf

For further information or advice please call our accredited partner SecurityMetrics on 0844 561 1662* (lines open 09.00am to midnight Mon-Fri. Please have your Merchant Identification number to hand when you call).

Regardless of whether you enrol with SecurityMetrics for their technical services or just notify them of your compliance status, we ask that you please respond to them by February 19, 2009.

We thank you for your cooperation in making credit card transactions more secure for you and for your customers.

Yours faithfully,

PCI DSS Programme Director
Barclaycard

Darren B
17-Feb-2009, 03:04 PM
Simon

I don't agree, and you have failed to answer any questions put to you. Please go and annoy another forum with your wild claims. You have been asked to back up what you say, not because people are considering it but because people know you're talking rubbish.

The knowledge on this forum heavily outweighs yours, and as such I doubt anyone would be taking you seriously.

NormanRouxel
17-Feb-2009, 03:39 PM
...assume the responsibility of your business lies with a third party...
Of course that's what you do when you rely on an external firm to tell you daily that you're PCI DSS compliant. What if your compliance checker itself is hacked / erroneous / incompetent / fraudulent?

bamboo
17-Feb-2009, 03:42 PM
Blimey!
Mr Know All Hack

I like this term even if it is meant to be derogatory :D.
Lee has helped more people with his no-bullshit, 'call a spade a spade' approach to answering some truly inane questions. He, along with many, many others, does this day in, day out for no financial recompense.

He doesn't need defending but I thought I'd chip in anyway.

Darren B
17-Feb-2009, 03:46 PM
OK, had a short email from the PCI-DSS council, and this is what they said to my question about ecommerce sites using a PSP and the need for PCI-DSS:

"All merchants who store process or transmit credit card data must be PCI compliant. However, PCI does not manage the merchants compliance. This is done at the Credit card brand level. I would recommend you go the credit card brand websites for that type of information."

So I presume this would mean my merchant service provider - Streamline in my case - or Visa and Mastercard, who all say it is not required.

And Streamline tell me this:

If you use a PSP and your integration method means that your web shop software and back end systems do not store the card data on your systems then compliance with the standard will be undertaken by your PSP. You should ensure that they are compliant or working towards compliance.

However, Streamline would recommend that you still carry out a review of your general data security practices on a regular basis.

However if you use a PSP but your integration method still enables you to capture the card details on your web shop software and back office systems then you will still need to comply with the standard. If you have any doubt on the nature of your PSP integration please contact your PSP to confirm your type of integration and if the standard applies to you.

If you also process face to face and/or MOTO transactions it is likely that you will need to become compliant with PCI DSS irrespective of your PSP integration method

But I guess, Simon, this is all wrong as well?????

bcomp
17-Feb-2009, 03:50 PM
Of course that's what you do when you rely on an external firm to tell you daily that you're PCI DSS compliant. What if your compliance checker itself is hacked / erroneous / incompetent / fraudulent?

It would be their responsibility.

bamboo
17-Feb-2009, 03:57 PM
Bloody hell
I've just Googled "bcomp pci compliance" and page 7 of this thread is already top of the search :eek:

Mark H
17-Feb-2009, 04:11 PM
Visa's take on the situation:

http://www.visaeurope.com/documents/ais/merchants_guide.pdf

Quote:

"For example, if you do not actually store any cardholder account data in your own systems, it will be up to any payment service providers that process transactions or access card data on your behalf to validate compliance."

NormanRouxel
17-Feb-2009, 07:16 PM
It would be their responsibility.

Now here's a chance to prove that. Please post an authoritative statement from a compliance checker stating that they would indemnify their customers against all losses caused by their errors / omissions. I bet you'll find terms and conditions stating just the opposite.

leehack
17-Feb-2009, 07:26 PM
Good point. I suspect they will have the same clauses as an MOT station, in that 20 seconds after your car passes an MOT your wheel can fall off and your brakes can fail with little or no comeback. How could a free service ever indemnify you against anything? The whole thing seems to be one big farce: it came into force 10 months ago, thousands are not doing it, and who has heard of anyone getting caught by it yet? Anyone?

cbarling
17-Feb-2009, 08:43 PM
I'm closing this thread.

There are a number of good points made by all of the parties contributing.

However, unfortunately the tone of many of the postings was more conducive to heat rather than light.

I've now edited the thread to remove the off topic comments and insults. I've tried to keep the gist of what everyone said, if I've misinterpreted anyone, please email me at cbarling (at) actinic.co.uk and I will endeavour to put it right.

If we continue in a new thread, please can we conduct the discussion without the personal abuse?

Chris
Actinic

cbarling
25-Feb-2009, 11:03 AM
Please see http://community.actinic.com/showthread.php?t=41266

Chris