Hmm... I need to find out myself. I don't know what the answer is. I'll do some research and get back to you if I find a decent answer. You should email the people at Verisign as they probably could assist you.
Thanks again for your continuing info!
Yepp, got SSL (a "generic" one provided by my web hosting package, but I think I'll get my own for the sake of image).
Although I expect that I ... be PCI-compliant and that free scans would confirm this, Moneris is telling me that I have to acquire a PCI certificate, and they are recommending a company called Ambiron Trustwave. From the Trustwave website it sounds like it's pretty involved, requiring quarterly remote re-scans, etc., and that my service provider's server must also be PCI-compliant, and on down the line. This is kind of making my hair stand on end. Maybe 3M can afford this, but can I?
Is it this PCI-certificate vendor, then, who will provide the PCI self-assessment questionnaire? Are you saying you think they would settle for this questionnaire and the results of a free scan (or an inexpensive scan from them)?
On another thread, from 2007 I think, I read that a company was offering a "deal" on PCI certification for $250 - and I assume the costs are ongoing. It sounds pretty steep!
You can use something like HackerGuardian for free; it gives you all the needed tools.
They are a Standards Council Approved Scanning Vendor (ASV).
Since you are a level 4, this should suffice: Annual Self-Assessment and Annual Network Scans.
I'll look into HackerGuardian and continue my research...
FYI: Just tried the FREE PCI scan from HackerGuardian; it's a gimmick. You spend all this time faxing over paperwork after you sign up to verify this is your web site, then they scan your web site and say compliant or not. No details, no recommendations, nothing... Then if you actually want to know any details of what is in that report you pay them. I spoke on the phone to one of the reps for their company to confirm this, and yes, you do have to pay to see ANY details... On the plus side it looks like it is only $79.00/yr for testing, which is pretty cheap...
Thanks for sharing your experience, Keith.
Now here's "the rest of the story" (well, so far)...
Got home from a four-day holiday and figured that it's time to get on with this. Moneris (our credit-card acquirer, the largest in Canada) really pushes Trustwave for these services, and calls them their "Trusted Partner Company". Perusing Trustwave's "Trustkeeper" options more thoroughly, I saw that they offered a package deal on Level 4 PCI plus SSL - both of which I need - for $394 per year. I bet these rates go down as the competition heats up, but since Moneris prefers this company, I thought it was prudent and likely to go the smoothest if I purchased the services from them.
Through the Trustwave web site (Quick Order page), I created an online user account and was ushered to the menu of packages, put the one I wanted in my shopping cart, and proceeded to checkout. Tried one credit card (which I suspected was full) and it was declined. Tried my less-full one, and it was approved for the $394. Fine. On the next screen an order summary appeared that said the amount of the order was zero (so I thought perhaps they had simply done a pre-auth until I actually complete the process for the SSL) and the order date was December 31, 1969 - which was indeed odd. There was a button to push to view a printable receipt.
Well, during the user registration I had chosen a password, but not a user name (I went back to that screen just to check), so I had to guess what they might have used for a username (my name? company name? email address?). Anyway, I finally gleaned from another screen elsewhere on the web site that they use the email address as a username ... but that didn't get me in! Although I knew my password, I finally tried entering my username in the "lost password" screen - and it said it had no record of such a username.
In addition, no confirmation emails came to the address I had designated, although at several steps I had been informed that I would get some.
Next thing was to call the "Insanely Great Support" 866 number they offered (anyone know if this is toll-free?). A mumbly guy answered directly, as if he was in his kitchen, and I got the impression he thought I was a bird brain. He could find no record of my application for a username and password, nor of my credit card transaction (which had been "approved", so I assume that something had to have been put through to my credit card, even if it was only a pre-auth). He insisted that if my credit card had been processed he would "have the slip" (have the slip?), that there had already been a couple that morning but not one from me, and that I should just go through the whole procedure again.
I hung up and thought about it. I decided that I would definitely not put through my credit card info again, until I found out for sure what had happened the first time.
But I saw no harm in at least trying to open a user account again, and this time I tried this from another screen, the "user account" screen instead of the one associated with the shopping cart. It seemed to take my info, and it even sent me a confirmation email. But when I tried to access my "account" (even by using the links provided in the email) all I got was "username unknown."
I called the "Insanely Great Support" number again, and got a guy who seemed more helpful. Still, he could access no information whatsoever. He said someone higher up would give me a call, and left me with the suggestion that I contact my credit card company if I was convinced a transaction had gone through.
This I did. My Mastercard company confirmed that a purchase for $394 had been transacted today by a numbered company in San Antonio. As the transaction was so fresh, Mastercard said they could give me no further information, nor cancel it.
Well, Trustwave is in Chicago, and none of their published contact addresses is in San Antonio. At this point I was beginning to wonder if, ironically, the very company who wants money to certify the security of my procedures has itself allowed its system to be hacked.
Made another call to the Insane ones at the 866 number. Got a very slow talker, who did not seem to recognize the names of the others I had been talking to. He tried to be reassuring and said that Trustwave had joined forces with SecureTrust, and that the web site currently has more than one entry portal for user account registrations and purchases, and that this was not the first time that customer information had been misdirected within the company. He said he would direct my inquiry to "the Finance department", who would surely have a record of my transaction, which could then be entered manually and all would be well. As it was nearing the end of business hours, he suggested that I would likely hear from them tomorrow. All this took an incredibly long time for him to say.
After I hung up I decided to try to raise the Finance dept. on my own as it was not 4:30 yet. Called the "General Inquiries" number for Trustwave, several times, and only got a fast busy signal.
What would you think?
Fortunately, the Mastercard I used is now at its limit, so if thieves have my number they can't get much more than they already have.
I'll update this tomorrow. I still have a vague hope that it's all explainable. This is the company that Moneris wants me to deal with, and I'm not sure Moneris will accept a PCI cert. from any other. Sigh...
Had a look at the Trustwave website and the solution seems to include an SSL certificate, PCI compliance scanning and certification, as well as a trust seal you can show on your website. If this is correct then the price quoted seems OK (other trust seals, hacker seals, etc. usually start with a higher price just as a standalone service).
But one thing which did actually give an impression that this is a "boys' backroom" style business as opposed to a large professional business was that their own web site just has a low assurance SSL certificate...
This post has been edited: 01 May 2008, 07:23.
Hi Nick and all,
Yepp, that's an interesting observation about the SSL cert. on Trustwave's own site. Well, my own website makes me look "as big as Chrysler", but again, it's just two people. So, there's no telling how big Trustwave actually is. Glad to hear that their prices are competitive.
Trustwave does seem to be a major player in the SSL and PCI-cert market, and has bought out several smaller companies, which apparently has given rise to their difficulties with their web site and their own credit card processing. Both Moneris (Canada's largest credit card acquirer) and Authorize.net direct their customers to Trustwave for these services.
Last night I sent an email describing my difficulties to every e-mail address on Trustwave's and SecureTrust's site, and I received a very apologetic e-mail and phone call early this morning. My info was not hijacked; they have it, and they just mishandled it. They're fixing the problem and things should be back to "normal" by this afternoon. I hope so.
Just shows to go that even the "biggies" can have these problems. I hope my customers will be patient with me if I ever charge their card and temporarily misplace their order - well, I admit it has already happened a couple of times over the years, but at least it only takes one phone call from our customer to fix the situation ("sorry! + we'll send you some bonus stuff!"), rather than a whole day of calls and emails.
Well, time for some Weeties...
Just thought I should pop in here A.S.A.P. to report that TrustWave (a.k.a. TrustKeeper) has indeed gone to every length to rectify my problem and to compensate me for my time and consternation.
I am quite satisfied now that this was an unusual situation, and their response today was gratifying. It looks as though they have already patched up the holes in their system that allowed the situation to occur.
So, back to the process as it should have been from the start...
Naturally, as of today (May 1, 2008), a new and more complicated system of compliance questionnaires has been enacted. One must select from four or five questionnaires, to suit one's business model. I found I had to go for the most complicated one (230 questions), because I do store customer info on an off-line PC. Took me about 2 hours to answer all the questions, many of which were not applicable (there is often a box to tick for this). But I answered it all honestly, and apparently the questionnaire has already met with approval.
The next stage is the network scan, which is scheduled for tonight. I'll keep you posted.
This post has been edited: 01 May 2008, 20:25.
We passed the system scan and now have our PCI Certificate of Compliance.
I have the impression from the scarcity of forum posts on this topic that I am one of the first Level 4 (i.e., small) merchants to be obliged to go through this process, but if I read things right, most or all small merchants (anyone handling credit card data in any way) will be asked to provide proof of PCI compliance by the end of 2008. VISA and Mastercard have spearheaded this process in order to maintain the integrity and trustworthiness (and hence profitability) of the credit card payment system. Almost all merchants are "going electronic" now, which could spell doom if they were to become a hacker's paradise.
To summarize, here's the process of PCI certification as I experienced it (minus that hiccup where my order went awry):
1. My credit card acquirer (Moneris) required me to provide proof of PCI certification as a condition of granting me online credit card processing services.
2. They strongly recommended their "Trusted Partner Company", Trustwave, for these services.
3. I perused the Trustwave website, and made inquiries, and found that I could purchase "SSL (OV) + Level 4 PCI Certification" for $394 per year, in a bundle that included an attractive web site seal. As I needed SSL as well, I went for this package, although I am sure one can order the PCI Certification separately.
4. Trustwave's PCI Certification program is called "Trustkeeper", and I was given a username and password for the Trustkeeper web pages.
5. Info: PCI Certification for Level 4 merchants involves filling out a yearly self-assessment questionnaire, and undergoing a quarterly "remote system scan". No onsite inspection is usually required for Level 4 merchants - that's just for the biggies.
6. Lots of instructions are provided on the Trustkeeper site. There is now a choice of four or five different questionnaires, depending upon your business model. If you store absolutely no credit card information on-site, then you may complete one of the shorter questionnaires. As I do store some info electronically (on a stand-alone PC), I felt I should complete the long one - 230 questions. But it wasn't hard, and took about 2 hours.
When done, I clicked to send the questionnaire, and a half hour later when I logged back in to Trustkeeper, there was an indication that the questionnaire had passed. Whew. You may review your questionnaire and your answers at any time through Trustkeeper. The questionnaire itself was a learning experience and made me extra-aware of security issues, as I am sure it is intended to.
7. On to the remote system scan. I don't know why, but it is recommended that you back up your files before this is done. My web site is remotely hosted by Bell web hosting on a shared server, so I backed up my web site files to my local PC (they usually are anyway). You may schedule the time of the scan, so I scheduled it for the middle of the night. You must provide at least the IP address of your website (maybe the URL will do).
I input these. I wasn't sure of my mail server, so I left it blank.
8. When I got up this morning and checked Trustkeeper, I saw that I had passed the remote system scan. Whew again! Viewing the detailed report, I could see that the scan also identified a third server, plus my mail server. These servers only had minor insecurities, and passed with a wide margin. Recommendations are given that you may pass on to your web hosting service, if you think they would like to optimize security. I suppose that if glaring insecurities had been found, I would have been required to get Bell to fix them ...
9. Upon PCI certification, Trustkeeper provides PDFs of the "Detailed Report" (64 pages long), the "Summary Report" (2 pages long), and a cute "Certificate of Compliance", which is what your financial services folks probably want to see.
10. That's it for my adventure with PCI. Now I can get back to designing my pages!
This post has been edited: 02 May 2008, 14:39.
I've gone through it as well. I'm using ControlScan and it's $19 a month for weekly scanning. They tell you how to correct the errors as well.
My concern is that we should not have any emulation of globals on, and you can't have it off or osCommerce won't show up. That's my problem now...
I think I have gotten more confused about all the PCI Compliance regulations the more I look into it.
I discussed scanning our osCommerce web site with Trustwave, and it's almost $10k for 1 scan!
Now, I am talking about an application scan. It sounds like previous discussions only involved a network scan, which would basically be a scan of the host.
But PCI requires that an application be as guarded as possible against exploits and vulnerabilities, and I don't understand how that could be said without an application scan.
Do you know if the scan you had performed was a network scan or application scan?
I love osCommerce because of its flexibility and ease of modification, but I'm not sure that we'll be able to use it any longer, due to the costs of having it certified for PCI compliance.
TrustKeeper scans my network once a month. As you have read, I also completed a questionnaire. After my initial scan (which I passed), they provided me with a certificate of PCI-compliance, which was what my financial services provider (Moneris) wanted to see. Then I was up and running.
The cost was $400 per year, in a package that included SSL as well.
The scan is very thorough and a detailed report is provided after every scan. It certainly uncovers vulnerabilities in the web site itself (this is where osCommerce comes in). A "cross-site scripting" vulnerability was discovered in my web site in July involving the osC page /catalog/advanced_search_result.php. This caused me to fail my scan. I really didn't need advanced searching anyway, so I simply removed that function, and the page, from my site. Problem solved.
Also during the summer, my web site failed a scan due to some vulnerabilities in the "FrontPage extensions" that my service provider had automatically added to my web site functionality. With the help of my ISP we weeded all that stuff out (I don't use FrontPage anyway), and now I am passing my scans again.
From the looks of the reports, Trustkeeper scans the two servers on which my page is hosted, plus scans my site's IP address itself. I am not very knowledgeable beyond this point.
Anyway, this type of "network scan" is all I am required to get, and all TrustKeeper offered me. I am not sure what you mean by an "application scan", but I don't think any of us on the forum has found it necessary.
Hope this helps!
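Removing the advanced search page, as described in the post above, sidesteps the flaw rather than correcting it. The following PHP is an added illustration for this thread, not osCommerce's own code and not a description of the actual advanced_search_result.php defect: it shows the general pattern a scanner reports as "cross-site scripting" on a search results page (a search term echoed back into the HTML unencoded) beside the output-encoded version that passes. The function names and the sample query are constructed for the example.

```php
<?php
// Added illustration, not osCommerce's own code. Function names and the
// sample input below are constructed for this example.

// Vulnerable pattern: the keywords value is concatenated straight into the
// page, so any markup a visitor (or a link they were sent) puts in the
// query string is rendered by the browser as markup. This is reflected XSS.
function render_results_unsafe(string $keywords): string
{
    return '<p>Search results for: ' . $keywords . '</p>';
}

// Corrected pattern: encode the value for an HTML context before it is
// written out. ENT_QUOTES covers both quote styles, so the same helper is
// also safe when the value lands inside an attribute.
function render_results_safe(string $keywords): string
{
    $encoded = htmlspecialchars($keywords, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p>Search results for: ' . $encoded . '</p>';
}

// Check used below: after stripping the fixed prefix and suffix, does the
// rendered body still contain characters a browser would treat as markup?
function leaks_raw_markup(string $html): bool
{
    $prefix = '<p>Search results for: ';
    $body   = substr($html, strlen($prefix), -strlen('</p>'));
    return strpbrk($body, '<>"\'') !== false;
}

// Constructed sample input: a plausible shopper query containing exactly the
// characters that must never reach the page unencoded. Taken from the query
// string when served over HTTP, with this fallback when run from the CLI.
$keywords = $_GET['keywords'] ?? 'wool "blue" <sweater>';

foreach (['unsafe' => render_results_unsafe($keywords),
          'safe'   => render_results_safe($keywords)] as $label => $html) {
    printf("%-6s leaks raw markup: %s\n   %s\n",
        $label, leaks_raw_markup($html) ? 'yes' : 'no', $html);
}
```

Run it with `php` from the command line, or serve it and pass `?keywords=...`; the unsafe rendering reports that raw quotes and angle brackets reach the page while the safe one does not. The rule the scanner is enforcing is encode-on-output for every context (HTML body, attribute, URL, JavaScript); for an installed osCommerce shop the practical remedy is to apply the project's own updates to the affected page rather than patching it by hand.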
Ok, it's good to hear that they were trying to exploit osCommerce during the scan; that's what I'm looking for!
I was uncertain if the network scan would only involve looking for open ports, bad firewalls, etc. (stuff I really have no control of at our host), or if it would try to exploit osCommerce as well.
osCommerce is a web application, just viewed through a web browser instead of running on your local PC like Word or something else. Without knowing what all their network scan encompassed, I asked Trustwave about scanning our web application (osCommerce), and that's when they threw this $10k figure at me!
I'll talk with them a bit more, because if there's a way to continue to use our osCommerce shop that we've spent so much time on (without spending $10k...), I want to go that route!
Thanks for the reply! I'll let you know how it goes...
Glad the info was helpful. I'm sure that the network scan is all you need. Assessing an application for vulnerabilities (which would include predicting all the unstable environments that application might be launched on, etc.) would indeed be very involved, and I'm not surprised they would want 10K for that.
But yes, TrustKeeper's network scan does indeed probe into all the osCommerce files one is using, to see what vulnerabilities a hacker might exploit. Glad you are reassured. And yes, do let us know how it goes!
Hi, I was looking at these posts and remembered what I had heard from friends who attended a recent PCI meeting in Florida. Interesting enough is the FACT that a merchant (ANY merchant) can use ANY security vendor they want to use as long as the "report" is completed by a PCI ASV company.
The real kicker is this:
1) You as a merchant can choose whatever ASV you want to assist you.
2) It's the QSA behind the curtain (they are the one telling Moneris to tell all its customers to use TrustKeeper) and most likely are taking a piece of your money to do so!!!
3) TrustWave cannot tell Moneris that they will not accept the work of your SELECTED ASV or the scan/validation report provided by that ASV. Unless it is "expressly written" in your contract with Moneris (which would be unfair business practices) then you can use ANY ASV you want to.
If ANYONE tells you that you MUST use a certain ASV and that another will not be acceptable..... you should immediately complain to the PCI council as this type of behavior directly violates the agreement all ASV and QSA companies have signed with the PCI council.
If enough people turn them in........everyone will be able to get the best service for the least money........instead of lining BOTH of their pockets.
Here's the 411 to report such things:
PCI Security Standards Council, LLC
401 Edgewater Place
Wakefield, MA USA 01880
I suspected that what you write was true. As I said, Moneris "really pushed" Trustwave - but they didn't force me (who knows if they would have tried ... I didn't put up any resistance).
As far as I'm concerned, the whole PCI certification racket, despite the need for security measures, is the equivalent of the wild wild west right now. It's every person for himself. I expect the dust will settle eventually and more effective, clearer, and probably cheaper options will come along.
I'm not so sure this is accurate. Even if your site/database does not store credit card info, it may still fail compliance. Why? Because when you are transporting this info from the user to the web site (before the data is passed to the processor's gateway, e.g. Authorize.net) chances are high that your web hosting company is using SSL 2.0, which will trigger a failure.
So your options are to find a host that will disable 2.0 and has 3.0 available (or a dedicated server) OR you can use a third party payment page (like PayPal or WorldPay), which really means that you are not processing directly on your web site at all...
I think this is what toyicebear meant by "payment gateway" in his post above. If the customer enters their information on the payment gateway's page (as in most forms of Paypal from what I understand), then the merchant need not go through a PCI-compliance certification or get SSL (although I think SSL is a good idea anyway).
As I have not seen many posts here about the PCI certification process, I assume this is what most osCommerce merchants are doing, and it must work fairly well for them.
Unfortunately, "payment gateway" is not well defined as a term, so the information here on the forum can get confusing.
I am in Canada and use Moneris as a payment processor. In my case, the customer info is collected directly on my site, and so Moneris required me to get PCI certification and SSL before I could activate my store. The advantage is that I have almost complete control over the "look and feel" of the payment process pages, and that I can check the orders before the transactions go through to Moneris.
Moneris also offers the option of using their "Hosted Paypage", meaning a system similar to Paypal where no PCI certification or SSL is required at the merchant end. Unfortunately, they offered no installation support for this option, so I never explored it and can give no further info on it.
It is Wolfgang again,
One more question on the PCI compliance you have passed so simply. I have the same thing going right now, via Elavon processor with TrustKeeper.
I passed the questionnaire just fine. The scan is a total disaster, mostly because of way-over-my-head web hosting problems; I am with BlueHost and their Unix/Linux server situation does not conform with PCI.
I put a ticket in with them but it looks like a long process; I have 40 issues, 6 violate PCI security.
I am tempted to forget all the headache and just go with Google Checkout. If you or anyone else out there knows if that is a way to be somewhat compliant, let me know please!
I'm sorry you are having trouble with your web hosting company.
It might not be a long process for them to correct their security issues - it all depends on their skill and how badly they want to keep you as a customer. Six PCI issues is not too bad - I had three with Bell web hosting in the summer, and between their efforts and my own, we fixed them.
But if BlueHost won't co-operate, you're right - you'll either have to get a new web hosting company or go with an option that side-steps PCI compliance.
Best of luck!
P.S. - I just Googled "PCI-compliant hosting" and saw quite a lot of listings.
This post has been edited: 15 December 2008, 04:54.
Thanks again Wendy, I also just got Google Checkout working, so between all these options.....
PS: Here is the kicker: Elavon lets you be non-compliant for $20.00 a month after March 2009. Does that smell fishy???
I also have my web site hosted with BlueHost and I've received an affirmative PCI compliance report from HackerGuardian.
I signed up for their free PCI compliance scan and it initially did not pass due to a false positive related to mod_FrontPage. BlueHost support assured me that the security mods had been backported to the version of mod_FrontPage that they are running. I passed this on to HackerGuardian and also informed them that, although BlueHost allows it, I do not nor will I ever have FrontPage Extensions enabled on my site. Shortly after making this report to HackerGuardian, they issued the affirmative compliance report.
I don't know if this has a bearing on your results or not but I do have a dedicated IP address and my own SSL certificate. I suggest that you have HackerGuardian run a scan for you and see what the result is. I realize that you may have already paid the $135 fee that Elavon says it will charge merchants for the TrustKeeper service (I haven't been charged yet) but using a different Qualified Security Assessor may be simpler in the long run.
Related to this topic, I have begun trudging through the Self-Assessment Questionnaire D to figure out what I need to do to be able to honestly answer the questions in a manner that will ensure compliance. One of the questions asks if I have an Information Security Policy in place that addresses all of the DSS issues. At present, I don't have a written policy and don't relish creating one from scratch. Does anyone have a template or sample conforming IS policy that they're willing to share?
First, I want to say thanks to Wendy for a truly great and informative thread. This has really helped me to get my head around the issues.
I've just been helping a Canadian client to sort these options out with Moneris (getting PCI compliance as you did versus using their hosted payment page). They've finally decided to go with Moneris' hosted payment page and one of the reasons is the following, which I thought may be useful information for anyone else exploring these issues.
According to Moneris tech support, it's perfectly acceptable to use a hosted payment page within an iFrame on your osCommerce installation (or any other page for that matter). This would enable us to keep our pages and URLs on our current web site while still getting the advantage of offloading PCI compliance and liability to the Moneris server.
So, in our case, we're configuring the hosted payment page to look very simple... no images, no branding, plain white... and then we're including it into our site's pages as an iFrame and it's invisible to the visitor.
One important point though, in order to ease customer anxiety, is to still use SSL with a valid security certificate, so that the page used to include the iFrame will show as secure for the visitor while they're entering their info. You could still do it and it would work without SSL, but it wouldn't look secure.
Anyway, I know this isn't exactly on topic for your thread, but the issue of hosted payment pages came up enough in the discussion that I figured this might be helpful to some people.
Thanks for the info, Jade! That really clears up the issue of how the Hosted Paypage implementation will look to the store customer.
I'm curious (I know this is a little off-topic) - I went with the Moneris PHP API instead of the Hosted Paypage because there was already an interface written for it, that was available via Moneris or even right here in Contributions. I just didn't know how to "connect up" the Hosted Paypage with the osC shopping cart. Has an interface been written, or did you do the coding yourself? Moneris Tech Support was no help to me on the, but then again, at that stage I just didn't know what to ask.
If you choose to do this, you should be aware that some customers will be using browsers that block all IFRAME use. This is generally a wise thing to do since miscreant hackers can use IFRAME via a poisoned web site to download a trojan to your computer. I use FireFox with the
plugin that, among other things, blocks IFRAME constructs. Generally speaking, if I visit a web site that requires the use of IFRAME (or requires popups to be enabled) in order to place an order I usually move on to another alternative site.
I am a little late responding to your post; the issue frustrated the heck out of me. I have contacted BlueHost and some of the issues seem to be resolved. But I am looking at the scan, not exactly a script writer, and the issues leave me mostly puzzled.
I passed the questionnaire 100% but the scan still has at least 4-5 non-compliant errors. The problem is, I am trying to run a business here and don't have the time to brood over Linux/Unix SSL problems.
So for the next few months I will just pay my fees (may I call them bribes; compliance for $20.00 a month, depending on your processor).
The other option is to use a host that is PCI compliant, but most of their web hosting fees are more than that $20.00 a month that my processor is asking for... and their server space is lousy.
In the meantime I am trying what you are doing: complying a little every scheduled Elavon/TrustKeeper scan and paying my dues at this so-called safety game.
I'm not a BlueHost user, but most of the folks here seem to feel that BlueHost has pretty good customer service. I would simply forward the results of the latest scan to them and ask them to fix the remaining issues or alternatively to write down a simple explanation of why they are not actually security issues. These explanations may satisfy your QSA and you will receive a full pass (and save your $20 per month).
I agree it's a bit of a safety "game", but courage! Don't give up!
I did that already and Bluehost gracefully responded; they indeed have good customer service and I would love to stay with them.
They did address all the problems of the scan and I forwarded their response to TrustKeeper, and got one issue dismissed. They did not accept three of Bluehost's explanations.
So I just play the game; at my next scan I will forward it to Bluehost again and then the response to TrustKeeper till one of them gives....
I have till March to comply; in the meantime I have Google Checkout working, always had Paypal, and if worse comes to worst I can run my sales that way.
I also have an Elavon terminal here at the nursery, which I could use by typing numbers in, but collecting cc-numbers is actually what we are all trying to avoid.
So thanks again... I am not giving up easy.
Which questionnaire did you use? As best I could determine, we online merchants must use the more involved SAQ-D and mark appropriate entries with "does not apply". Under my interpretation of the questions of SAQ-D, however, I need to have several written policies in place that cover all of the issues addressed by the PCI compliance process. I sure would like to get a set of sample policies to use as a starting point.
This post has been edited: 05 January 2009, 01:54.
I am not tech savvy so I can't give specific tech support but I can tell you our experience. We are hosted by iPower (I am not recommending them to anyone but that is who we are with). They were not helpful as far as PCI Compliance goes and they were not updated as to who needed to be PCI Compliant. That being said, I never have had uptime issues with them etc., so I bit the bullet and worked out my PCI issues at that time myself.
I paid a company called Security Metrics (through my merchant account) and failed my first scan of my website. We talked to so many tech people, merchant people, our bank merchant tech people, on and on, and found out that the problems we were having would still exist even if we sent all our customers to PayPal, so that was not an easy fix.
We were recommended many times to use a gateway but we are not a big company; our web sales only account for 10% of our business, so a gateway was outrageously expensive and would not be an answer either.
So, I dug in with both hands, followed some osCommerce support threads and fixed the issues with my web site and passed my next scan. We were so happy....then the other shoe fell; we were just scanned again for our quarterly check and lo and behold now there is a new problem and once again we failed our scan, after being compliant for 4 months. We were told it was upgrades...except when putting in the error and risk verbiage, I found that others had this issue in 2006.
Bottom line, it is a money-making racket and a lot of bunk for nothing. This new "risk" is only something that our host provider can fix! It has to do with our SSL certificate and socket layer credentials. *Whatever* it all comes down to this: Visa/Mastercard are tied in with merchant companies, who are tied in with PCI compliant security companies, who are all shoving their hands in our pockets. You see, if you are not PCI compliant, you pay your merchant a minimum of $20.00 per month until you are compliant; most of that fee goes right to Visa/Mastercard. Also, if you keep passing all your scans, you may get complacent and not keep paying a scanning company... So, it is in credit card processing companies' and Visa/Mastercard's financial interest to continue to screw with you and keep failing you for new reasons.
And why are we all going through this? Because Macy's, JCPenney, Sears, and a number of other gigantic companies had hackers get into their credit card databases. Not even the same databases that we all use.
So, why write this post? Be ready for a long on-going problem with PCI compliance. If you are small fish like us, it will be an agonizing situation!
I'm sorry you have had so much trouble. I agree that it appears to be a racket. Doing business has been fraught with similar rackets since the dawn of time. Some of them have been called "protection rackets" - where you had to pay the local thugs, or they would stop you from doing business.
How is this different? I dunno. If it gets too bad, some new thugs will surely come along with a "cheaper" solution...
PCI DSS 6.6 requires you to secure your code from vulnerabilities, and the other option is to install a web application firewall on your server.
Let me know if you have questions about it,
This post has been edited: 05 February 2009, 17:21.
Looks to me you are a spammer. Am I wrong?
Lol, this thread gets better and better. PCI = pretty crappy issue.