snubbr.com

Is it illegal to sell online without a Verisign SSL certificate for the online store site?

My 1st question is: Is it illegal to sell online without a Verisign SSL certificate for the online store site? Thanks in advance for any answer or 2. Another question I got... Hi, all. I found a thread on PCI compliance, but it did not address a fundamental issue for me, which I believe is sufficiently different to warrant a separate thread.

I have a client site that needs PCI compliance for their osCommerce store to avoid penalties/fines. I have searched Google, but have found little in the way of options for PCI compliant hosting and NOTHING on PCI+osCommerce. Does anyone have a recommendation for a host that they are currently using that is both compatible with the current OSC distro and has a PCI compliance option/standard?

Thanks in advance!

Comments (138)

Yup, but... you might wanna make sure and wait for someone else here to confirm this as I am not confident. Better yet, why don't you e-mail the Verisign guys because they can give you help better...

Comment #1

It's not so much your host as it is your payment gateway...

Comment #2

Should I pay for McAfee Security PCI Compliance? Is osCommerce PCI compliant with PayPal Pro?

Comment #3

It seems we're skirting Michael's question. His client's arrangement, like my own, requires that his site pass a PCI-compliance scan. In my case my credit card acquirer, Moneris, required that I get a PCI certificate before they would give me the activation codes for my store. There's nothing unusual in this.

Michael, the best place to look will be hosting companies that specialize in hosting business-related web sites. Just ask the host if their hosting arrangement passes PCI scans. They will know what you are talking about.

The company I use here in Canada is Bell Hosting. In the odd instance where I fail a scan and it is due to an issue on their servers, they are most helpful in solving the issues, as they wouldn't want to lose business.

Hope this helps,

~Wendy

Comment #4

Lola, thanks for your reply. But unfortunately this assumption is not accurate. My client has failed a PCI scan and the domain ONLY contains a static website, a Blogger blog and an OSC site. In fact, this site does not store any CC data - it only passes data thru Authorize.net.

The issue has to do with the server configuration.

To get specific, the scan that was conducted on my hosting platform (Mosso) resulted in the following points of failure:

Here are the results of a SecurityMetrics scan:

Synopsis: Debugging functions are enabled on the remote web server.

Description: The remote webserver supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods which are used to debug web server connections. In addition, it has been shown that servers supporting the TRACE method are subject to cross-site scripting attacks, dubbed XST for "Cross-Site Tracing", when used in conjunction with various weaknesses in browsers. An attacker may use this flaw to trick your legitimate web users to give him their credentials.

See also:
http://www.cgisecurity.com/whitehat-mirror...r_XST_ebook.pdf
http://www.apachewee...issues/03-01-24
http://www.kb.cert.org/vuls/id/867593

Solution: Disable these methods.
Risk Factor: Medium / CVSS Base Score: 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

Solution: Add the following lines for each virtual host in your configuration file:
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2 support disabling the TRACE method natively via the 'TraceEnable' directive.

Plugin output: The server response from a TRACE request is:
TRACE /pnxkvh4d.html HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Charset: iso-8859-1,*,utf-8
Accept-Language: en
Connection: Keep-Alive
Date: Sat, 15 Dec 2008 02:15:55 GMT
Host: [domain].com
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible MSIE 6.0 Windows NT 5.0)
X-Cluster-Client-Ip: 64.49.243.165
X-Forwarded-For: 204.238.82.20
X-Forwarded-Host: [domain].com
X-Forwarded-Server: www.[domain].com

CVE: CVE-2004-2320
BID: 9506, 9561, 11604
Other references: OSVDB:877, OSVDB:3726

Synopsis: The remote service encrypts traffic using a protocol with known weaknesses.

Description: The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.

See also:
http://www.schneier.com/paper-ssl.pdf

Solution: Consult the application's documentation to disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead. See
http://support.microsoft.com/kb/216482
for instructions on IIS. See
http://httpd.apache....od/mod_ssl.html
for Apache.

Risk Factor: Medium / CVSS Base Score: 2 (AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)

Comment #5

Apo, see my other response... if you are accepting CC info on your domain, even if you are NOT storing the data, then you are required to become compliant. This typically means passing a 3rd-party security scan of your hosting environment. Here's a source:

"If you are a merchant or service provider and accept credit cards you must validate PCI compliance at least annually. There is no way around this. Network Security Scans are required of all merchants and service providers with external-facing IP addresses that collect, process or transmit payment account information."

http://www.pcicompli...org/pcifaqs.php

Comment #6

Not true... If your host has SSL 2.0 enabled, which most seem to do, then your site will fail a scan. Also, if your host supports debugging functions such as the TRACE and/or TRACK methods, then you will also fail.

This is based upon a SecurityMetrics scan of my client's site that is hosted on Mosso's cloud environment.

Comment #7

So, I guess I had it right?

Can anyone out there recommend a PCI-compliant US host for Michael?

Comment #8

Yes, I am going through the same thing. Since I accept credit cards, use LinkPoint, my site has to pass a PCI scan. I have, very frantically, changed hosting companies in hopes of passing the PCI scan; if not, I will be fined, which is no good! If I can pass, I will let you know who I am using, and what I have done to pass. From what I have read, you can't pass a PCI scan using a shared server, you have to have a dedicated server, but I am hoping I can pass with some technical exceptions written from my host... either way, not fun!!

Comment #9

I am on a shared server with Bell Canada (as far as I know - but then again my "secure" SSL-protected pages are hosted on a separate physical server, as far as I know - it's a standard arrangement, but I'm not technical enough to elaborate) - anyhoo, I pass PCI scans.

I think it's really just a matter of asking hosting companies a lot of questions - or of getting recommendations.

~Wendy

Comment #10

I am also dealing with this issue now.

It seems most hosts enable SSL 2.0, but they can disable it for each site, at least if you have your own SSL certificate. I am not sure about when you share a certificate. But they also seem to have TRACK/TRACE enabled for debugging use. And that is a real bad thing for PCI compliance and general security as well. But this is set per server, not per virtual domain in a shared environment.

For a low volume site getting just a few hundred hits a day and 5-20 orders, a shared host works just fine. But not for PCI, it seems. So now we are looking at dedicated hosting, which adds a lot to the cost for a small store operator. On a dedicated host you can set all these things as you need them to pass PCI scans. But unless you can afford managed hosting, you have to also take care of updating the web server, MySQL, PHP, the OS, etc. with security patches.

And the web site part of PCI Compliance is supposed to be the easy part!

For some, the PCI scans are hundreds to thousands of dollars, and even if the merchant processor is paying it the first time out, that is another cost to be incurred by the merchant in some fashion.

Also note the hosting company has to be PCI Compliant with physical access etc., since that is where the data actually resides. A lot of the smaller hosts who have a few dozen servers can not pass those requirements. But it seems very few hosts have even started to address this yet. Nothing on their sites, and their tech support has no idea when you ask about PCI Compliance.

For more info on this check out
https://www.pcisecuritystandards.org

It would be good to gather/post a list of hosting companies that have been successful at doing this with osC.

WK

Comment #11
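A small pre-check for the two findings in the SecurityMetrics scan posted earlier in this thread (TRACE/TRACK enabled, SSL 2.0 accepted) and for WK's point that the host can turn these off in the Apache configuration: it classifies a TRACE response the way the scanner does and audits a vhost fragment for the TraceEnable and SSLProtocol directives. This is example code added for this page, not from the thread, SecurityMetrics or osCommerce; the sample responses, host names, cookie value and vhost fragments are constructed.

```python
import re
import socket

# Constructed sample responses to a TRACE request (not from the thread's scan).
# A server that still has TRACE enabled answers 200 and echoes the request
# back, headers included; that echo is what the XST finding is about.
TRACE_ECHO_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
    "TRACE /pnxkvh4d.html HTTP/1.0\r\nHost: shop.example\r\nCookie: session=abc123\r\n"
)
TRACE_DENIED_RESPONSE = "HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, POST\r\n\r\n"

# Constructed vhost fragments: the weak default beside the hardened form.
WEAK_VHOST = "<VirtualHost *:443>\n  SSLEngine on\n  SSLProtocol all\n</VirtualHost>\n"
HARDENED_VHOST = (
    "<VirtualHost *:443>\n  SSLEngine on\n  TraceEnable off\n"
    "  SSLProtocol all -SSLv2\n</VirtualHost>\n"
)

def trace_enabled(response: str) -> bool:
    """True when the server answered TRACE with 200 and echoed the request line."""
    head, _, body = response.partition("\r\n\r\n")
    status_line = head.split("\r\n", 1)[0]
    return " 200 " in status_line and body.upper().startswith("TRACE ")

def probe_trace(host: str, port: int = 80) -> bool:
    """Send one TRACE request to a server you administer and classify the reply."""
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(f"TRACE / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
        raw = b""
        while chunk := sock.recv(4096):
            raw += chunk
    return trace_enabled(raw.decode("latin-1"))

def audit_apache_config(config: str) -> list:
    """Report the two scan failures from the thread: TRACE on, SSLv2 allowed."""
    findings = []
    trace = re.search(r"^\s*TraceEnable\s+(\S+)", config, re.M | re.I)
    if trace is None or trace.group(1).lower() != "off":
        findings.append("TraceEnable is not 'off' (Apache's default is on)")
    proto = re.search(r"^\s*SSLProtocol\s+(.+)$", config, re.M | re.I)
    if proto is None:
        findings.append("SSLProtocol not set; SSLv2 exclusion cannot be confirmed")
    else:
        tokens = proto.group(1).split()
        allows_v2 = any(t in tokens for t in ("all", "+all", "SSLv2", "+SSLv2"))
        if allows_v2 and "-SSLv2" not in tokens:
            findings.append("SSLProtocol permits SSLv2")
    return findings
```

On a shared host you can only run the TRACE probe against your own site; the config audit is for the dedicated or managed case where you control httpd.conf.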

As I've mentioned, my site is hosted with Bell Canada. I've been with them for about 10 years now. When I decided to add online shopping to my web site, I asked Bell if their servers were PCI-compliant, and they said yes. I paid Trustwave about $250 for a year's worth of scans, filled out the questionnaire, and everything passed.

It's hard to imagine that such PCI-compliant shared services are rare in the USA or elsewhere.

Best of luck,

~Wendy

Comment #12

Yes, a list would be great. I have switched 3 different hosts... not fun!

A list, along with a link to the hosting company, would be ggggrrrrreeaatt!!!

Comment #13


osCommerce is PCI compliant as it does not store all the credit card numbers in the same location.

Part of the numbers are emailed to you and part are stored in the database. You do however have to have an SSL connection to your processor.

Comment #15


This question was taken from a support group/message board and re-posted here so others can learn from it.
