Author Topic: pci compliance, security, hacking, ahh...  (Read 18210 times)

mikej2009

  • Beginner
  • *
  • Posts: 11
pci compliance, security, hacking, ahh...
« on: December 17, 2009, 18:15:06 pm »
After installing the cart, if I use a merchant such as authorize.net, does PCI compliance fall under me, or how does that work? It's a little confusing and intimidating.

Would it be better just to use one of the "pay per month" shopping carts?

PRO

  • Global Moderator
  • Super Hero
  • *
  • Posts: 10272
  • VirtueMart Version: 3+
Re: pci compliance, security, hacking, ahh...
« Reply #1 on: December 17, 2009, 19:26:18 pm »
PCI compliance ALWAYS falls on you, no matter if you are using a paid cart or what.

Getting certified is a matter of the site being scanned.

They will make sure your software is up to date.
12-15-09
Apache (2.2.12)
PHP (5.2.10)

Anonymous FTP needs to be turned off.

They will see how much time you have left on your SSL certificate. If it's about to expire, they will say you are non-compliant.

They will also scan YOUR IP address of your internet connection.

Now, the tricky part is they are going to say show_image_in_imagetag produces "blind SQL injection" vulnerabilities. You have to argue this with them. Tell them to prove it, etc.

I do NOT do development work for hire.

sandhill

  • Beginner
  • *
  • Posts: 13
Re: pci compliance, security, hacking, ahh...
« Reply #2 on: January 07, 2010, 03:56:35 am »
Did you have to pay for a scan? I was at their site and I see they charge $699 to test a site.

PCI compliance ALWAYS falls on you, no matter if you are using a paid cart or what.

Getting certified is a matter of the site being scanned.

They will make sure your software is up to date.
12-15-09
Apache (2.2.12)
PHP (5.2.10)

Anonymous FTP needs to be turned off.

They will see how much time you have left on your SSL certificate. If it's about to expire, they will say you are non-compliant.

They will also scan YOUR IP address of your internet connection.

Now, the tricky part is they are going to say show_image_in_imagetag produces "blind SQL injection" vulnerabilities. You have to argue this with them. Tell them to prove it, etc.

rowby

  • Jr. Member
  • **
  • Posts: 77
    • RowbyVille
Re: pci compliance, security, hacking, ahh...
« Reply #3 on: January 07, 2010, 04:21:25 am »
Hi, I have used authorizenet and virtuemart and have not run into this particular issue. Yes, there needs to be a secure certificate in place, and you will need a unique IP address, because that is required to get a typical secure certificate.

At least in my experience, no one from authorizenet has brought up anything about "show_image_in_imagetag produces 'blind SQL injection' vulnerabilities."

...Rowby

Join me in Outer Space at:
http://www.rowbyville.com

PRO

  • Global Moderator
  • Super Hero
  • *
  • Posts: 10272
  • VirtueMart Version: 3+
Re: pci compliance, security, hacking, ahh...
« Reply #4 on: January 07, 2010, 15:50:01 pm »
About show_img_in_imagetag

They take the URL of the thumb and then add "+5+abs(" (or something like it) to many of them.

What they want is for it to return the same error no matter what.

I do NOT do development work for hire.
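The probe PRO describes in Reply #1 and Reply #4 (the scanner appending arithmetic such as "+5+abs(" to a numeric parameter and watching whether the page changes) can be reproduced offline. The block below is an added Python example, not VirtueMart code and not the scanner's code: it stands up a constructed in-memory SQLite table in place of the cart's product table, implements one handler that concatenates the parameter into SQL and one that validates and binds it, and runs the differential test against both. The table, column and handler names are assumptions for the illustration.

```python
"""Simulation of the blind-SQL-injection probe an ASV scanner runs against a
numeric query-string parameter, beside a vulnerable and a hardened handler.
Added example, not VirtueMart code. The SQLite table and its rows are
constructed sample data standing in for the cart's product table."""
import sqlite3
from typing import Callable


def make_catalogue() -> sqlite3.Connection:
    # Constructed sample rows: product_id -> thumbnail path.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product_images (product_id INTEGER PRIMARY KEY, thumb TEXT)")
    conn.executemany("INSERT INTO product_images VALUES (?, ?)",
                     [(1, "thumb_1.jpg"), (2, "thumb_2.jpg"), (6, "thumb_6.jpg")])
    return conn


def vulnerable_handler(conn: sqlite3.Connection, product_id: str) -> str:
    """Concatenates the raw parameter into the query: the pattern the scanner probes for."""
    sql = f"SELECT thumb FROM product_images WHERE product_id = {product_id}"
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        return "500 Internal Server Error"  # broken SQL shows up as a different response
    return f"200 {row[0]}" if row else "404 Not Found"


def hardened_handler(conn: sqlite3.Connection, product_id: str) -> str:
    """Validates the parameter as an integer and binds it; anything else gets one fixed error."""
    if not product_id.isdigit():
        return "400 Bad Request"  # the same error no matter what is appended
    row = conn.execute("SELECT thumb FROM product_images WHERE product_id = ?",
                       (int(product_id),)).fetchone()
    return f"200 {row[0]}" if row else "404 Not Found"


def blind_sqli_probe(fetch: Callable[[str], str], value: str) -> bool:
    """Differential test in the style the thread describes.

    Sends the original value, an arithmetic expression that evaluates to the
    same number ("1+5-5"), and a deliberately unterminated one ("1+5+abs(").
    If the database is evaluating the input, the equivalent expression
    reproduces the baseline page while the broken one changes it. A handler
    that answers both with the same fixed error is not flagged.
    """
    baseline = fetch(value)
    equivalent = fetch(f"{value}+5-5")
    broken = fetch(f"{value}+5+abs(")
    return equivalent == baseline and broken != baseline


def scan_report(conn: sqlite3.Connection, value: str = "1") -> dict:
    """Runs the probe against both handlers; returns {handler name: flagged?}."""
    return {
        "vulnerable": blind_sqli_probe(lambda v: vulnerable_handler(conn, v), value),
        "hardened": blind_sqli_probe(lambda v: hardened_handler(conn, v), value),
    }


if __name__ == "__main__":
    for name, flagged in scan_report(make_catalogue()).items():
        print(f"{name:10s} blind SQL injection: {'FLAGGED' if flagged else 'clean'}")
```

The hardened handler is what "the same error no matter what" means in practice: because the value is rejected before it reaches the database, neither the equivalent nor the broken expression can make the page differ in a way that depends on SQL evaluation, so the probe has nothing to distinguish. The same probe run against a parameter that is concatenated into the query separates the two cases on the first pass.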

PRO

  • Global Moderator
  • Super Hero
  • *
  • Posts: 10272
  • VirtueMart Version: 3+
Re: pci compliance, security, hacking, ahh...
« Reply #5 on: January 25, 2010, 19:24:20 pm »
It took one month going back and forth with Security Metrics, but I'm finally PCI compliant.

I do NOT do development work for hire.

scanreg

  • Beginner
  • *
  • Posts: 18
Re: pci compliance, security, hacking, ahh...
« Reply #6 on: June 12, 2010, 17:09:42 pm »
It took one month going back and forth with Security Metrics, but I'm finally PCI compliant.

What did they require? What things had to be fixed?

Thanks

scanreg

  • Beginner
  • *
  • Posts: 18
Re: pci compliance, security, hacking, ahh...
« Reply #7 on: June 13, 2010, 02:45:56 am »
Did they shut you down during that period or did they allow you to operate while fixing things ?

Thanks

scanreg

  • Beginner
  • *
  • Posts: 18
Re: pci compliance, security, hacking, ahh...
« Reply #8 on: June 13, 2010, 02:57:32 am »
About show_img_in_imagetag

They take the URL of the thumb and then add "+5+abs(" (or something like it) to many of them.

What they want is for it to return the same error no matter what.

How was this addressed?

Is this fixable?

Gotta pass PCI

Thanks

PRO

  • Global Moderator
  • Super Hero
  • *
  • Posts: 10272
  • VirtueMart Version: 3+
Re: pci compliance, security, hacking, ahh...
« Reply #9 on: June 13, 2010, 04:02:34 am »
I passed PCI compliance without anything.

The initial scan will come up with some errors, and you fix server-side stuff. Then rescan, etc.

It's mainly server side:

PHP version, register_globals, etc.

I do NOT do development work for hire.

jsnmtth

  • Beginner
  • *
  • Posts: 8
Re: pci compliance, security, hacking, ahh...
« Reply #10 on: September 10, 2010, 19:57:01 pm »
If you're still storing or emailing the "Security Code" (CVV), you're not PCI-DSS compliant, no matter what your scan says.

DRACULINOS

  • Contributing Developer
  • Full Member
  • *
  • Posts: 206
  • Theo
Re: pci compliance, security, hacking, ahh...
« Reply #11 on: October 03, 2010, 12:02:24 pm »
Can somebody suggest companies for PCI DSS certificates?

A cheap or free one would be better  :P

Thanks

PRO

  • Global Moderator
  • Super Hero
  • *
  • Posts: 10272
  • VirtueMart Version: 3+
Re: pci compliance, security, hacking, ahh...
« Reply #12 on: October 03, 2010, 13:22:25 pm »
In the USA, merchant companies are partnering with compliance companies.

I use Security Metrics.

I do NOT do development work for hire.