• Toll-free  888-665-8637
  • International  +1 717-220-0012
bobn@laurastamm.net
#1 Posted : Friday, January 16, 2009 2:10:10 PM(UTC)
bobn@laurastamm.net

Rank: Member

Joined: 6/6/2005(UTC)
Posts: 483

Security Metrics representing First Data (Link Point) tested our laurastamm.net web site (BV5) and our host (Resposio) for PCI Compliance earlier this month. Out of 4400 vulnerabilities tested, we had one level 4 (low) vulnerability. To fix it I changed Custom Errors from "Off" to "Remote Only" in our web config file. It took 1 min and most of that was browser loading.

Bob Noble
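
An added example, not part of the original post or of the BV Commerce code: a small Python check over web.config text that reports where customErrors is still "Off", including per-path `<location>` overrides that a site-wide fix would miss. The sample configs and the function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config contents, not taken from any site in the thread.
WEAK = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <customErrors mode="Off" />
  </system.web>
</configuration>"""

# The one-line fix described in the post.
FIXED = WEAK.replace('mode="Off"', 'mode="RemoteOnly"')

# A <location> override can switch detailed errors back on for one path.
OVERRIDE = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <customErrors mode="RemoteOnly" />
  </system.web>
  <location path="admin">
    <system.web>
      <customErrors mode="Off" />
    </system.web>
  </location>
</configuration>"""


def scopes_with_errors_off(config_xml):
    """Return the scopes whose customErrors mode is "Off".

    A scope is "(site root)" or the path attribute of a <location> element.
    """
    root = ET.fromstring(config_xml)
    scopes = [("(site root)", root)]
    scopes += [(loc.get("path", ""), loc) for loc in root.findall("location")]
    findings = []
    for name, node in scopes:
        for el in node.findall("system.web/customErrors"):
            if el.get("mode") == "Off":
                findings.append(name)
    return findings


if __name__ == "__main__":
    for label, xml in (("weak", WEAK), ("fixed", FIXED), ("override", OVERRIDE)):
        print(label, scopes_with_errors_off(xml))
```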
Marcus
#2 Posted : Friday, January 16, 2009 2:55:32 PM(UTC)
Marcus

Rank: Member

Joined: 11/5/2003(UTC)
Posts: 1,786

You're welcome. Glad to hear the testing went well.
Marcus
#3 Posted : Friday, January 16, 2009 2:56:14 PM(UTC)
Marcus

Rank: Member

Joined: 11/5/2003(UTC)
Posts: 1,786

Do you have a link to Security Metrics in case others want to scan their sites?
bobn@laurastamm.net
#4 Posted : Friday, January 16, 2009 9:38:05 PM(UTC)
bobn@laurastamm.net

Rank: Member

Joined: 6/6/2005(UTC)
Posts: 483

www.securitymetrics.com/

Apparently First Data hired them to do their PCI audits as required by MasterCard, Visa, Discover, etc. They will scan our site once every quarter with an annual questionnaire. BVCommerce was one of the web software products listed on the "What software do you use?" question.

I suspect if you haven't been audited yet, you will be soon. I was surprised they contacted us. We are a relatively small business.


Bob Noble
john.power
#5 Posted : Saturday, January 17, 2009 9:46:31 AM(UTC)
john.power

Rank: Member

Joined: 7/14/2004(UTC)
Posts: 254

Thanks for the link Bob, quite interesting and looks like it might ease the compliance burden. I agree about the BV / Resposio combination...this is yet another example of the value proposition of great software solidly backed up by great hosting.

Cheers

JP
Matt@9BallDesign
#6 Posted : Thursday, February 19, 2009 10:02:44 AM(UTC)
Matt@9BallDesign

Rank: Member

Joined: 12/23/2003(UTC)
Posts: 909

Hey Bob,

We just ran a scan through securitymetrics on a site. Did you have to "Purchase a qualifying Site Certification"?

I'm a little thrown off by this as it's mentioned in the email notification that this is a service that requires no purchase.
Matt Martell


http://www.9balldesign.com - Web, Print, Graphic


http://www.martellhardware.com/ - Decorative & Builder's Hardware

------------------------------------------------
sales@rudystoys.com
#7 Posted : Sunday, February 22, 2009 8:30:07 PM(UTC)
sales@rudystoys.com

Rank: Member

Joined: 11/13/2004(UTC)
Posts: 189

Bump
bobn@laurastamm.net
#8 Posted : Monday, February 23, 2009 11:47:42 PM(UTC)
bobn@laurastamm.net

Rank: Member

Joined: 6/6/2005(UTC)
Posts: 483

Oops, sorry. I didn't have to pay a dime. Well, I really had to pay about 3 percent of sales for several years. First Data paid the tab as part of their PCI compliance.

After I passed there was a link I could follow to download the code to bring up the cert. If you want to see it, go to laurastamm.net. There are several different images to choose from.

Bob Noble
Matt@9BallDesign
#9 Posted : Tuesday, February 24, 2009 9:35:58 AM(UTC)
Matt@9BallDesign

Rank: Member

Joined: 12/23/2003(UTC)
Posts: 909

Thanks Bob. I need to get on the horn with securitymetrics. I'm missing something about the process. I've "bought" the certification for my client via their account screen and nothing is changing, no confirmation emails, no change in status, no scan results, nothing.

Don't know how you feel about it but they could definitely friendly up the process with some gumby instructions.
Matt Martell


http://www.9balldesign.com - Web, Print, Graphic


http://www.martellhardware.com/ - Decorative & Builder's Hardware

------------------------------------------------
bobn@laurastamm.net
#10 Posted : Tuesday, February 24, 2009 5:40:36 PM(UTC)
bobn@laurastamm.net

Rank: Member

Joined: 6/6/2005(UTC)
Posts: 483

They have it quite automated. They gave me a link to their web site in an email. You can view the results of the tests and after you fix the broken stuff you can start the scan again. But I guess the trick is getting access to their web site. There was a web questionnaire portion of the test as well. They emailed me with the directions on how to get to that questionnaire.

The guy called me out of the blue and told me what he was doing. He asked me a bunch of security questions and I answered them until he got to the one "What is the IP address of the home computer you are using to input credit cards on the web?" (They wanted it so they could scan my home computer.) I asked him if that was a security test question. Needless to say, I called First Data to get his phone number, then called him back.

Bob Noble
Matt@9BallDesign
#11 Posted : Tuesday, February 24, 2009 6:04:48 PM(UTC)
Matt@9BallDesign

Rank: Member

Joined: 12/23/2003(UTC)
Posts: 909

I have to get on the horn with them. We're stuck with this screen (view attached). I believe the issue may be related to the processor and a phone call will clear it up.


They're hosting with Resposio as well so I know the scan should pass inspection.
Matt@9BallDesign attached the following image(s):
snap.png (28kb) downloaded 179 time(s).

Matt Martell


http://www.9balldesign.com - Web, Print, Graphic


http://www.martellhardware.com/ - Decorative & Builder's Hardware

------------------------------------------------
bobn@laurastamm.net
#12 Posted : Thursday, February 26, 2009 3:14:10 PM(UTC)
bobn@laurastamm.net

Rank: Member

Joined: 6/6/2005(UTC)
Posts: 483

Looks to me like what you're missing is the Questionnaire. And there is no Scan button, hence no scan results. Is there a link somewhere that brings up the Questionnaire? Are you signed in properly on their site? Yep! Call them I guess. I filled out the questionnaire while I was on the phone with them.

Bob Noble
Matt@9BallDesign
#13 Posted : Thursday, February 26, 2009 4:26:20 PM(UTC)
Matt@9BallDesign

Rank: Member

Joined: 12/23/2003(UTC)
Posts: 909

Yup, my client got on the horn with them. He needed to provide some information that I couldn't provide (merchant account information).

Did a scan, Resposio responded immediately, questionnaire completed, scanned again, off to the races :)

So it's a repeat of your original subject line!
Matt Martell


http://www.9balldesign.com - Web, Print, Graphic


http://www.martellhardware.com/ - Decorative & Builder's Hardware

------------------------------------------------
©2024 Develisys. All rights reserved.