burtsbees
Joined: 03/24/2010
Juice: 29

I am trying to obtain PCI compliance. The following are the issues I need to work on:

If anyone has any ideas, I would appreciate them. Thanks.

1. Darwin Streaming Server < 5.5.5 Multiple Remote Overflow Vulnerabilities (I think I need to upgrade to a dedicated or private server to solve this)

2. PHP version check (not sure exactly about this one)

3. Web Application Cross Site Scripting (Could this be a problem with a module I have installed?)

4. Unencrypted Login Information Disclosure (I think I need a dedicated IP address and individual certificates through my host for this)

5. Potential Sensitive Persistent Cookie Sent Over a Non-Encrypted (SSL) Channel (Not sure on this one)

univate@drupal.org
Getting busy with the Ubercode.
Joined: 03/27/2009
Juice: 465
Re: Does anyone have experience getting PCI compliance for their

What do you mean by getting PCI compliance? I was not aware there was a formal process.

I think there are companies that will do an audit on your system, but generally PCI compliance is a self assessment you need to do on your system/software.

Is this a list of issues you have been told by some other company to investigate?

I have taken PCI compliance really to be something you should be fully aware of if you are running an ecommerce site and dealing with credit card information. If your system gets compromised, the first thing your merchant provider is probably going to do is check that you were in compliance with PCI and that you did everything you could to protect your customer details. For example, if you are found to be storing CVV or full credit card track information, you are probably going to have a harder time explaining that you shouldn't be held liable for the losses.

burtsbees
Joined: 03/24/2010
Juice: 29
Re: Re: Does anyone have experience getting PCI compliance for t

Yes, I am in the process of getting PCI compliant through McAfee software; it comes free for a year through PayPal. I am trying to get the Website Payments Pro gateway integrated into my Ubercart. I would rather let a third party handle this all, but my clients need to be able to read and fill out their information in Korean, which is not a language supported by any payment gateway that I've seen. So I am stuck trying to figure this out so I can offer the translation myself.

scanreg
Joined: 10/29/2007
Juice: 18
Re: Does anyone have experience getting PCI compliance for their

Any progress with this?

BD3
Joined: 05/28/2009
Juice: 70
Re: Does anyone have experience getting PCI compliance for their

Did you find a solution for #5: Potential Sensitive Persistent Cookie Sent Over a Non-Encrypted (SSL) Channel?

I also am using McAfee Secure as my cc merchant now requires this.

Not sure if the way Secure Pages is configured has to do with part of this, but here mine is regardless:

Make secure only the listed pages:
node/add*
node/*/edit
user/*
admin*
cart/checkout
cart/checkout/review
cart/checkout/payment_details/*
cart/checkout/complete

BD3
Joined: 05/28/2009
Juice: 70
Re: Re: Does anyone have experience getting PCI compliance for t

Anybody else seeing the Potential Sensitive Persistent Cookie Sent Over a Non-Encrypted (SSL) Channel vulnerability? I am just not sure if Secure Pages is where to look or if it is something completely different?

TR
Bug Finder, FAQ Moderator, Getting busy with the Ubercode.
Joined: 11/05/2007
Juice: 3424
Re: Re: Re: Does anyone have experience getting PCI compliance f

You have to also use the Secure Pages Prevent Hijack module.

<tr>.
BD3
Joined: 05/28/2009
Juice: 70
Re: Re: Re: Re: Does anyone have experience getting PCI complian

Thanks for the reply TR. I installed and enabled the Secure Pages Prevent Hijack module. Ran a "verify fixed" scan to see if the issue was fixed; it said it wasn't. So I went to Secure Pages and unchecked "Switch back to http pages when there are no matches", ran another scan and it still was listed as a vulnerability. Anything I am doing wrong or need to change? Thanks for all your help.

BD3
Joined: 05/28/2009
Juice: 70
Re: Re: Re: Re: Re: Does anyone have experience getting PCI comp

More information that I found:

Protocol: tcp
Port: 80
Read Timeout: 10000
Method: GET
--> Sensitive Info on Insecure Channel (http) : SESS5b9363b0ae57a1a1c24f732ba82d81de=we8a9cia8o60lkah941h01y7a6; expires=Wed, 11-Aug-2010 21:59:14 GMT; path=/; domain=.example.com

Any help would be extremely great!
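The scanner line above and the Secure Pages pattern list BD3 posted earlier are enough to explain what the finding means, so here is an added example (not code from this thread, nor from the Secure Pages or Secure Pages Prevent Hijack modules) that takes both as input. It parses the quoted Set-Cookie header, decides which Drupal paths the pattern list would force to HTTPS, and shows why that alone does not clear the finding: a cookie set without the Secure attribute is attached by the browser to every plain http:// request for the cookie's domain, including the first request to a page that Secure Pages then redirects to HTTPS. The wildcard rule for the patterns is assumed to match Drupal's (`*` matches any run of characters, whole-path match), and the Drupal 6 session-cookie name shape (`SESS` plus 32 hex digits) is taken from the scanner output; `.example.com` is the thread's own placeholder domain.

```python
import re

# Set-Cookie header exactly as the scanner reported it in the thread.
SCANNER_SET_COOKIE = (
    "SESS5b9363b0ae57a1a1c24f732ba82d81de=we8a9cia8o60lkah941h01y7a6; "
    "expires=Wed, 11-Aug-2010 21:59:14 GMT; path=/; domain=.example.com"
)

# Secure Pages "Make secure only the listed pages" list from BD3's post.
SECURE_PAGES_PATTERNS = [
    "node/add*", "node/*/edit", "user/*", "admin*",
    "cart/checkout", "cart/checkout/review",
    "cart/checkout/payment_details/*", "cart/checkout/complete",
]


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attributes).

    Attribute names are lower-cased; valueless attributes such as Secure
    and HttpOnly are stored as True.  Splitting on ';' is safe here because
    the Expires date contains a comma but never a semicolon.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value.strip(), attrs


def is_secure_page(path, patterns=SECURE_PAGES_PATTERNS):
    """True if Secure Pages would redirect this Drupal path to HTTPS.

    Assumed to mirror Drupal's wildcard rule: '*' matches any run of
    characters, including '/', and the pattern must cover the whole path.
    """
    for pattern in patterns:
        regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
        if re.match(regex, path):
            return True
    return False


def is_session_cookie(name):
    """Drupal 6 session cookies are named SESS followed by 32 hex digits."""
    return re.fullmatch(r"SESS[0-9a-f]{32}", name) is not None


def http_exposure(set_cookie_header, paths):
    """Return the request paths on which the browser would send this cookie
    over plain http://.  Without the Secure attribute that is every path
    under the cookie's Path, regardless of which pages are forced to HTTPS.
    """
    _name, _value, attrs = parse_set_cookie(set_cookie_header)
    if "secure" in attrs:
        return []
    cookie_path = attrs.get("path", "/")
    return [p for p in paths if ("/" + p).startswith(cookie_path)]


def audit(set_cookie_header, sample_paths):
    """Summarise what a PCI scan like the one in the thread would flag."""
    name, _value, attrs = parse_set_cookie(set_cookie_header)
    findings = []
    if is_session_cookie(name) and "secure" not in attrs:
        findings.append("session cookie %s lacks the Secure attribute" % name)
    if "httponly" not in attrs:
        findings.append("cookie %s lacks the HttpOnly attribute" % name)
    return {
        "findings": findings,
        "exposed_over_http": http_exposure(set_cookie_header, sample_paths),
        "forced_https": [p for p in sample_paths if is_secure_page(p)],
    }


if __name__ == "__main__":
    paths = ["node/1", "cart/checkout", "user/login", "admin/settings"]
    print(audit(SCANNER_SET_COOKIE, paths))
    # The same cookie with the attributes the scanner is looking for.
    print(audit(SCANNER_SET_COOKIE + "; Secure; HttpOnly", paths))
```

Running it against the thread's own data shows `cart/checkout`, `user/login` and `admin/settings` in `forced_https`, yet all four paths in `exposed_over_http`: the pattern list controls which pages are served over HTTPS, not whether the session cookie carries the Secure attribute, which is what the scanner checks. Once the header carries `Secure`, the exposure list is empty. The trade-off is that a Secure-only session cookie is never sent on http:// pages, so a site that still serves some pages over plain HTTP needs something like the Prevent Hijack approach TR mentioned (a separate cookie for the insecure pages) or has to serve everything over HTTPS; PHP's `session.cookie_secure` directive is the setting that makes PHP emit the attribute on its own session cookie.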