Re: [WebDNA] OT: Issue with some clouds
This WebDNA talk-list message is from 2009
> I'm still a little fuzzy on the PCI compliance thing... (I haven't
> done a CC site since the new regulations went into effect). If a
> small merchant has a storefront site, goes through a gateway (e.g.
> Authorize.net), does not store any card info, but only passes it
> through the site to the gateway, and receives confirmation back,
> does that merchant have to do anything more than have an SSL?

I recently had to make my servers PCI compliant. It is more than simply data retention policies and SSL certificates. We used TrustWave to gain compliance. I was actually surprised at what all they checked for. They would do a scan against my servers that would take about two hours to complete. When they finished, I received a report that listed all the vulnerabilities that caused me to fail compliance. These included things such as the version of Apache, FTP server, and PHP I had running on the server. I also had to remove SSLv2 support from my server, update SSH, among other things.

I even had an issue come up with the way I have coded some WebDNA; in particular, my use of 'cart=[cart]'. The test that they ran against the sites in question included substituting the value of [cart] with some values that included angled brackets and other such characters, then checking to see if that string appeared anywhere on the resulting page. I solved the problem by changing to 'cart=[url][cart][/url]'. It would not have affected WebDNA, but I guess it could have affected lesser languages. I guess it could also be used to create a bogus link to a page on a WebDNA site that substituted [cart] for some javascript, which could be theoretically used for malicious purposes for anyone who followed the link.

Anyway, that's what I learned from having to get PCI compliant.

Dennis
"Dennis J. Bonsall, Jr."
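The reflection check Dennis describes, and the effect of the `[url]...[/url]` fix, modelled in Python as an added example (not code from the post or from WebDNA). It assumes that WebDNA's `[url]` behaves like `urllib.parse.quote` with no safe characters, and the probe value is constructed for illustration.

```python
from urllib.parse import quote, unquote

# Constructed probe in the spirit of the compliance scan: a cart value that
# carries angle brackets and other markup-significant characters.
PROBE = 'probe<tag>"x"&y'


def render_link_raw(cart: str) -> str:
    """Models the original template 'cart=[cart]': the value is emitted untouched."""
    return f'<a href="page.tpl?cart={cart}">continue</a>'


def render_link_encoded(cart: str) -> str:
    """Models the fix 'cart=[url][cart][/url]'.

    Assumption: [url] percent-encodes the value the way quote(..., safe="") does,
    so '<', '>', '"' and '&' never reach the page as literal characters.
    """
    return f'<a href="page.tpl?cart={quote(cart, safe="")}">continue</a>'


def reflects_unencoded(page: str, probe: str = PROBE) -> bool:
    """The scanner's check: does the probe appear verbatim anywhere in the page?

    True means the scan would flag the page as reflecting the input unencoded.
    """
    return probe in page


def round_trip_ok(cart: str) -> bool:
    """Why the fix does not break the cart: the encoded value decodes back to the
    original, so the next request still identifies the same cart."""
    return unquote(quote(cart, safe="")) == cart


def scan(renderer, probe: str = PROBE) -> dict:
    """Render the page with the probe as the cart value and report the verdict."""
    page = renderer(probe)
    return {"page": page, "flagged": reflects_unencoded(page, probe)}


if __name__ == "__main__":
    for name, renderer in (("raw", render_link_raw), ("encoded", render_link_encoded)):
        result = scan(renderer)
        print(f"{name:8} flagged={result['flagged']}  {result['page']}")
```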