I'm working on going PCI Compliant with McAfee. The only outstanding issue is: "FTP Supports Clear Text Authentication". I set the FTP to allow only FTP from my IP address, but they are saying it's still available to the public. Has anybody had this same issue? Thanks!
The FTP server still responds even when you have set an IP restriction. The IP restriction part happens AFTER you authenticate. To fix the PCI issue, we can configure your FTP site to ONLY allow FTP over SSL connections. You'll have to open a support ticket for this.
Not happening... Unfortunately, here's my response from DiscountASP.NET: "I'm afraid after some extensive testing, we are not able to set up the FTP server to require SSL in order for the PCI test to pass. We have set your account to require SSL, but it only requires it once you try to connect with your specific user. Unfortunately, IIS only requires SSL when you try to log in with the user which is set to require it, not as soon as the connection is made. The only way we'd be able to set this up is if we were to require it on the whole server, which we cannot do as it would affect many customers and their current configurations." How have other McAfee clients passed the PCI test? If I can't settle this one issue, I'll have to find another hosting company.
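To see why an IP allow-list or a per-user "require SSL" setting does not clear the "clear text authentication" finding described in the two posts above, it helps to run the exchange a scanner runs: read the banner, ask for FEAT, and send a plaintext USER before any AUTH TLS. If the server answers 331 (password required), it has just accepted a username in the clear on an unencrypted channel, which is the finding. The script below is an added example, not code from the thread or from DiscountASP.NET or McAfee; the two canned server transcripts (an "IIS-like" server that only enforces SSL per user, and a hardened one that refuses plaintext USER with a 534) are constructed for illustration, and the `pci-probe` username and reply texts are assumptions.

```python
"""Probe an FTP control channel for plaintext authentication (added example,
constructed server transcripts; not the hosting provider's or scanner's code)."""
import socket
import sys


def read_reply(chan):
    """Read one RFC 959 reply (single- or multi-line) and return (code, text)."""
    first = chan.readline()
    if not first:
        raise ConnectionError("control connection closed")
    code = first[:3]
    if not code.isdigit():
        raise ValueError("malformed reply: %r" % first)
    lines = [first.rstrip("\r\n")]
    if first[3:4] == "-":  # multi-line reply, e.g. FEAT; ends with "<code> "
        while True:
            line = chan.readline()
            if not line:
                raise ConnectionError("control connection closed mid-reply")
            lines.append(line.rstrip("\r\n"))
            if line.startswith(code + " "):
                break
    return int(code), "\n".join(lines)


def probe_cleartext_auth(chan, username="pci-probe"):
    """Banner -> FEAT -> plaintext USER, exactly what happens before any IP or
    per-user policy can apply. Returns what the server allowed on the clear channel."""
    _, banner = read_reply(chan)
    chan.send_command("FEAT")
    code, feat = read_reply(chan)
    offers_tls = code == 211 and "AUTH TLS" in feat.upper()
    chan.send_command("USER " + username)  # sent without AUTH TLS first
    code, reply = read_reply(chan)
    # 331 = username taken in the clear, password wanted in the clear; 230 =
    # logged in outright. A 53x refusal means plaintext login is not possible.
    accepts_plain = code in (230, 331)
    chan.send_command("QUIT")
    try:
        read_reply(chan)
    except ConnectionError:
        pass
    return {"banner": banner, "offers_tls": offers_tls,
            "user_reply": reply, "accepts_plaintext_auth": accepts_plain}


class FtpChannel:
    """Control channel over a real TCP socket (used when run from the CLI)."""
    def __init__(self, host, port=21, timeout=10):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.rfile = self.sock.makefile("r", encoding="latin-1")

    def readline(self):
        return self.rfile.readline()

    def send_command(self, cmd):
        self.sock.sendall((cmd + "\r\n").encode("latin-1"))

    def close(self):
        self.sock.close()


class FakeFtpChannel:
    """Constructed stand-in for an FTP server so the probe runs offline."""
    def __init__(self, banner, replies):
        self.buf = banner
        self.replies = replies  # verb -> canned reply text

    def readline(self):
        if not self.buf:
            return ""
        line, sep, self.buf = self.buf.partition("\n")
        return line + sep

    def send_command(self, cmd):
        verb = cmd.split(" ", 1)[0].upper()
        self.buf += self.replies.get(verb, "502 Command not implemented.\r\n")

    def close(self):
        pass


FEAT_WITH_TLS = "211-Extended features supported:\r\n AUTH TLS\r\n PBSZ\r\n PROT\r\n211 END\r\n"
CONSTRUCTED_SERVERS = {
    # SSL required only once a specific user name is seen: USER is still taken in the clear.
    "per-user-ssl": ("220 Constructed FTP Service\r\n",
                     {"FEAT": FEAT_WITH_TLS,
                      "USER": "331 Password required for pci-probe.\r\n",
                      "QUIT": "221 Goodbye.\r\n"}),
    # SSL required for the whole connection: plaintext USER is refused outright.
    "require-ssl": ("220 Constructed FTP Service\r\n",
                    {"FEAT": FEAT_WITH_TLS,
                     "USER": "534 Policy requires SSL.\r\n",
                     "QUIT": "221 Goodbye.\r\n"}),
}


def run_demo():
    """Probe both constructed servers; only 'per-user-ssl' yields the finding."""
    return {name: probe_cleartext_auth(FakeFtpChannel(banner, replies))
            for name, (banner, replies) in CONSTRUCTED_SERVERS.items()}


if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: python probe.py ftp.example.test [port]
        chan = FtpChannel(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 21)
        result = probe_cleartext_auth(chan)
        chan.close()
        print(result)
    else:
        for name, result in run_demo().items():
            print(name, "->", "FINDING" if result["accepts_plaintext_auth"] else "ok", result["user_reply"])
```

Note that the scanner never needs a valid account: the verdict is decided by the reply to USER, before any password, which is why restricting the source IP or the individual account (both of which are evaluated later) leaves the finding in place while a connection-wide "require SSL" policy clears it.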
We have a lot of users who have passed it. There's even a McAfee deal in our marketplace... The problem is that they (and other PCI scanning vendors) seem to change the PCI requirements/scan often, and some of the things the scan complains about (like this) are impossible to fix on a shared server.
I got the deal from your marketplace. How do other McAfee/Discount clients get around this then? Even with changing standards (which I do not believe exist in this particular case), there must be something McAfee/Discount clients are doing to remain PCI compliant. I WANT TO KNOW THAT SECRET!
Having the same problem. I too have failed to get PCI compliance because of this problem. I also tried other PCI companies with the same problem. I opened a ticket several days ago and am still waiting.
Actually, I wrote a ticket explaining the situation and asking what other clients had done to be compliant. Jose took over and has been great. It took a few rounds of testing back and forth, but DiscountASP.net got in contact with McAfee directly, all while keeping me in the loop. We did a scan two days ago and it cleared the issue up completely. Unfortunately, McAfee added something to their scans and picked up a new issue with RapidFire SSL that day. Figures. So, Discount is now in contact with RapidFire to clear that up. So far, I've been very impressed with the support.
The failures are related to a recent change in the compliance criteria regarding plain-text transmission of FTP usernames. We have a workaround, but it involves removing a host header, so you have to contact support to get it done. Note that there can be a lot of reasons that you might fail a PCI scan, and the FTP issue is only one of them. When you contact support, always include a copy of the report you receive from the scanning vendor.