DiscountASP not PCI Compliant

Discussion in 'Hosting Services / Control Panel' started by blaine1, May 1, 2008.

Thread Status:
Threads that have been inactive for 5 years or longer are closed to further replies. Please start a new thread.
  1. DiscountASP not PCI Compliant

    Anyone who processes credit cards is at risk using discountasp.net. Despite what the FAQ on this site says about PCI being geared towards larger organizations, that is simply not the case. I have talked at length to my cc processor and bank, and it does not matter if you process one transaction or 100,000 per year, your site must be PCI compliant.

    I have easily found several other hosts operating on shared servers who ARE PCI compliant and will be moving my site. Why is discountasp.net not partnering with a security firm?

    Link to the FAQ.

    http://kb.discountasp.net/article.aspx?id=10524
     
  2. Bruce

    Bruce DiscountASP.NET Staff

    If you use PCI scan companies like ScanAlert, our server should pass the scan. This doesn't mean that you will automatically be PCI compliant because they also scan the application (like SQL injection, etc.).
     
  3. I know what it involves, I've done the questionnaire, and our physical premises are safe, data is stored in a locked room, etc. However, the fact is that the only thing that is keeping us from getting compliant is the discountasp.net server. We have met every single requirement for our in-house certification. Guess what? We have a monthly meeting on data security. This is not new to me, we've been working on it for months. The fact that you don't seem to understand that this applies to ALL merchants, not just the big boys, shows you don't really understand the process, and quite frankly, that's scary.

    You asked for the host, so here it is:

    http://www.appliedi.net/scanalert-pcicompliance/


    Every customer gets it for free. You offer nothing.


    BTW, I pay significantly more than $10 a month to your company.
     
  4. So if I listen to you, the Hacker Safe program from McAfee is just BS?
     
  5. Bruce

    Bruce DiscountASP.NET Staff

    We also partner w/ ScanAlert (HackerSafe) but we are in the process of renegotiating the contract since they got acquired by McAfee.

    If you use ScanAlert to scan our server, it should pass (it may find some open ports like FTP & FPSE but those are not security threats and you can check those off). We have plenty of customers using ScanAlert to scan their site and they have no problem getting PCI compliant.

    Bruce

    DiscountASP.NET
    www.DiscountASP.NET
     
  6. Well, perhaps you could speed up that re-negotiating???? Securitymetrics.com failed the server, and will not bend the rules. Instead of it being free, I'd have to pay $350 for Scanalert.
     
  7. Here's what another host said:

    "We can assist you to ensure that your box is pci compliant"

    Apparently something that is not seen as important here. Same pricing too.
     
  8. mjp

    mjp

    Which host was that, exactly? I would like to know, because they are lying to you. There is no such thing as "a PCI compliant box."

    The PCI Self-Assessment Questionnaire is 14 pages long with 75 questions such as;

    "Is there an up-to-date information security awareness and training program in place for all system users?"

    And;

    "Is a background investigation (such as a credit- and criminal-record check, within the limits of local law) performed on all employees with access to account numbers?"

    Now how is a host going to guarantee that? Are they going to train and screen you, or anyone that works with your site or application? No they aren't. And that is just the tip of the iceberg.

    PCI compliance requires more than just hardware configuration, and I assure you that no shared host in our price range has anywhere near the network setup outlined in the PCI guidelines.

    None, period.

    And that is why we stand by our assertion that we cannot provide a PCI compliant environment, because there is no such thing at a shared host. Any shared host that tells you they can "ensure that your box is pci compliant" either doesn't understand what is involved, or is just BSing you to get your $10 a month.

    We'll take your $10, don't get me wrong. ;) But we aren't going to lie to you and sell you something that we cannot possibly deliver.
     
  9. Here's what Security Metrics said on this issue. You said you have customers using Hacker Safe from McAfee. Do you have any URLs? If I can't get this resolved, I have to switch hosts. My credit card discount rates will go up substantially if I don't correct this.

    If your host is not going to be able to make the changes in order for you to become compliant you may have to go with a new host. Also I am not sure how Hacker Safe is able to certify the site because in fact this is a true vulnerability and if Hacker Safe is passing on something that is in fact a vulnerability this may tell you something about their scans. SSL 2.0 came out in 1994, roughly 13 years ago, and shortly after its release it was found to be a weaker protocol. In response SSL 3.0 was released in 1996 and has been the industry standard ever since.

    Every browser released after 1998 will, by default, use SSL 3.0. As such Visa's guidelines no longer permit the use of SSL 2.0.

    I hope this helps.


    This has to do with SSL 2.0. That's the only thing that's failing. Why can't this be disabled if all browsers from 1998 and beyond support 3.0?
    Seriously, I don't want customers who live in the stone ages coming to my site anyways.
     
  10. Takeshi Eto

    Takeshi Eto DiscountASP.NET Staff

  11. I did, the reply was your FAQ about PCI compliance, and of course, you can read the thread above.

    I still don't understand if SSL 2.0 is a vulnerability, how can Hacker Safe pass the sites?
     
  12. Takeshi Eto

    Takeshi Eto DiscountASP.NET Staff

    Typically a scan would reveal a bunch of "vulnerabilities" and fail. To offer web hosting services, you have to allow FTP for example. The scan would detect that as a "vulnerability". From my understanding, you go into their interface and check it off and then you pass.
     
  13. But what you are saying has nothing to do with SSL. There is no way to 'check it off'.
     
  14. I took your advice, paid Hacker Safe (McAfee Secure) for their program, got no discounts, and the site is failing for the same reason!!!!!!!!!!!!

    The remote service appears to encrypt traffic using SSL protocol version 2.

    Netscape Communications Corporation introduced SSL 2.0 with the launch of Netscape Navigator 1.0 in 1994 and it contains several well-known weaknesses. For example, SSLv2 doesn't provide any protection against man-in-the-middle attacks during the handshake, and uses the same cryptographic keys for message authentication and for encryption.

    In Internet Explorer 7, the default HTTPS protocol settings are changed to disable the weaker SSLv2 protocol and to enable the stronger TLSv1 protocol. By default, IE7 users will only negotiate HTTPS connections using SSLv3 or TLSv1. Mozilla Firefox is expected to drop support for SSLv2 in its upcoming versions.

    As almost all modern browsers support SSLv3, disabling support for the weaker SSL method should have minimal impact.


    I am off to another host if I can't get this resolved. This seems like a huge vulnerability to have on your servers.
     
  15. Here's how you fix it.

    IIS Implementation:
    Refer to the Microsoft KB Article on Disabling SSL 2.0, Article ID: 187498

    I am not happy because you guys said McAfee secure sites hosted by you, so I spent nearly 4 digits for a full year, when I could have got it for a lot less by switching to another host as part of a package.
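    The KB article referenced above describes the Schannel registry switch that turns SSL 2.0 off on an IIS host. The following is an added example, not code from this thread or from DiscountASP, that applies that switch for both the server and client sides and then reads the setting back so the result can be verified before the PCI scan is re-run. It assumes an elevated PowerShell session on the Windows machine running IIS; the change only takes effect after a reboot.

```powershell
# Added example: disable SSL 2.0 in Schannel on a Windows/IIS host and verify.
# Run from an elevated PowerShell prompt; reboot afterwards for Schannel to reload.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0'

function Disable-Ssl2 {
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $base $side
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled=0 is the value the KB article documents. DisabledByDefault=1 is the
        # additional Schannel value on newer Windows versions that also keeps the
        # protocol out of default negotiation; setting both is harmless on older hosts.
        New-ItemProperty -Path $key -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

function Test-Ssl2Disabled {
    # Returns $true only when both the Server and Client keys exist and Enabled is 0.
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $base $side
        if (-not (Test-Path $key)) { return $false }
        $props = Get-ItemProperty -Path $key
        if ($props.Enabled -ne 0) { return $false }
    }
    return $true
}

Disable-Ssl2
if (Test-Ssl2Disabled) { 'SSL 2.0 is disabled in the registry; reboot to apply.' }
else { 'SSL 2.0 is still enabled; check the registry keys under SCHANNEL\Protocols.' }
```

    After the reboot, re-running the scanner (SecurityMetrics or ScanAlert in this thread) is the confirmation that the finding is gone; the registry check only shows the configuration, not what the listener actually negotiates.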
     
  16. mjp

    mjp

    What we said is that we use it. We did not claim that every site we host is covered by it. That would be impossible.

    Sorry you misunderstood.
     
  17. We also partner w/ ScanAlert (HackerSafe) but we are in the process of renegotiating the contract since they got acquired by McAfee.

    If you use ScanAlert to scan our server, it should pass (it may find some open ports like FTP & FPSE but those are not security threats and you can check those off). We have plenty of customers using ScanAlert to scan their site and they have no problem getting PCI compliant.

    This is pretty clear to me. Obviously falling on deaf ears, so I'm out....

    I am using ScanAlert.....
     
  18. Boy, I am not used to amazing service. I just got a phone call from my new host asking me if everything was working OK, and if I had any questions.

    Imagine that happening from the folks here?

    Seriously though, you should look into improving the way you interact with customers.

    I am not going to post here anymore, that's not fair to you guys, and I've said my piece.
     
  19. Takeshi Eto

    Takeshi Eto DiscountASP.NET Staff

    We wish you the best.
     