I have a site which previously passed PCI compliance with Security Metrics, but is now failing. There are two issues which seem to be related to the FTP server.

Description: SSL Certificate with Wrong Hostname
Synopsis: The SSL certificate for this service is for a different host.
Impact: The commonName (CN) of the SSL certificate presented on this service is for a different machine.
Data Received:
The identity known by SecurityMetrics is : qscomics.com
The Common Name in the certificate is : *.discountasp.net
The Subject Alternate Names in the certificate are : *.discountasp.net discountasp.net
Resolution: Purchase or generate a proper certificate for this service.

and

Description: FTP Supports Clear Text Authentication
Synopsis: Authentication credentials might be intercepted.
Impact: The remote FTP server allows the user's name and password to be transmitted in clear text, which could be intercepted by a network sniffer or a man-in-the-middle attack.
Data Received: Although this FTP server supports 'AUTH TLS', it is not mandatory and USER and PASS may be sent without switching to TLS.
Other references : CWE:522, CWE:523
Resolution: Switch to SFTP (part of the SSH suite) or FTPS (FTP over SSL/TLS). In the latter case, configure the server so that control connections are encrypted.

Is there anything that can be done about these? I can't see much for the management of FTP. Setting IP restrictions, or stopping the FTP service, doesn't help, as the FTP service is still listening on that IP. I have an SSL cert for my site which is used for HTTP; is there some way to get this used for the FTP site?

Many thanks for any help offered.
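The first finding is a hostname-verification failure: the certificate's names cover `*.discountasp.net`, not `qscomics.com`. The following Python, an added example that is not code from the post, the scanner, or the hosting provider, re-implements the RFC 6125 wildcard rules a verifier applies, using the CN and SANs quoted in the scan output. The `CertNames` container and `scan_finding` helper are assumptions for illustration, not an API of any real tool.

```python
"""Check whether an X.509 certificate's names cover a given hostname.

Added example (not from the forum post or the hosting provider): re-implements
the RFC 6125 / RFC 2818 matching rules that scanners apply, so the
"SSL Certificate with Wrong Hostname" finding can be reproduced offline.
The certificate names below are the ones quoted in the thread (constructed
input, not parsed from a real certificate).
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class CertNames:
    """Identity fields a verifier looks at (hypothetical container)."""

    common_name: str
    subject_alt_names: list[str] = field(default_factory=list)


def _name_matches(pattern: str, hostname: str) -> bool:
    """Match one DNS name pattern against a hostname, case-insensitively.

    A wildcard is honoured only as the entire left-most label ("*.example.com"),
    it matches exactly one label, it needs at least two labels after it, and it
    never matches the bare domain ("*.example.com" does not cover "example.com").
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False  # malformed or over-broad wildcard: reject
    if len(h_labels) != len(p_labels):
        return False  # "*" covers exactly one label, never zero or several
    return p_labels[1:] == h_labels[1:]


def certificate_matches(cert: CertNames, hostname: str) -> bool:
    """If any SAN DNS names are present, only they are consulted; else fall back to CN."""
    candidates = cert.subject_alt_names or [cert.common_name]
    return any(_name_matches(name, hostname) for name in candidates)


def scan_finding(cert: CertNames, hostname: str) -> dict:
    """Summarise the check the way a scan report does (hypothetical format)."""
    return {
        "expected_identity": hostname,
        "checked_names": cert.subject_alt_names or [cert.common_name],
        "matches": certificate_matches(cert, hostname),
    }


if __name__ == "__main__":
    # Constructed from the values quoted in the scan output above.
    shared_host_cert = CertNames(
        common_name="*.discountasp.net",
        subject_alt_names=["*.discountasp.net", "discountasp.net"],
    )
    print(scan_finding(shared_host_cert, "qscomics.com"))        # matches: False
    print(scan_finding(shared_host_cert, "www.discountasp.net")) # matches: True
```

Running it shows why the scanner flags the service: a wildcard for the host's own domain can never cover a customer's domain, and the only fix is a certificate whose SAN list includes the name the scanner connects to.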
You might want to take a look at our knowledge base article regarding PCI compliance here: http://support.discountasp.net/KB/a319/pci-payment-card-industry-compliance.aspx Some PCI compliance companies require things that we cannot change in our hosting environment. This is because we are a shared hosting company and different users use different things on our web servers. Through our partnership with McAfee, we can offer our customers a substantial discount on the McAfee Secure™ PCI certification service. The service includes initial PCI certification, regular vulnerability scans of your web site and the ability to display the McAfee Secure™ trustmark. For details and a link to sign up, see the Marketplace page in Control Panel.
Thanks for getting back to me. It does appear that this may be one of those issues that is inherent to shared hosting. Hopefully we can switch PCI scan providers. Otherwise we may have to go with a third party payment processor to avoid PCI Scans, or migrate hosts.
Moving to a new host isn't going to help. The PCI requirements change very frequently, and we (all) have to adjust. Contact support, they can help with the second issue and help you troubleshoot the first.
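The second finding in the thread is about policy, not cryptography: the server offers `AUTH TLS` but still accepts `USER`/`PASS` on the unencrypted control channel. The Python below is an added example, not the provider's FTP server or any real product. It models an FTP control-channel handler with a `require_tls_before_login` switch and the probe a scanner effectively runs, so the weak and hardened configurations can be compared offline. Reply codes follow RFC 959 / RFC 4217, but the TLS upgrade is simulated by a flag and the `FtpAuthPolicy` class and `probe_clear_text_login` helper are assumptions for illustration.

```python
"""Model of an FTP server's authentication policy and the scanner's probe.

Added example, not code from the forum thread, the hosting provider, or any
FTP product. A real FTPS server wraps the socket in TLS after "234"; here the
upgrade is only a flag, which is enough to show the policy difference.
Command lines and replies are constructed.
"""


class FtpAuthPolicy:
    """Minimal FTP control-channel state machine (hypothetical)."""

    def __init__(self, require_tls_before_login: bool, support_auth_tls: bool = True):
        self.require_tls = require_tls_before_login
        self.support_auth_tls = support_auth_tls
        self.tls_active = False
        self.user = None
        self.authenticated = False

    def handle(self, line: str) -> str:
        cmd, _, arg = line.strip().partition(" ")
        cmd = cmd.upper()
        if cmd == "AUTH":
            if arg.upper() != "TLS" or not self.support_auth_tls:
                return "504 Security mechanism not supported"
            self.tls_active = True  # real server: negotiate TLS on the socket here
            return "234 AUTH TLS successful"
        # The hardening the scanner asks for: refuse credentials until TLS is up.
        if cmd in ("USER", "PASS") and self.require_tls and not self.tls_active:
            return "530 Use AUTH TLS before sending credentials"
        if cmd == "USER":
            self.user = arg
            return "331 Password required"
        if cmd == "PASS":
            if self.user is None:
                return "503 Login with USER first"
            self.authenticated = True
            return "230 Login successful"
        if cmd == "QUIT":
            return "221 Goodbye"
        return "502 Command not implemented"


def probe_clear_text_login(new_session) -> dict:
    """Scanner-style check: is AUTH TLS offered, and is it actually mandatory?

    `new_session` is a factory returning a fresh control-channel session.
    Two sessions are used: one to see whether AUTH TLS exists, one to try
    USER/PASS with no AUTH at all, exactly the weakness the report describes.
    """
    supports_tls = new_session().handle("AUTH TLS").startswith("234")
    session = new_session()
    user_reply = session.handle("USER scanner")
    pass_reply = session.handle("PASS not-a-real-password")
    clear_text_allowed = user_reply.startswith("331") or pass_reply.startswith("230")
    return {
        "supports_auth_tls": supports_tls,
        "clear_text_allowed": clear_text_allowed,
        "first_reply": user_reply,
        "finding": "FTP Supports Clear Text Authentication" if clear_text_allowed else None,
    }


if __name__ == "__main__":
    weak = lambda: FtpAuthPolicy(require_tls_before_login=False)
    hardened = lambda: FtpAuthPolicy(require_tls_before_login=True)
    print(probe_clear_text_login(weak))      # clear_text_allowed: True
    print(probe_clear_text_login(hardened))  # clear_text_allowed: False
```

The point the model makes is that "supports AUTH TLS" and "requires AUTH TLS" are different server settings; only the second clears the finding, and in shared hosting that setting belongs to the provider rather than the customer, which is why the reply above points to support.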