
[LUG] PCI Compliance anyone?

Any webby hostys here put their sites through this whole PCI testing thing?

One of my clients just did without mentioning it to me, then are jumping up and down because it unsurprisingly failed...

However, while I can push all the buttons to make the testing house happy (well, most of them - they're whinging about some "possible" SQL injections that the client's own code is responsible for), I feel that they're missing a few vital things. The site is on a shared server and although it has its own IP address (SSL site), there are dozens of other sites there too - so having an open FTP server scores 3 points. Sure, I could block it for their own IP address, but it still leaves it open on the 'base' server and all other sites.

Same for other trivial things like POP and so on.

One annoying thing it failed on was not having a virus checker - they sent EICARs to postmaster@it and expected it to fail. Well, it won't, as it doesn't have a virus checker; it's a Linux host (which they correctly identified!).

And interestingly, reading the documentation the client sent me, it seems that they (the testing house) wanted me to remove all firewalling and allow full access from the testing house's IP range before they started the test!

So it seems to me that this whole PCI testing thing is really a pile of junk, and people are paying good money for a 'scan' which really isn't showing anything significant at all... Or even if it passes, the server itself is still not "secure" as it's hosting other sites, etc.

So where can I sign up to be a PCI testing house???

Gordon

--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html