PCI Security Scan Failures for 3D Cart?

    Our merchant processor continues to charge us additional fees because our 3D cart stores cannot seem to pass the PCI security scans. Are other merchants having issues with this? They ran us through the wringer so badly that we finally tossed in the towel and shifted to a new processor... and lo and behold, our stores are not passing the new PCI security scans from the new company. I've found getting help on this from 3D cart is like pulling teeth... Anyone else having this issue or have some suggestions?

    Scott

  • #2
    Hey Scott Elimax .. I can't help you with this issue personally, but can you provide a little more info? Who was / is your processor? Did they give you the failure codes / specifics? Have you opened a ticket? If so, do you have the ticket #? Once you provide that, you can tag a 3dcart mod so that they can see your posts / look into this in a more expeditious fashion. Thanks! Best of luck to you.. Andrew



    • #3
      Elimax @massage I have had the same problem. It's failing because they are scanning and finding TLS v1.0 (old version). They need to have TLS v1.1 or 1.2. It's a security feature that will be disabled by June 2016 per Microsoft.

      Here's what you'll need to do. Submit a ticket to 3dcart. Send them the PCI fail report. 3dcart will need to send back to you the assessment risk sheet. Once you get the assessment, send it back to your processor. They will PASS YOU even though it's failing. ALL eCommerce stores are having the same issue. You don't have to pay extra $$ for this. Call your old processor back and see if you can get your fees back. Hope this helps.


      READ BELOW


      Dear Sir or Madam:

      Please accept this as the Risk Mitigation and Migration Plan for PCI DSS 3.1 for 3dcart Shopping Cart Software.

      A description of where and how we are currently using SSL and/or early versions of TLS, how we intend to mitigate the risks with these technologies, and our migration plan are listed below.

      1. Where are SSL/TLS 1.0 currently used in your environment?
      Our servers are still accepting TLS v1.0 from old browsers that are still being used by customers.

      2. How are you mitigating risks with SSL/TLS 1.0?
      All servers have been configured to prioritize TLS 1.1 and 1.2 ciphers.

      3. How are you monitoring for new vulnerabilities associated with SSL/TLS 1.0?
      We are constantly in contact with our PCI Scan Provider and also other security agencies and sites (Secunia.com/Symantec.com/Securitymetrics.com/Microsoft.com/isc2.org). The vulnerabilities are being monitored as all these sources release more information about them.

      4. How are you ensuring that SSL/TLS 1.0 are not introduced into your cardholder data environment? (Meaning, how can you verify that new or upgraded systems connected to your cardholder data environment don't contain SSL/TLS 1.0?)
      TLS v1.0 cannot be further introduced because the sites are all supporting 1.1, 1.2, and 1.3. SSL is fully disabled on the environment.

      5. When will your migration plan from SSL/TLS 1.0 be completed?
      All systems already have TLS 1.1 and TLS 1.2 enabled. All SSL versions have been disabled and are not supported anymore. TLS 1.0 is scheduled to be fully disabled in Q3/2015.

      Sincerely,

      Andrew Jennings
      Network Administrator
      800-828-6650



      • #4
        In my experience, 3dCart does indeed fail PCI-DSS scans from time to time. This is usually caused by the ever-evolving PCI-DSS standards, and really, this is normal and expected.

        Every time this has occurred, filing a ticket with 3dCart and submitting the relevant pages from your scanner has resulted in 3dCart getting it fixed up in usually < 24 hours. That's pretty good.

        It's important that you trigger a re-scan of your site after 3dCart gives you the go-ahead. Otherwise you will appear to be in a failed state until the next scheduled scan. Most scanners give a few freebie re-scans, since that's part of the mitigation process.

        I wouldn't submit the letter Choice Checks has posted unless 3dCart has determined that's really the sole reason you are failing PCI-DSS.
        Last edited by Alupis; 11-06-2015, 04:49 PM.
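        Before asking the scan provider for one of the free re-scans, it is worth confirming from the outside which protocol versions the storefront still negotiates. The script below is an added example, not code from the thread or from 3dcart: it attempts a handshake pinned to each TLS version in turn and applies the rule the scan report describes (TLS 1.0 accepted means fail; TLS 1.1 is reported as a warning since it is widely deprecated). The hostname is a placeholder; it assumes the standard Python `ssl` module (3.7+) and an OpenSSL that can still speak the old versions.

```python
import socket
import ssl

# Protocol versions the scan report distinguishes (SSLv2/v3 cannot be probed
# with a modern ssl module, so rely on the scanner for those).
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
EARLY = ("TLSv1.0",)       # accepted => the scan fails (what the thread describes)
DEPRECATED = ("TLSv1.1",)  # accepted => warn; most current guidance retires it too
MODERN = ("TLSv1.2", "TLSv1.3")

def accepts_version(host, port, version, timeout=5.0):
    """True if the server completes a handshake pinned to exactly `version`.
    False means the handshake failed, which also happens when *this client's*
    OpenSSL refuses the old version, so confirm against the scanner's report."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # probing protocol support, not the certificate chain
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        ctx.set_ciphers("ALL:@SECLEVEL=0")  # don't let a strict client policy mask server support
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError, ValueError):
        return False

def probe(host, port=443):
    """Map each protocol name to whether host:port negotiated it."""
    return {name: accepts_version(host, port, ver) for name, ver in VERSIONS.items()}

def evaluate(results):
    """Apply the pass/fail rule from the scan report to a probe() result."""
    early = [n for n in EARLY if results.get(n)]
    deprecated = [n for n in DEPRECATED if results.get(n)]
    modern = [n for n in MODERN if results.get(n)]
    return {
        "pass": not early and bool(modern),  # no early TLS, and a modern version works
        "early": early, "warnings": deprecated, "modern": modern,
    }

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "store.example.com"  # placeholder host
    res = probe(host)
    print(res, evaluate(res))
```

A "pass" here only covers the protocol-version finding; the scanner may still flag weak cipher suites or certificate issues that this probe does not check.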



        • #5
          Try PayPal Payments Pro for a $30/mo fee; credit cards get processed in real time, including AMEX. We've been through 16 processors in 13 years; PayPal has been the most reliable. We've used them for 4 years now.



          • #6
            Originally posted by windycityparrot:
            Try PayPal Payments Pro for a $30/mo fee; credit cards get processed in real time, including AMEX. We've been through 16 processors in 13 years; PayPal has been the most reliable. We've used them for 4 years now.
            You would probably eat your parrots and toss the feathers in the wind had you our experience with PayPal Pro. It may be wise to be reserved, a bit parsimonious with praise for PayPal.

            PayPal Pro is a pseudo merchant account with PayPal Express attached adding the much touted Seller Protection. If there is a problem with a high value order funded with a seller protection eligible PayPal Express payment, they have numerous ways to deny your compensation, and thus, save them money.


            Luxlife



            • #7
              @Luxlife, we've processed more than 70,00 online orders and never asked for a PayPal seller protection redemption; that's a non sequitur. I'd much rather fight a chargeback with PayPal than Visa. Been to both of those rodeos; PayPal gives me the money back until the chargeback goes south.



              • #8
                Originally posted by Luxlife:

                You would probably eat your parrots and toss the feathers in the wind had you our experience with PayPal Pro. It may be wise to be reserved, a bit parsimonious with praise for PayPal.

                PayPal Pro is a pseudo merchant account with PayPal Express attached adding the much touted Seller Protection. If there is a problem with a high value order funded with a seller protection eligible PayPal Express payment, they have numerous ways to deny your compensation, and thus, save them money.


                +1 for the vocabulary... I had to Google "parsimonious" lol



                • #9
                  Thank goodness for Google, I had to also LOL
