Question

PCI Compliance

Asked by: softechnics

We have an eCommerce website hosted by LunarPages. Our site collects credit card numbers and transmits them to SkipJack (credit card processing agent) for processing. We do not store the numbers nor do we transmit any more of the stripe data than the acct no, expiration date and CCV number. We have hired a service to analyze our site for PCI compliance. The report comes back with a few violations, all of which have to do with the LunarPages server configuration.

Question is, who is liable for the non-compliance? Are we (the vendor) or is LunarPages (the ISP)? We are a Level 4 merchant by PCI definition. Actually, the question probably comes down to the definition of who is transmitting the data. We collect the data through our website, but I believe LunarPages would be defined as the transmitter of that data. Hence, they carry the burden of being PCI compliant and responsible for any non-compliance.


Asked on: 2007-09-04 at 06:23:58 (ID: 22805186)
Tags: pci, compliance
Topics: E-Commerce Security, E-Commerce, Miscellaneous Security
Participating Experts: 4
Points: 500
Comments: 10

Answers

by QBRad, posted on 2007-09-04 at 06:36:08 (ID: 19825000)

I would think that both of you would be liable.  

If I am a customer of yours and give you my info and you put it in your system, I am going to assume that you are doing what you need to for the sake of security.  I'm also going to assume that you have some type of security spelled out on your site stating that your Credit Card info and any other info is secure on your site.

Then you, the company, can go after LunarPages for their lack of security, especially if it is again spelled out on their site or in their documentation.

My point is that if I get my info stolen, such as identity or credit card info, I don't care if your hosting company wasn't secure; I'm going after you since you took my info knowing that the data wasn't secure. Then I may go after LunarPages as well.

Just contact lunar pages and see what you can do to fix the issues.

by softechnics, posted on 2007-09-04 at 06:47:04 (ID: 19825073)

>> I would think...

Not good enough. I need facts and references.

We have done all we can to ensure credit card info security, i.e. SSL connection. The rest is out of our hands within the confines of our hosting agreement. However, that may not be enough to protect us from liability. This is what I'm trying to confirm.

Thanks for your response, though.

by CoccoBill, posted on 2007-09-04 at 08:08:35 (ID: 19825705)

I don't have any hard facts (apart from the PCI standard itself) or references, so take this with a grain of salt, but judging by your description you are both liable. I'm assuming that neither you nor the hosting company is PCI certified? This is from PCI DSS v1.1:

"PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted. If a PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply. These security requirements apply to all system components. System components are defined as any network component, server, or application that is included in or connected to the cardholder data environment. The cardholder data environment is that part of the network that possesses cardholder data or sensitive authentication data. Adequate network segmentation, which isolates systems that store, process, or transmit cardholder data from those that do not, may reduce the scope of the cardholder data environment. Network components include but are not limited to firewalls, switches, routers, wireless access points, network appliances, and other security appliances. Server types include but are not limited to the following: web, database, authentication, mail, proxy, network time protocol (NTP), and domain name server (DNS). Applications include all purchased and custom applications, including internal and external (Internet) applications."

The key point here is that when negotiating a deal with your hosting provider, you need to make them aware of the PCI DSS requirements and require compliance from them. Even this, however, will not remove nor limit your liability as the vendor. Appendix A in the DSS, "PCI DSS Applicability for Hosting Providers", specifies the _additional_ requirements that apply to them as a hosting provider.


If I'm wrong, someone please correct me, since I'm currently working on a PCI DSS certification project. ;)

by billwharton, posted on 2007-09-04 at 11:55:38 (ID: 19827454)

Only you would be liable. An Internet service provider or carrier is just that - they host stuff for you but they aren't responsible for what you host, etc. Almost think of it as an attitude of 'you rent an apt from your landlord' but if you decide to grow weed or have a tiger as a pet, the landlord is never held responsible.

I've seen a lawsuit with a similar law before which the ISP won. I'll try to find a link.

Your service provider needs to be informed of your exact requirements and it's up to them if they can suffice those or not.

by softechnics, posted on 2007-09-04 at 12:12:28 (ID: 19827586)

billwharton:

Do we need to be concerned about PCI Compliance if we collect data over SSL using 128-bit encryption, our ISP transmits that data to our credit card processing agent also over SSL using 128-bit encryption, and neither we nor our ISP actually records, saves or stores any of that credit card information? I would think only the credit card processing agent would possibly need to be PCI Compliant - and I'm not sure if even they would be, as long as they are not storing that data and only transmit it to the bank, also across SSL.

by billwharton, posted on 2007-09-04 at 14:07:28 (ID: 19828537)

You're putting it a little differently now, and I'll answer this question as its own.

1) The good thing you're doing here is not storing credit card data

2) If you're using SSL 128-bit, you're good for the moment. You are the transmitter though, not the service provider. The service provider simply provides you hosting resources, nothing else. They're not required to be compliant to anything except what they state in their IP SLA agreements with you.

What sections did you fail on the audit?

by CoccoBill, posted on 2007-09-04 at 14:38:49 (ID: 19828715)

Are we talking about the same PCI DSS here? :) The Payment Card Industry Data Security Standard is widely known as the most expensive security standard on the planet to implement, and it specifies around 270 detailed requirements, ranging from configuration management, regular penetration testing and auditing, 24/7 incident response teams and over 250 similar ones. Just using 128-bit SSL is not actually anything close to resembling compliance.

As stated in the PCI DSS, "if a Primary Account Number (PAN) is stored, processed, or *transmitted*".

Also regarding hosting providers, from Appendix A:

"As referenced in Requirement 12.8, all service providers with access to cardholder data (including hosting providers) must adhere to the PCI DSS."

I think those statements are quite clear.

by softechnics, posted on 2007-09-05 at 05:50:45 (ID: 19831750)

>> The good thing you're doing here is not storing credit card data

Right. And the transmission of the data is the only part of the standard to which we are exposed. This is what I'm trying to clarify.

Our ISP (LunarPages) had one major failure (level 7): their MySQL database server is listening on port 3306. It is possible to extract the version number of the remote installation by receiving the server greeting.

Again, we are not storing the CC data, so a vulnerability in their DB server should not concern us.

They also had 4 mid-level (level 4) failures:

1. The following ports were open at the beginning of the scan but are now closed: ....

Not sure what this means. It goes on to state that the open ports were closed prior to completion of the scan. Don't know if this is still a vulnerability or not.

2 & 3. The remote Apache server can be used to guess the presence of a given user name on the remote host.

Identical failures on two ports: 80 - http and 443 - https.

4. The remote service encrypts traffic using a protocol with known weaknesses (port 993: imaps).

I'll contact LunarPages on this one. They claim all upgrades and patches have been applied to their servers. Obviously, they missed this one.

I don't believe any of these vulnerabilities really affect us as long as we only transmit the data and do not store it. Agree?

If CoccoBill is correct (I assume he is), the burden of proof lies with the ISP. As you can see, all these vulnerabilities listed above lie with the ISP server. We have no control over their server configuration - we can only inform them of the vulnerabilities and leave it up to them to take corrective action. Our only recourse is to leave them and find a compliant ISP. I hate to do that because I am very satisfied (in every other way but this) with LunarPages.

by softechnics, posted on 2007-09-05 at 05:52:38 (ID: 19831765)

I'm increasing the point value on this question as it is becoming more involved and it's very important to get a definitive answer.

by tim_holman, posted on 2008-08-06 at 06:15:37 (ID: 22169810)

To clarify, whoever the owner of the credit card buys things from (i.e. the merchant) is responsible for PCI DSS compliance. If they don't store/process/transmit and hand off to a service provider, then the merchant is STILL responsible for PCI DSS compliance; however, it's quite simple to address by ensuring you have contracts in place between merchant and service provider indicating who has liability for PCI DSS compliance.
