
PCI Compliance

If you accept payment by credit card, your merchant services provider will at some point most likely require regular PCI compliance scans.

Your server was built for PCI compliance and we highly recommend signing up for free PCI scanning.

Why should I be PCI compliant?
To earn validation of PCI compliance, the network devices being audited must pass tests that probe the known methods attackers use to reach private information, as well as vulnerabilities that would let malicious software (e.g. viruses and worms) gain access to or disrupt the devices being tested.

If you have been notified that your web site does not pass PCI compliance testing, please see the sections below:

  1. Self-help. Tips and techniques to help you comply with PCI security standards.
  2. Email to scanning company. Wording you may email to the scanning company requesting that a false-positive entry be cleared from your report.
  3. Escalation of the issue. If the first two steps do not resolve the issues listed in your PCI compliance report, submit a request to our PCI compliance support team and we will work with your PCI compliance scanning company until the matter is resolved.

If the vulnerability listed in your compliance report is not described below, please contact support for review.

Vulnerability: Apache UserDir Sensitive Information Disclosure (UserDir module is enabled)
This item is ranked "high" severity in some PCI scans, though McAfee Secure ranks it low. The finding means mod_userdir is enabled, so a URL of the form http://your_domain.com/~username/ is served from that account's public_html, and a request for an existing account answers differently (classically 403) from a request for a non-existent one (404), which lets an attacker confirm account names. From a hosting company standpoint this is an essential tool for new customers and is what allows customers to use the shared SSL certificate. We do not believe it should be ranked high, given that web site usernames are not easily guessed. That said, you may do the following to clear this item from your compliance report.

Self-help
Add or update the .htaccess file in your public_html directory:

# Turn off directory listings. Options can only be set from .htaccess when the
# server's AllowOverride permits it; otherwise this line produces a 500 error.
Options All -Indexes
# Not required by the ErrorDocument lines below; harmless if mod_rewrite is loaded.
RewriteEngine On
# With a full URL, Apache answers the error with a 302 redirect to that page
# instead of the original status code, so /~realuser/ and /~bogus/ both come
# back as 302 and the scanner's 403-versus-404 comparison no longer fires.
# A document-root relative path (ErrorDocument 404 /404.shtml, the form the
# cPanel Error Pages tool writes) keeps the real status code instead.
ErrorDocument 400 http://your_domain.com/400.shtml
ErrorDocument 401 http://your_domain.com/401.shtml
ErrorDocument 403 http://your_domain.com/403.shtml
ErrorDocument 404 http://your_domain.com/404.shtml
ErrorDocument 500 http://your_domain.com/500.shtml

Create the matching 400.shtml through 500.shtml files in your public_html directory as well. You may also generate and edit these files via the cPanel Error Pages option.


Vulnerability: Web Directories Listable

Self-help
You may turn off directory listings in cPanel under Advanced Tools :: Index Manager. This has the same effect as the Options -Indexes line in the .htaccess above: Apache then returns 403 for a directory with no index file instead of listing its contents.


Vulnerability: This SMTP server is running on a non-standard port
This is a false positive. Port 26 is offered as an alternate to port 25, which many ISPs block for their customers; it is the same mail service listening on a second port.

Email to Scanning company
"My server offers port 26 as an alternate port to 25 (often blocked by ISP's). Please clear this entry from our vulnerability list."


Vulnerability: Your computer is responding to scans on this port, port 995
This is a false positive as far as the port itself is concerned: 995 is the standard port for POP3 over TLS (POP3S). Note, however, that the wording below dates from when SSLv3 and TLS 1.0 were acceptable. PCI DSS no longer treats SSL and early TLS as strong cryptography, so a current scanner that flags port 995 for offering SSLv3 or TLS 1.0 is reporting a real finding, and the remedy is to disable those protocol versions on the mail server rather than dispute the entry.

Email to Scanning company
"Port 995 is using SSLv3 and TLS 1.0. Please clear this entry from our vulnerability list."


Vulnerability: A DNS server is running on this port (reported for both TCP 53 and UDP 53, service "domain")
This is expected when the server hosts DNS for its own domains, but confirm that it is authoritative only. A server that also answers recursive queries for arbitrary names (an open resolver) is a real finding, not a false positive: a query for a name you are not authoritative for should come back without the RA (recursion available) flag set.


Email to Scanning company
"My server provides DNS for local domains. Please clear this entry from our vulnerability list."
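
The checks behind the UserDir, directory listing, port 26, port 995 and DNS findings above are easy to reproduce yourself before emailing the scanning company. The script below is an added example written for this article; it is not part of the original page or of cPanel's tooling. It uses only the Python standard library, the host name and account name are supplied on the command line, and the path /images/ and the bogus user name are assumptions for illustration. Only the request-building and decision helpers can be exercised offline; the probes need network access to your server.

```python
# Added example, not part of the original article or of cPanel/the host's tooling.
# Reproduces the checks behind the scan findings so you can verify them before
# disputing an entry. Usage: python3 pci_probe.py your_domain.com realuser
import http.client
import socket
import ssl
import struct
import sys

TIMEOUT = 5


def http_get(host, path, port=80):
    """GET a path without following redirects; return (status, Location, body)."""
    conn = http.client.HTTPConnection(host, port, timeout=TIMEOUT)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location", ""), resp.read()
    finally:
        conn.close()


def userdir_enumerable(real, bogus):
    """UserDir finding: the scanner compares /~realuser/ with /~nonexistent/.
    A differing status code (classically 403 vs 404) confirms the account.
    Takes the (status, location, body) tuples returned by http_get."""
    return real[0] != bogus[0]


def listing_exposed(status, body):
    """Directory listing finding: a 200 whose body is Apache's autoindex page."""
    return status == 200 and b"<title>Index of" in body


def smtp_greeting(host, port=26):
    """Read the server greeting on the alternate SMTP port."""
    with socket.create_connection((host, port), timeout=TIMEOUT) as s:
        return s.recv(512).decode("ascii", "replace").strip()


def is_smtp(banner):
    """RFC 5321: an SMTP server opens the session with a 220 reply."""
    return banner.startswith("220")


def tls_version(host, port=995):
    """Handshake on the POP3S port and return the negotiated protocol name,
    using this Python build's default protocol range. Certificate checks are
    disabled because only the protocol version matters for this probe."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=TIMEOUT) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


def build_dns_query(name, txid=0x1234):
    """Minimal DNS A query for name with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def ra_flag_set(response):
    """True if the RA (recursion available) bit is set in the DNS header flags."""
    flags = struct.unpack("!H", response[2:4])[0]
    return bool(flags & 0x0080)


def open_resolver(host, name="example.com", port=53):
    """Ask the server to resolve a name it is not authoritative for (assumed:
    example.com). RA set in the reply means it offers recursion to anyone."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(TIMEOUT)
        s.sendto(build_dns_query(name), (host, port))
        data, _ = s.recvfrom(512)
    return ra_flag_set(data)


def main(host, real_user):
    real = http_get(host, f"/~{real_user}/")
    bogus = http_get(host, "/~nosuchuser_zz9/")  # assumed not to exist
    print("UserDir enumerable:", userdir_enumerable(real, bogus), real[:2], bogus[:2])
    status, _, body = http_get(host, "/images/")  # any directory without an index file
    print("Directory listing on /images/:", listing_exposed(status, body))
    print("Port 26 is SMTP:", is_smtp(smtp_greeting(host)))
    print("Port 995 negotiated:", tls_version(host))
    print("Open recursive resolver:", open_resolver(host))


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: pci_probe.py HOST REAL_USER")
    main(sys.argv[1], sys.argv[2])
```

The UserDir check compares status codes because that is what the scanner's 403-versus-404 test keys on; the script also prints the Location headers so you can see whether the redirect targets still differ between a real and a bogus account. A "False" for the open resolver check and a TLS 1.2 or later version on port 995 are what you want to see before sending the emails above.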


Vulnerability: OpenSSL Password Interception
This is a false positive when the installed OpenSSL already contains the fix. Scanners raise this item from the version string the server reports, and distributions such as Red Hat backport security fixes without changing that string, so check the installed package and its changelog (for example rpm -q openssl and rpm -q --changelog openssl) rather than the banner. Any currently supported OpenSSL release is far newer than 0.9.7a.

Email to Scanning company
"My server is running openssl version OpenSSL 0.9.7a or later. Please clear this entry from our vulnerability list."



Properties ID: 000122   Views: 3372   Updated: 13 years ago