We received an alert that we need to correct some issues with PCI compliance.

Is there a service we can use to quickly resolve these issues?

The auditing firm issuing the alert provides uninformative messages and instructions on how to correct the errors.

For instance, we got flagged on this security violation, "Description: Cross-site scripting vulnerability in category parameter to URL X."

But there was no help whatsoever.

Crashalot

3 Answers

No - there is not a quick solution to this problem.

Your options are:

  1. Engage an IT security firm or consultant who has experience with PCI compliance and will be able to guide you through the process. (This may be the fastest, but it has the highest real dollar cost.)
  2. Fix the issues yourself by learning how to interpret the audit findings. (This may require help from several folks on your team.)
    1. Gather the appropriate people from your team
      • Programmer (for software fixes - ideally with application security experience)
      • Network security engineer (for network security fixes)
      • Business analyst (someone who understands your interactions with credit card data)
      • Compliance specialist (if you have one)
    2. Review the audit findings report and isolate each negative finding.
    3. Assess each negative finding to understand the issue and assign someone to fix it.
      • The example you mentioned "Description: Cross-site scripting vulnerability in category parameter to URL X." is just a possible IT security vulnerability and is not directly related to PCI compliance but is likely to be flagged in an audit.
      • Auditors will typically run automated vulnerability scanning tools against applications and these tools often cause false positives. For example: the XSS vulnerability may not be a real vulnerability but the tool is flagging it as suspicious. In my experience it is easier to just fix these issues than to try to explain why it is a false positive each time.
    4. Review the PCI DSS guidelines to make sure you understand them and that there are not other areas that need to be addressed.
    5. You should be ready for the next PCI DSS audit now!
jamiescott
Searching with the search phrase "information security firm" should get you started in the right direction.

user48838
  • Thanks, but we're not looking to engage a consulting firm. Are there any free resources or web tools we can use to help narrow PCI compliance? – Crashalot May 26 '11 at 19:14
  • For instance, this is one area we got flagged on: "Description: Cross-site scripting vulnerability in category parameter to URL X." – Crashalot May 26 '11 at 19:17
  • @Crashalot, what do you suppose a "service we can use to quickly resolve these issues" is? What exactly are you looking for if you weren't looking for some security firm to help you? For your XSS vulnerability, you should pass that information on to the programmer who built whatever script is at that URL. – Brad May 26 '11 at 19:24
  • Crashalot, in that case, the actual test descriptions/condition would serve as the road-map against addressing the findings. The tools and resources will most likely vary based on each specific test condition. There may be some tools (whether free or otherwise) which might try to capture a snapshot of the tests, but their mileage will vary based on how current they stay up to date with any changes across time. – user48838 May 27 '11 at 19:42
Well, that actually should be enough to identify the application and route that is causing an XSS vulnerability. Your devs should be able to identify the code path that causes that and fix it. If it's not an internal application, you are going to need to engage the vendor to get it resolved. This is assuming that they are giving you a real URL and not just 'X'; if they are passing you just 'X', then you need to ask for clarification from the auditing firm.

Zypher
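As an added illustration (not code from the question or any of the answers) of what a finding like "Cross-site scripting vulnerability in category parameter to URL X" usually comes down to, and of how a developer closes it out: the route `/products`, the page template and the probe string below are all hypothetical and constructed for this example.

```python
import html
from urllib.parse import parse_qs, quote, urlparse

# Hypothetical page template; the scanner's finding is about where the
# "category" value lands inside it.
PAGE = "<h1>Products in category: {cat}</h1>"


def category_from_url(url: str) -> str:
    """Pull the 'category' query parameter out of a request URL."""
    qs = parse_qs(urlparse(url).query, keep_blank_values=True)
    return qs.get("category", [""])[0]


def render_vulnerable(url: str) -> str:
    # The pattern the scanner flags: untrusted input is pasted straight
    # into the HTML response, so any markup in it is interpreted by the browser.
    return PAGE.format(cat=category_from_url(url))


def render_fixed(url: str) -> str:
    # The fix: encode the value for the context it lands in. html.escape with
    # quote=True also encodes ' and ", so the same helper is safe inside a
    # quoted attribute value, not only in element content.
    return PAGE.format(cat=html.escape(category_from_url(url), quote=True))


# Constructed, harmless marker carrying the HTML metacharacters a scanner
# cares about (< > " =). If it comes back byte-for-byte, the parameter is
# reflected without encoding and the finding is real.
PROBE = '<x-probe a="1">'


def reflects_unescaped(render, probe: str = PROBE) -> bool:
    """Regression check mirroring what the audit scanner does: request the
    flagged URL with the marker in 'category' and look for it, unencoded,
    in the response body. Returns True while the page is still vulnerable."""
    url = "/products?category=" + quote(probe, safe="")
    return probe in render(url)


if __name__ == "__main__":
    print("before fix, probe reflected:", reflects_unescaped(render_vulnerable))
    print("after fix, probe reflected: ", reflects_unescaped(render_fixed))
    print(render_fixed("/products?category=" + quote(PROBE, safe="")))
```

Kept as a unit test against the real handler, the same check stops the finding from reappearing in the next scan and gives the developer something concrete to hand back to the auditor.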