PCI compliance and VM server administrator

I have a situation where an application has to encrypt/decrypt some credit card data, each encryption key (it could be symmetric or private asymmetric) has to be in two separate places, managed by different people. One person cannot have access to any part of the key and the ciphertext it decodes at once. The application is a Windows service, it will have to have access to the whole key and the ciphertext in order to work on/process the decrypted data.

How can I make sure the server administrator (we use VMs) does not have access to both the key and ciphertext, but since it’s an admin account it will have full control over the VM (and thus the service)?

General question relating to ISO 27001 compliance

I received a question as follows: Does the vendor solution need to have the ISO 27001 certification for the application itself, or just for the hosting of the platform?

In my understanding, ISO 27001 cert concerns companies/vendors and includes both the solution and the hosting platform. Are they separable? In the case of a SaaS solution, can I have the platform certified and the app not?


PCI Compliance & Third Parties

Let’s say there is a company (name: X) which is PCI certified and compliant as a merchant. In terms of PCI compliance, what does company X have to consider while working with third parties? E.g. for a business reason company X needs to forward hashed PAN numbers to a third-party provider (name: Y). What does company X have to do in order not to violate PCI compliance? Is there a document I can read?

Thank you,

Final-Mile Shipping Company Wants Customer Email Address – PCI Compliance Issue? (United States)

My company ships very large, very heavy products to the homes of everyday consumers (think big home renovation materials). Currently, we provide the customer’s name, shipping address, and phone number to the factory. The factory then provides that information to a freight company, who then provides it to a final-mile delivery company.

The final-mile delivery company wants us to provide the customer’s email address so they can improve the delivery time frame. Customers are significantly more likely to respond to an email than they are to a phone call. Text messaging isn’t, apparently, effective enough either, because there are still land lines in play.

We ship only to the continental United States, so we don’t fall immediately under the GDPR umbrella, but my concern is that providing this email address to other businesses in our manufacturing and delivery pipeline will have PCI compliance consequences.

It would be simple if I could just add a disclaimer to our Terms and Conditions explaining that we will give the customer’s email address to other entities for the purposes of shipping and delivery, and that the information won’t be used for marketing purposes; but I’m afraid there are implications I’m not considering.

Can anyone provide any insights about how I should approach this problem?

SOC 1 & 2 compliance with outsourced development team?

My company just hired a team in India for development work. They will have full access to our network via VPN. They will not have access to client data directly. My question is…

Are we required to follow the same controls for offshore contractors as we do for full-time employees? i.e. background checks, NDAs, policy approvals, security awareness.

HIPAA Compliance: Employees/Contractors accessing patient health info from another country?

We are a digital health tech startup dealing with mental health. Our tech team is remote (South America & Asia) and our operations are in Australia & US. I haven’t been able to understand whether allowing remote access from another country affects HIPAA compliance.

Bringing in more controls on data access/requiring a VPN etc. isn’t a problem. I can get those in place. But I wasn’t able to find anything in the legislation (which does not go into specifics) or industry blogs about the impact of remote access from another country. Is all remote access the same for HIPAA?

WCAG 2.0 compliance: do I have to support browsers which don’t support JavaScript?

WCAG 2.0 has some requirements on robustness: “Content must be robust enough that it can be interpreted reliably by a wide variety of user agents, including assistive technologies”, but it doesn’t mention JavaScript explicitly.

Now I have a project where I have to meet WCAG 2.0 recommendations. Do I have to support browsers / user agents which don’t support JavaScript?

PayPal and PCI Compliance

I currently manage a few of my client’s websites on a couple of shared hosting providers, “A2Hosting” and “Interserver”. My client wants to make a simple webstore and accept payments from said webstore. I was going to implement this by passing off the transaction to PayPal, letting them handle the entire checkout part and all credit card information.

Will this be PCI compliant (SAQ-A, I hope) on my end? I currently have the website SSL locked down with “Let’s Encrypt”. I will be storing no user payment information in the databases and will not be touching any payment information on my server (handing off to PayPal entirely).

Do I have to file anything for this? Or will simply obtaining an AoC from PayPal be enough to cover this?

How to Remove / Find out if it’s Installed: Oracle iPlanet Web Server on Ubuntu – PCI Compliance Vulnerability

I’m in the last stretch of getting a server fully PCI compliant; however, there are 2 more points I have spent hours researching and can’t find accurate or up-to-date information about.

On the scans I’m getting these 2 flags as High Risk Vulnerabilities:

  1. WebSphere JSP source disclosure in web document root
  2. Sun ONE Application Server source disclosure

The server OS is Ubuntu Server 16.04.5 LTS and it is running:

  • Odoo V11 Enterprise Edition
  • Postfix 3.1.0
  • Dovecot 2.2.22
  • Apache 2.4.38
  • PostgreSQL 11.3
  • Python 2.7.12
  • Python 3.5.2

When I run a scan and try the following:

    Information From Target:
    Service: https
    Sent:
        GET /web/content/59950-fae3f18/index.JSP HTTP/1.0
        Host: novathreads.us
        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
        Connection: Keep-alive
        Cookie: session_id=7e72f6c77a05598387c0d015fa80050966f5cffe

I get:

    Received:
        return _.isFunction(value)?value.call(object):value;};var idCounter=0;_.uniqueId=function(prefix){var id=++idCounter+'';return prefix?prefix+id:id;};_.templateSettings={evaluate:/<%([\s\S]+?)%>/g,interpolate:/<%=([\s\S]+?)%>/g,escape:/<%-([\s\S]+?)%>/g};var noMatch=/(.)^/;var escapes={"'":"'",'\\':'\\','
    And:
        return _.isFunction(value)?value.call(object):value;};var idCounter=0;_.uniqueId=function(prefix){var id=++idCounter+'';return prefix?prefix+id:id;};_.templateSettings={evaluate:/<%([\s\S]+?)%>/g,interpolate:/<%=([\s\S]+?)%>/g,escape:/<%-([\s\S]+?)%>/g};var noMatch=/(.)^/;var escapes={"'":"'",'\\':'\\','

This is being flagged by my Approved Scanning Vendor as a High Vulnerability, as it is exposing information about the session and server.

I have searched intensively and it seems that either these are deprecated or very specific in use.

The only semi-useful information I found is that those don’t exist anymore and have nowadays turned into Oracle iPlanet Web Server.

What I desperately need is a way to find out if they’re installed, to either disable them or prove to my ASV that they’re not installed and dispute the vulnerability.

Would someone be kind enough to show me how I can determine if they’re installed or not?

Will this work to try to deny execution of .jsp files on Apache?

    # Apache 2.4 syntax (the server runs 2.4.38): "Order allow,deny / Deny from all"
    # is 2.2 syntax and only works in 2.4 if mod_access_compat is loaded. The original
    # pattern had stray spaces inside the quotes ("\.jsp$  ") so it could never match,
    # and it was case-sensitive, so it would not have matched the scanner's "index.JSP".
    # Note that <Files>/<FilesMatch> only apply to requests Apache maps to a file on
    # disk; a path handed to a proxied backend (such as Odoo's /web/content/...) is
    # not one, so for that use <LocationMatch "(?i)\.jsp$"> with the same body.
    <FilesMatch "(?i)\.jsp$">
        Require all denied
    </FilesMatch>
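An added triage script for the finding above (my own example, not the poster's configuration, the ASV's check, or Odoo's code). The body the scanner returned is recognisably underscore.js: its templateSettings hold the regex literals /<%([\s\S]+?)%>/g, /<%=([\s\S]+?)%>/g and /<%-([\s\S]+?)%>/g, so a signature that looks for JSP tags (<% ... %>) will fire on that JavaScript even though no .jsp file was served. The script reproduces that crude match, then applies a stricter rule of my own (a JSP page directive such as <%@ page or <%@ taglib, or a <% that is neither the start of a JS regex literal nor inside a JS string) to separate a real leak from a false positive. The scan fragment is re-typed from the question; the LEAKED_JSP and review samples are constructed; the literal-detection heuristic is an assumption, not a scanner vendor's logic.

```python
"""Triage an ASV "JSP source disclosure" hit: real JSP source, or a '<%'
signature firing on JavaScript template regexes?"""
import re

# Re-typed from the scan output in the question: minified underscore.js.
# Every '<%' here is the start of a JS regex literal (preceded by '/').
SCAN_BODY = (
    "return _.isFunction(value)?value.call(object):value;};var idCounter=0;"
    "_.uniqueId=function(prefix){var id=++idCounter+'';return prefix?prefix+id:id;};"
    "_.templateSettings={evaluate:/<%([\\s\\S]+?)%>/g,interpolate:/<%=([\\s\\S]+?)%>/g,"
    "escape:/<%-([\\s\\S]+?)%>/g};var noMatch=/(.)^/;"
    """var escapes={"'":"'",'\\\\':'\\\\','"""
)

# Constructed sample of what a genuine JSP source leak would look like.
LEAKED_JSP = (
    '<%@ page import="java.sql.*" %>\n'
    '<% String dbPass = "hunter2"; %>\n'
    '<html><body><%= request.getParameter("name") %></body></html>\n'
)

# Constructed: scriptlet-looking text with no directive; needs a human look.
AMBIGUOUS = "<html><% out.println(1); %></html>"

JSP_TAG = re.compile(r"<%")
JSP_DIRECTIVE = re.compile(r"<%@\s*(page|taglib|include)\b")


def naive_signature_fires(body: str) -> bool:
    """Roughly what a crude scanner check does: any '<%' anywhere in the body."""
    return JSP_TAG.search(body) is not None


def jsp_tags_outside_literals(body: str) -> int:
    """Count '<%' occurrences that are neither the start of a JS regex literal
    (immediately preceded by '/') nor inside a single/double-quoted JS string.
    Heuristic (assumption): enough to tell minified JS from JSP text."""
    count = 0
    in_str = None  # quote character of the string we are inside, if any
    i = 0
    while i < len(body):
        ch = body[i]
        if in_str:
            if ch == "\\":          # skip escaped character inside the string
                i += 2
                continue
            if ch == in_str:
                in_str = None
        elif ch in "'\"":
            in_str = ch
        elif body.startswith("<%", i) and (i == 0 or body[i - 1] != "/"):
            count += 1
        i += 1
    return count


def classify(content_type: str, body: str) -> dict:
    """Return a verdict plus the evidence you would attach to an ASV dispute."""
    ctype = content_type.split(";")[0].strip().lower()
    directive = JSP_DIRECTIVE.search(body) is not None
    outside = jsp_tags_outside_literals(body)
    if directive:
        verdict = "jsp-source"          # page/taglib directive: real JSP text
    elif not naive_signature_fires(body):
        verdict = "no-match"            # the crude signature would not fire
    elif outside == 0:
        verdict = "false-positive"      # every '<%' is a JS regex/string literal
    else:
        verdict = "review"              # scriptlet-like text, look at it by hand
    return {
        "verdict": verdict,
        "content_type": ctype,
        "naive_hit": naive_signature_fires(body),
        "jsp_directive": directive,
        "tags_outside_literals": outside,
    }


if __name__ == "__main__":
    for label, ctype, body in (
        ("scan result", "application/javascript", SCAN_BODY),
        ("constructed leak", "text/html", LEAKED_JSP),
        ("constructed ambiguous", "text/html", AMBIGUOUS),
    ):
        print(label, classify(ctype, body))
```

Run it against the body and Content-Type captured from the same request (curl -i with the scanner's path); a "false-positive" verdict with content_type application/javascript and tags_outside_literals 0 is the evidence to put in the dispute, together with the observation that the bytes are underscore.js rather than anything interpreted as JSP. Odoo's /web/content/<id>-<hash>/<filename> route looks the attachment up by id and treats the trailing name as cosmetic, so fetching the same path with a different extension should return the same bundle, which is a quick second piece of evidence that no .jsp is being interpreted.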