News and Information

Dealing with PCI Compliance Issues on Ecommerce Websites

PCI DSS 3.1 compliance is becoming increasingly difficult for small businesses.  The PCI guidelines do not always reflect reality, and a small business is faced with hiring expensive consultants and paying high costs to come into compliance for a business that often does not generate a lot of revenue.

If a PCI scan fails with the result "Insecure SHA-1 Certificate Signature Algorithm in Use", there are relatively simple ways to handle it.  You can purchase a third-party signed certificate for $400+ per year, or you can self-sign a certificate.  The latter is definitely not the ideal scenario: a self-signed certificate is not trusted by clients, and the same scan will usually report it as a separate finding (untrusted or self-signed certificate) that you will have to address or dispute with the scanning vendor.  But many small businesses simply cannot afford additional expenses such as the cost of a certificate, and what the failing finding actually tests is the signature algorithm, which a self-signed SHA-256 certificate does fix.

The following information was gathered from several places around the internet; it was not available in one place and was difficult to collect and understand.  It has been tested on Windows Server 2012 R2 and requires some knowledge of the Windows command prompt and Windows servers in general.  The finding concerns the certificate that Remote Desktop Services presents on TCP port 3389: by default Windows generates that certificate itself, and the steps below replace it with a SHA-256-signed one.  Since the scanner can reach port 3389 at all, also ask whether Remote Desktop needs to be exposed to the internet; restricting it to a VPN or a firewall allow-list removes this finding and a much larger exposure at the same time.


1. Download the file New-SelfSignedCertificateEx.ps1 from the following website: https://gallery.technet.microsoft.com/scriptcenter/Self-signed-certificate-5920a7c6

2.  Run PowerShell as an administrator.

3.  Navigate to the folder containing the New-SelfSignedCertificateEx.ps1 file.  A script downloaded from the internet is marked as coming from the Internet zone and is blocked by the default RemoteSigned execution policy; clear that mark first with Unblock-File -Path .\New-SelfSignedCertificateEx.ps1 (or allow it explicitly with Set-ExecutionPolicy).

Next you must "dot-source" it, i.e. type a dot, a space and the script path, which loads the script's function into the current session:

. .\New-SelfSignedCertificateEx.ps1

4.  Execute this command in PowerShell, replacing [SERVERNAME] with the name clients use to connect to the server:

New-SelfSignedCertificateEx -Subject "CN=[SERVERNAME]" -EKU "Server Authentication" -KeyUsage "KeyEncipherment, DataEncipherment" -StoreLocation "LocalMachine" -SignatureAlgorithm sha256 -Exportable -NotAfter 2020/04/01

-SignatureAlgorithm sha256 is the part that clears the finding.  Leave the RSA key at 2048 bits (the script's default), since scans flag short keys as well, and set -NotAfter to a date in the future; the date above was current when this was written.


5.  Next, open the Personal certificate store of the local computer (certlm.msc, or mmc with the Certificates snap-in for the computer account), find the newly created certificate and open its properties to find the SHA-1 thumbprint, e.g. cb 84 88 55 a7 5c 39 8f 5f 23 c4 c6 d5 a1 11 72 d3 48 ec 92.  Remove the spaces and insert it where it says THUMBPRINT in step 7.  (The thumbprint is a SHA-1 hash of the whole certificate that Windows uses only to identify it; it is unrelated to the SHA-1 signature algorithm the scan objected to, so a SHA-1 thumbprint is fine.)

6.  Copy the certificate from the Personal store into the Remote Desktop store (Certificates (Local Computer) > Remote Desktop > Certificates).  Also make sure that NETWORK SERVICE, the account Remote Desktop Services runs as, has read permission on the certificate's private key (right-click the certificate > All Tasks > Manage Private Keys); without it RDP keeps presenting its old certificate.


7.  Run the following at a command prompt as administrator (with the spaces removed from the SHA-1 thumbprint):

wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="THUMBPRINT"

You can confirm that the change took effect by reading the value back:

wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Get SSLCertificateSHA1Hash

8.  Delete the old certificate from the Remote Desktop store, then rescan.  Connecting with mstsc and viewing the certificate from the trust warning should now show sha256RSA as the signature algorithm.
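The eight steps above as a single PowerShell script.  This is an added example, not code from the original page or from the author of New-SelfSignedCertificateEx.  It assumes the script has been downloaded into the current directory, that the Remote Desktop listener has its default name RDP-Tcp, that the script accepts -KeyLength (the gallery version does, defaulting to 2048) and creates a CSP-backed RSA key, and that clients connect using the computer name in $env:COMPUTERNAME (replace it if they use a different name).  It differs from the command in step 4 by requesting DigitalSignature plus KeyEncipherment key usage, which covers both RSA and ECDHE key exchange, and it adds the private-key permission grant and the read-back check that the manual steps leave implicit.

```powershell
# Added example: steps 1-8 of the procedure above as one script for
# Windows Server 2012 R2.  Run from an elevated PowerShell prompt in the
# folder that holds New-SelfSignedCertificateEx.ps1.

$serverName = $env:COMPUTERNAME   # assumption: replace with the name clients connect to
$scriptPath = Join-Path (Get-Location) 'New-SelfSignedCertificateEx.ps1'

# Steps 1-3: a file downloaded from the web carries an Internet-zone marker that
# the default RemoteSigned policy refuses to run, so clear it, then dot-source.
Unblock-File -Path $scriptPath
. $scriptPath

# Step 4: SHA-256-signed, 2048-bit RSA, server-authentication certificate in the
# local machine store.  -SignatureAlgorithm sha256 is what clears the scan finding.
New-SelfSignedCertificateEx -Subject "CN=$serverName" `
    -EKU 'Server Authentication' `
    -KeyUsage 'DigitalSignature, KeyEncipherment' `
    -KeyLength 2048 `
    -SignatureAlgorithm sha256 `
    -StoreLocation 'LocalMachine' `
    -Exportable `
    -NotAfter (Get-Date).AddYears(2)

# Step 5: find the certificate just created (newest one with our subject).
# PowerShell already reports the thumbprint without spaces.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$serverName" } |
    Sort-Object NotBefore -Descending |
    Select-Object -First 1
if (-not $cert) { throw "certificate for CN=$serverName not found in LocalMachine\My" }
if ($cert.SignatureAlgorithm.FriendlyName -ne 'sha256RSA') {
    throw "unexpected signature algorithm $($cert.SignatureAlgorithm.FriendlyName)"
}
$thumbprint = $cert.Thumbprint

# Step 6: copy it into the Remote Desktop store.
$rdStore = New-Object System.Security.Cryptography.X509Certificates.X509Store('Remote Desktop', 'LocalMachine')
$rdStore.Open('ReadWrite')
$rdStore.Add($cert)
$rdStore.Close()

# Remote Desktop Services runs as NETWORK SERVICE and must be able to read the
# private key, otherwise it silently keeps presenting its own certificate.
# Assumption: CSP-backed key, so the key file lives under MachineKeys.
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyPath = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $keyName
icacls $keyPath /grant 'NT AUTHORITY\NETWORK SERVICE:R' | Out-Null

# Step 7: point the RDP-Tcp listener at the new certificate.  This is the same
# WMI class the wmic command in step 7 modifies.
$ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
    -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
$ts.SSLCertificateSHA1Hash = $thumbprint
[void]$ts.Put()

# Step 8: remove every other certificate from the Remote Desktop store.
Get-ChildItem 'Cert:\LocalMachine\Remote Desktop' |
    Where-Object { $_.Thumbprint -ne $thumbprint } |
    Remove-Item

# Verify: read the listener setting back instead of trusting the Put() call.
$check = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
    -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
if ($check.SSLCertificateSHA1Hash -ne $thumbprint) {
    throw 'RDP-Tcp listener still references the old certificate'
}
Write-Host "RDP-Tcp now presents $thumbprint ($($cert.SignatureAlgorithm.FriendlyName), expires $($cert.NotAfter))"
```

After it runs, repeat the PCI scan.  If the listener still shows the old thumbprint, the most common cause is the private-key permission for NETWORK SERVICE, which is why the script grants it explicitly rather than relying on the manual "Manage Private Keys" step.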


 


Handling CVV codes in MOTO transactions on e-commerce sites

We were presented with the challenge of developing a credit card payment method that also complied with the payment networks' PCI DSS requirements.

Specifically, we wanted all the protection of using the CVV code without the liability of storing it in our database. PCI DSS (Requirement 3.2) prohibits a merchant or service provider from storing the CVV after authorization at all, even in encrypted form; only card issuers may retain it. So a merchant's only real option is to use the CVV during authorization and then discard it.

Unfortunately, the payment networks don't provide good information on how to work around these issues. So I am providing this information as a service for others who may have similar issues.

The CVV code is a three- or four-digit code printed on the card (on the back for most brands, on the front for American Express). It is not encoded in the magnetic stripe, so it is intended to reduce fraud by requiring, in theory, that the purported cardholder have the card physically in their possession.  In reality, anyone who temporarily has the card in their possession (such as a restaurant server or cashier) can read and copy the CVV code.

On an e-commerce site, the questions are when to collect the CVV and when (and whether) to store it.

Based on our experience, our recommendation is to check the CVV code when the card information is first presented by the buyer, using an AUTH transaction. Keep the CVV in memory only for the duration of that request: never write it to the database, to log files or to session storage. If the processor reports the CVV as valid, discard it and store a flag such as is_cvv_valid = True, together with the processor's CVV response code and the authorization code or transaction ID it came back with, since that is the evidence you will need later.

When the sale is completed, store this flag along with the encrypted card number (or, better, with the processor's token in place of the card number, which keeps the PAN out of your database entirely).

According to our representatives at the payment processors, interchange is not downgraded for failing to include the CVV in a transaction request. However, a validated CVV does provide some protection against chargebacks, which is why it is important to store the validity flag: if a dispute arises, you can present evidence showing that you checked the CVV and it came back as valid. Store the flag with the transaction details rather than only with the customer record, so the evidence is tied to the specific authorization being disputed.

I hope this helps some people.

Ensuring legal compliance in the software development process

Most software developers are knowledgeable about software. They may or may not know the business requirements well unless they are developing against a known set of requirements. But beyond business requirements there is also the matter of legal and compliance requirements, and these days it is hard to find any industry that does not have some.

Legal compliance is one area that is almost never addressed during software development, except in highly regulated businesses or in Fortune 500 companies that have vast legal resources. I have been involved in such practices in the past and know this is the case. But I would estimate that the large majority of small developers, and even most SMB applications, never undergo a legal or compliance review.

A simple example is CAN-SPAM Act compliance. During a review of an entire vertical industry in the CRM space, not one software application had made any effort to include any kind of CAN-SPAM compliance. My feeling is that most of the developers didn't even understand the regulations, much less have any idea how to implement them. Our experience was that the implementation for our clients was quite simple and really did not involve much work; it only required a basic understanding of the laws and regulations.

When software projects are over budget, which almost all are or will be at some point, it is easy to cut compliance measures. But I would argue that this is very short-sighted, since including such functionality is, as described above, quite easy and can provide a competitive advantage to those who take the subject on.

Hire a software developer or consultant who has experience with legal and compliance issues and who takes a complete view of the software development process. It will be money well spent.

For more information about this or any other subject, please contact us at www.goldcirclesystems.com