PCI Compliance issues reported by scanning company

[NEAPMS]

We are using Zen Cart 1.3.9. Our PCI Compliance scans were fine through May, but we have failed the last 3. Here are the issues from the Scan:

--------

1 - Problem: The service running on this port (most often Telnet, FTP, etc…) appears to make use of a plaintext (unencrypted) communication channel. Payment industry policies (PCI 1.1.5.b, 2.2.2.b, 2.3, & 8.4.a) forbid the use of such insecure services/protocols. Unencrypted communication channels are vulnerable to the disclosure and/or modification of any data transiting through them (including usernames and passwords), and as such the confidentially and integrity of the data in transit cannot be ensured with any level of certainty.
Fix: The service running on this port (most often Telnet, FTP, etc…) appears to make use of a plaintext (unencrypted) communication channel. Payment industry policies (PCI 1.1.5.b, 2.2.2.b, 2.3, & 8.4.a) forbid the use of such insecure services/protocols. Unencrypted communication channels are vulnerable to the disclosure and/or modification of any data transiting through them (including usernames and passwords), and as such the confidentially and integrity of the data in transit cannot be ensured with any level of certainty.

2-Problem: There is a web application running on this host that transmits login credentials over HTTP, which is a cleartext protocol. As such, if an attacker was able to intercept traffic containing login credentials, it would be trivial to view user account and password information.
Fix: All web application communications containing sensitive information should be transmitted using SSL/TLS (HTTPS). If re-direction from HTTP to HTTPS is utilized in an attempt to remediate this finding, please ensure that such re-direction occurs on the server side of the system (for example via the use of the HTTP "Location" header element) and that re-direction is not reliant upon the client (browser) side.

3-Problem: One or more remote access services were detected on the remote host. As defined by the PCI ASV Program Guide: "remote access software includes, but is not limited to: VPN (IPSec, PPTP, SSL), pcAnywhere, VNC, Microsoft Terminal Server, remote web-based administration, ssh, Telnet."
Fix: Note to scan customer: Due to increased risk to the cardholder data environment when remote access software is present, please 1) justify the business need for this software to the ASV and 2) confirm it is either implemented securely per Appendix C or disabled/ removed. Please consult your ASV if you have questions about this Special Note.

-----------

We do need help with this as much of this language is not clear. I cannot be sure if we need to do something on the site or not. We are also in contact with our hosting company. Any leads on what we should do to rectify this situation would be much appreciated.

[dbltoe]

Part of this is the responsibility of your host and the other may or may not be yours. Do you have an SSL certificate installed? Are you on a shared server? Have you addressed any of this to your host?

Did you read the posting tips? One of the Questions is -- "WHEN did the problem "start"? How does that compare with other events of your hosting company, changes you've made to your site files/addons, or your admin settings, etc?" You addressed the first part but there's a lot more to be learned by answers from the last part.

Some of these problems might be caused by an older mod or a checkout mod.

<soapbox>Why is it that people come to the forum and don't seem to want to provide all the information they can to solve their problem? If I report a problem (regardless of who gets the report), I'll generally include everything I can that might remotely be helpful. Including what color socks I was wearing when it happened.</soapbox>

Perhaps we need to add to the posting tips -- "Do you have SSL installed? Standard or Full Cart?"

[DrByte]

#1 and #3 are definitely things your host needs to fix

#2 could be related to something completely separate from your ZC store. Posting the details of their proof-of-concept is critical in determining what exactly the vulnerable component is. What you posted is basic generic info and contains no URLs to your store or the pages where the alleged problem was found. The URL to the problematic pages is crucial. If the URL in those problematic pages doesn't point to a URL of your actual ZC store area, then take the matter to your host to fix because it's probably related to another login service offered by the server generally, and not to your store or Zen Cart.

[NEAPMS]

Hi

Sorry for not including all info, but, to be honest, I'm not always sure what full info would be.

At any rate - yes there is an SSL and we have the standard cart. I am addressing this issue with the host company who are being less than helpful. I have not been able to ascertain if server upgrades, changes or anything else might have occurred during June on the server. It is, I believe, a shared server. To my knowledge, nothing was done to the site itself between a passed PCI scan on May 30, 2013 and a failed scan on June 30, 2013.

I am considering advising an upgrade to the current version of the cart to see if that takes care of the problem. I'm hoping to get more info from the hosting company but I'm not holding my breath.

Thanks for your reply. Any other helpful thoughts/suggestions would be welcome.

[NEAPMS]

Thank you, this info is helpful. I will, hopefully get some feedback from the hosting company.

[DrByte]

You said you're using v1.3.9. And, while there were no major security issues between 1.3.9 and 1.5.0, there were changes made to 1.5.0 to tighten things up for PCI compliance reasons. So an upgrade may be helpful.
But chances are the reason your scan started failing suddenly is that PCI standards continue to evolve over time, and when new vulnerabilities are found in old software (whether that "software" is tools and support services on your hosting account, or in apps you install yourself like ZC) the results of the new scanning rules may cause scans to fail when they didn't previously.
It behooves good hosting companies to continue to keep their server software up-to-date ... and merchants to keep their stores up-to-date too.
Even PHP versions which were considered acceptable 3 months ago might be considered unsafe now because of problems found in them since then. It's those kinds of things that you *want* the scanner to find so they can be fixed.
Hopefully your hosting company will be responsive to the need. If not, there are many hosts that keep their servers tuned for compliance, and some of them even specialize in Zen Cart. See the "Services" tab at the top of this page for some suggestions.