PCI Security Scan: Prevent IP and Port from being disclosed

Adam Siemiginowski

Occasional Visitor
Hello,

I am running an Asus RT-AC87U, and recently failed a PCI Assessment Security Scan (Credit Card Merchant) for the following logic:

"We have denied this dispute based upon manual investigation confirming that the encoded IP address and port of the information server is being disclosed.

As far as relevance to PCI-DSS, this finding would constitute a violation of Requirement 6 - Develop and Maintain Secure Systems and Applications, more specifically Requirement 6.2, as potentially sensitive data is disclosed to an outside attacker."

How would you advise I test / resolve this? We have our firewall turned on, and pass all points in the Router's Security Check.

Best,
Adam
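Since the thread never learns what the scanner actually saw, here is an added example (editor's code, not from the original post or from Asus) of the kind of check a practitioner would run first: feed it a raw HTTP response captured from the Internet-facing side and have it flag private IPv4 addresses, both as plain dotted quads with a port and in a decimal-encoded form. The sample response, the cookie name `srv_affinity`, and the assumption that the "encoded IP address and port" lives in an HTTP header are all constructed for illustration; the decimal encoding decoded below (IPv4 as a little-endian 32-bit integer, port as a little-endian 16-bit integer) is one used by some load-balancer persistence cookies and is assumed, not something the thread confirms about the OP's setup.

```python
import ipaddress
import re

# Constructed sample (not from the original thread): what an external scanner
# might receive from a web front end that leaks an internal address both in a
# redirect target and in a load-balancer persistence cookie.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Server: nginx\r\n"
    "Location: http://192.168.1.20:8443/login\r\n"
    "Set-Cookie: srv_affinity=1677787402.36895.0000; Path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>Redirecting...</body></html>"
)

# Dotted-quad IPv4 with an optional :port, e.g. 10.0.0.5:8080
PLAIN_IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?\b")
# "<decimal>.<decimal>.0000": IPv4 and port as little-endian integers, an
# encoding used by some load-balancer persistence cookies (assumed here).
ENCODED_IPV4 = re.compile(r"\b(\d{6,10})\.(\d{1,5})\.0000\b")


def decode_le_ipv4_port(ip_int, port_int):
    """Decode the little-endian integer form: 1677787402.36895 -> 10.1.1.100:8080."""
    ip = ipaddress.IPv4Address(ip_int.to_bytes(4, "little"))
    port = int.from_bytes(port_int.to_bytes(2, "little"), "big")
    return ip, port


def find_disclosures(response_text):
    """Return (line, ip, port, form) for every private IPv4 address found,
    either as a plain dotted quad or in the encoded cookie form above."""
    findings = []
    for line in response_text.split("\r\n"):
        for m in PLAIN_IPV4.finditer(line):
            try:
                ip = ipaddress.IPv4Address(m.group(1))
            except ValueError:  # e.g. an octet above 255; not an address
                continue
            if ip.is_private:
                port = int(m.group(2)) if m.group(2) else None
                findings.append((line, str(ip), port, "plain"))
        for m in ENCODED_IPV4.finditer(line):
            ip_int, port_int = int(m.group(1)), int(m.group(2))
            if ip_int > 0xFFFFFFFF or port_int > 0xFFFF:
                continue
            ip, port = decode_le_ipv4_port(ip_int, port_int)
            if ip.is_private:
                findings.append((line, str(ip), port, "encoded"))
    return findings


if __name__ == "__main__":
    for line, ip, port, form in find_disclosures(SAMPLE_RESPONSE):
        print(f"{form:8} {ip}:{port}  <- {line}")
```

Run it against a response captured with `curl -si` from outside the network; anything it prints is a candidate for what the assessor's "manual investigation" found. It only covers HTTP, so if the scan targeted another service the same idea (look for RFC 1918 literals and vendor-specific encodings in whatever that service sends back) applies, but the patterns will differ.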
 
I don't think we're in a position to offer any technical advice as we know nothing about what they're testing, how the information is being disclosed or the software you're using.

On a more general note, I think it's really for you to work with the vendor of your application software to fix these issues. I've dealt with PCI compliance setups myself and it's not something that internet forums can really help with.
 
Wow, they're really cracking down on PCI compliance these days. We've had similar question pop up from time to time here on the forums, not specific to Asus, but with other consumer gear as well.

Friend of mine recently had to go through updates on his points of sale and readers - and as part of the package, they also installed a network appliance that goes into a secure SD-WAN (Software Defined - Wide Area Network) which is similar to a VPN connection, but more involved. Sometimes this may be referred to as a Managed Network Service Platform (MNSP).

Couple of useful references...

https://www.cybera.com/cybera-platform/
https://www.vfne.co/MNSP

There are specs around PCI - one is the EMV spec (EuroCard, MasterCard, Visa, and Amex/Discover follow same), and recent industry changes are moving counterfeit fraud from the banks to the retailer that is non-compliant with the spec.

Sounds like in your case, this is what happened...

I would reach out to your card processor, and find out what they recommend for your connectivity solution.

I think the take-away here is do not use consumer gear in the chain of trust between the card and the processor...

Good luck!
 
Wow, they're really cracking down on PCI compliance these days.

Not surprising, because a few of those "expert compliance validators" are doing a pretty craptastic job. A few years ago, one of my customers was told they needed PCI compliance because they were taking credit card donations within one of their software suites (which has a CC processing module). The customer and I spent two hours poring over the questionnaire, leaving us with a few head scratchers for their case. For instance, how do you implement mandatory password expiration or workstation inactivity lockout in a peer-to-peer workgroup consisting of one Windows desktop and two MacBooks, and no server? Or keep complete login audit logging for these three computers? Yes, the customer was THAT small, and investing in a $5,000 Windows Server infrastructure (not taking into account the implementation itself) was out of the question. So, the customer contacted the PCI validating company to ask them what she could do about it, or how to answer these questions that didn't really apply to their environment. The company basically replied to... fudge the answers to these questions. And they gave her a green check after she sent them the half-fudged form filled out. Which led the customer to tell me "WTF did we need to spend two+ hours on this if they don't care about the answers?!"

Now, just to reassure anyone, in the end the customer never went ahead with the plan of processing credit card info internally, it was all left in the hands of a third party web portal, so that internal compliance wasn't required in the end. But it shows how some of these validators are doing a really poor job at properly validating that you meet the requirements.

As for this specific case, I'm not sure what they are telling you there. If it can be reached over the Internet, then of course its internal IP and port will be visible from the outside. In this case, best to check with the vendor of that equipment who might have a better idea about your specific "issue".
 
As for this specific case, I'm not sure what they are telling you there. If it can be reached over the Internet, then of course its internal IP and port will be visible from the outside. In this case, best to check with the vendor of that equipment who might have a better idea about your specific "issue".

I'm presently dealing with another industry that is equally, for lack of a better word, >()*()<, about end to end security... I get it, so it goes into the design.

With OP's situation, it really comes down to what the payment card processor recommends for the edge on the premises...
 