Calguns.net  

Home My iTrader Join the NRA Donate to CGSSA Sponsors CGN Google Search
CA Semiauto Ban(AW)ID Flowchart CA Handgun Ban ID Flowchart CA Shotgun Ban ID Flowchart
Go Back   Calguns.net > GENERAL DISCUSSION > Technology and Internet
Register FAQ Members List Calendar Mark Forums Read

Technology and Internet Emerging and current tech related issues. Internet, DRM, IP, and other technology related discussions.

Reply
 
Thread Tools Display Modes
  #1  
Old 02-22-2013, 11:40 AM
chris1911's Avatar
chris1911 chris1911 is offline
Veteran Member
 
Join Date: Aug 2012
Location: The Meeting Place
Posts: 4,064
iTrader: 0 / 0%
Default PCI Compliance and SSL Certificates

My company is going through PCI Compliance right now and we have an issue. We have our domain www.ourdomain.com for example and our server locally (it's really just a workstation in our workgroup) that we download our orders to. It also downloads credit card information, customer information, etc. We got a response from our PCI scan saying that port 443 doesn't have a trusted SSL cert because it's self signed by our Sonicwall. We use LogMeIn on this port and must have it.

We purchased a SSL certificate from GoDaddy but when generating the CSR request from our Sonicwall we used our WAN IP from the Sonicwall as the Common Name. GoDaddy says you can't use IANA IPs as the CN any longer and that you have to have a domain name associated with it. Does anyone know what I should do here? The GoDaddy site says we can check a box that says it will be used on an internal network but I don't think they will be able to verify the cert that way when they do the port scan. Any advice would be greatly appreciated.

-Chris
__________________
"I like to think there are three measures of a man: How much steak he can eat in one sitting, how full his mustache is and how quickly he can whittle a spear in the event of the apocalypse." - Ron Swanson

Quote:
Originally Posted by Champ Kind
I believe if Jesus owned a sidearm he wouldn't have been crucified.
Reply With Quote
  #2  
Old 02-22-2013, 3:30 PM
ocabj's Avatar
ocabj ocabj is offline
Calguns Addict
 
Join Date: Oct 2005
Location: Riverside
Posts: 7,202
iTrader: 40 / 100%
Default

Do you only have one single publicly addressed IP and all of your hosts are NAT'ed behind that single IP (SonicWall device) and using RFC 1918 addresses?

If so, does that single publicly addressed IP have ourdomain.com as it's host/domain name binding?

If so, shouldn't you just request the certificate with ourdomain.com as the CN and then use that certificate on the web server behind your SonicWall device?
__________________

Distinguished Rifleman #1924
NRA Certified Instructor (Rifle and Metallic Cartridge Reloading) and RSO
https://www.ocabj.net | http://jocabphoto.com

My AR15 Service Rifle - Used for CMP/NRA High Power Service Rifle Competitions
My Eliseo R5 (Remington 700) Tube Gun - Used for NRA High Power (Match Category) Competitions
My M1 Garand Service Rifle - Used for JCG Matches, rebuilt by Dean's Gun Restorations
Reply With Quote
  #3  
Old 02-22-2013, 4:35 PM
chris1911's Avatar
chris1911 chris1911 is offline
Veteran Member
 
Join Date: Aug 2012
Location: The Meeting Place
Posts: 4,064
iTrader: 0 / 0%
Default

Quote:
Originally Posted by ocabj View Post
Do you only have one single publicly addressed IP and all of your hosts are NAT'ed behind that single IP (SonicWall device) and using RFC 1918 addresses?

If so, does that single publicly addressed IP have ourdomain.com as it's host/domain name binding?

If so, shouldn't you just request the certificate with ourdomain.com as the CN and then use that certificate on the web server behind your SonicWall device?
ourdomain.com is hosted off site and our network just has one static IP to our router. I ended up getting it solved though after about 8 hours of banging my head against the wall.

I took one of our domains not in use and created an A Record for our IP. Then I just submitted the CSR with the CN for the new domain and it all appears to be working after having to spend about 2 hours reconfiguring our entire router
__________________
"I like to think there are three measures of a man: How much steak he can eat in one sitting, how full his mustache is and how quickly he can whittle a spear in the event of the apocalypse." - Ron Swanson

Quote:
Originally Posted by Champ Kind
I believe if Jesus owned a sidearm he wouldn't have been crucified.
Reply With Quote
  #4  
Old 02-22-2013, 4:27 PM
bigbearbear's Avatar
bigbearbear bigbearbear is offline
Veteran Member
 
Join Date: Jun 2011
Posts: 4,670
iTrader: 0 / 0%
Default

You need to do as they say, generate the CSR using your company domain name. For example, if you own a domain ourdomain.com, you can generate a SSL certificate with a Common Name (CN): web.ourdomain.com or www.ourdomain.com. Basically any name plus a dot (.) followed by your domain name.

After you have done this, you will also need to register your domain name with your DNS provider so that the full address (eg. web.ourdomain.com or www.ourdomain.com) resolves into the IP address on your Sonic firewall.
Reply With Quote
  #5  
Old 02-25-2013, 11:59 AM
mud99 mud99 is offline
Make Calguns Great Again
CGN Contributor
 
Join Date: Oct 2011
Location: Bay Area
Posts: 1,077
iTrader: 11 / 100%
Default

You should inquire with your merchant. You can get a PCI compliance waiver, and it only costs a few more dollars than doing the routine scans.

Our company has been out of PCI compliance for years and I couldn't be happier!
Reply With Quote
  #6  
Old 03-13-2013, 1:09 PM
EurekaPayments's Avatar
EurekaPayments EurekaPayments is offline
Vendor/Retailer
 
Join Date: Feb 2012
Location: Eureka, CA
Posts: 130
iTrader: 1 / 100%
Default

There is PCI Insurance available, but the risk of a data breach is well worth becoming PCI Complaint. If not for the compliance itself for the purposes of avoiding crazy fees from the card brands should a data breach occur.

If you have PCI Q's or merchant account Q's i would be happy to assist.

Any CalGunner opneing a merchant account with my company we also contribute 10% of revenue generated to CalGun Foundation....
__________________

Steve Kimberling
Eureka Payments
P)877-476-0570 Ext 200
F)707-476-0574
stevek@eurekapayments.com
Reply With Quote
  #7  
Old 03-13-2013, 1:27 PM
chris1911's Avatar
chris1911 chris1911 is offline
Veteran Member
 
Join Date: Aug 2012
Location: The Meeting Place
Posts: 4,064
iTrader: 0 / 0%
Default

We ended up getting it taken care off. We had to use one of our inactive domains to our routers static IP and then generate the SSL CSR using that domain. It ended up working out alright it was just a pain to deal with because we didn't want to use a domain to our router and apparently there has been an industry wide shift for SSL CAs to not issue SSL certs for IPs anymore.
__________________
"I like to think there are three measures of a man: How much steak he can eat in one sitting, how full his mustache is and how quickly he can whittle a spear in the event of the apocalypse." - Ron Swanson

Quote:
Originally Posted by Champ Kind
I believe if Jesus owned a sidearm he wouldn't have been crucified.
Reply With Quote
  #8  
Old 03-13-2013, 4:26 PM
Jason95357 Jason95357 is offline
Senior Member
 
Join Date: Feb 2013
Posts: 1,093
iTrader: 5 / 100%
Default

Just my two cents, but hosting any sort of PCI stuff and doing it correctly is a major pain (at least at the merchant level of transactions/dollars we were dealing with). Our processor didn't charge anything different to have the payment form hosted by them (as opposed to our server forwarding the results of the form to them via a back-end connection), so we went that route. Basically we have an iframe that loads from their page when they go to purchase and after the purchase the iframe is redirected back to our page. The customer doesn't know they ever left our site, but as far as PCI is concerned it is all third-party hosted (our server never sees any payment info), so the only thing we have to do for PCI is annually have a statement from the processor that they are PCI compliant and we are done.
Reply With Quote
  #9  
Old 03-14-2013, 9:39 AM
EurekaPayments's Avatar
EurekaPayments EurekaPayments is offline
Vendor/Retailer
 
Join Date: Feb 2012
Location: Eureka, CA
Posts: 130
iTrader: 1 / 100%
Default

Quote:
Originally Posted by Jason95357 View Post
Just my two cents, but hosting any sort of PCI stuff and doing it correctly is a major pain (at least at the merchant level of transactions/dollars we were dealing with). Our processor didn't charge anything different to have the payment form hosted by them (as opposed to our server forwarding the results of the form to them via a back-end connection), so we went that route. Basically we have an iframe that loads from their page when they go to purchase and after the purchase the iframe is redirected back to our page. The customer doesn't know they ever left our site, but as far as PCI is concerned it is all third-party hosted (our server never sees any payment info), so the only thing we have to do for PCI is annually have a statement from the processor that they are PCI compliant and we are done.
AGREED - most gateways out there host the actual transaction data on their server which removed nearly all PCI liability. However, the merchant STILL has to be PCI Complaint. But as opposed to major work and network scans etc, most merchants (unless you are EXTREMELY big volume) simply need to complete a SAQ (Self Assessment Questionnaire) that attest to the fact that transaction data if off loaded to the gateway and the merchant does not store any card holder data.

PCI goes beyond the electronic transmission of data. To be PCI Complaint you have to be sure not to store cardholder info even on paper in theoffice. If you get faxed orders for example with full cardnumbers, SHRED EM as soon as you enter the sale into the gateway.

PCI is a mess if you are storing data..... fairly easy to deal with is using a gateway to store the data. Also many processors are charging a "PCI MONTHLY FEE" if you are compliant PLUS a "NON COMPLAINT FEE" if you are not. Often this 20-30 fee can be eliminated simply by completing the SAQ...

Business owners... check you CC Processing statements... if you are being charged a PCI NON COMPLIANT FEE.... you are wasting money...
__________________

Steve Kimberling
Eureka Payments
P)877-476-0570 Ext 200
F)707-476-0574
stevek@eurekapayments.com
Reply With Quote
  #10  
Old 03-14-2013, 10:21 PM
Jason95357 Jason95357 is offline
Senior Member
 
Join Date: Feb 2013
Posts: 1,093
iTrader: 5 / 100%
Default

True regarding staff training - our staff are trained we are not allowed to handle credit card data in any fashion, period.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump



All times are GMT -8. The time now is 3:07 AM.




Powered by vBulletin® Version 3.8.9
Copyright ©2000 - 2016, vBulletin Solutions, Inc.
Proudly hosted by GeoVario the Premier 2A host.
Calguns.net, the 'Calguns' name and all associated variants and logos are ® Trademark and © Copyright 2002-2016, Calguns.net an Incorporated Company All Rights Reserved.