If your Merchant Account Provider requires a PCI Scan...

brettbrett FoxyCart Team
in Important News edited June 2009
Hello FoxyCart users.
If you know that your merchant account provider will require a PCI scan, please LET US KNOW. PCI security scans are high intensity, somewhat intrusive, and by and large appear like any other malicious script kiddie or zombied computer doing a port scan.

Because of this, we will block access to the offending IP address, and you will (likely) FAIL your PCI compliance scan. What happens then is up to your merchant account provider, but they'll likely let you know, you'll freak out and think FoxyCart is not PCI DSS compliant, and it'll be a big headache for everybody.

Instead of this drama, just let us know if your merchant account requires proof of PCI compliance (or, alternately, if they insist on scanning you). We will chat with all involved parties, and avoid headaches.

Again...
If we detect a port scan, our own security policies and systems will deny access to the host doing the scanning. This is a basic security "best practice". We cannot and will not allow this behavior from parties with whom we are not familiar or have no contract. FoxyCart already has two separate PCI scanning services. They require special rules and exceptions to be added to our existing security measures, and any exceptions are not taken lightly.

So, again, if somebody asks about doing a security scan, please let us know.

Feel free to ask any questions below. Otherwise, just let us know and we'll all avoid headaches.
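The mechanism the post describes (a port scan is detected, the source is blocked, and an approved scanner only gets through if an exception is added ahead of time), as an added Python example. This is not FoxyCart's code or configuration: the log format, the detection threshold and window, and the hypothetical approved scanner range 198.51.100.0/28 are all constructed assumptions.

```python
"""Toy port-scan detector with an allowlist for approved PCI (ASV) scanners.

Added example, not FoxyCart code. The log format below is constructed, and
APPROVED_SCANNERS is a hypothetical range standing in for a real ASV's IPs.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed firewall log, one event per line: "<ISO timestamp> <src_ip> <dst_port> <action>"
SAMPLE_LOG = "\n".join(
    # unannounced scanner: 12 distinct ports in 11 seconds
    [f"2009-06-01T10:00:{i:02d} 203.0.113.7 {p} SYN"
     for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3306, 8080])]
    # PCI scanner from the hypothetical approved range: 15 distinct ports in 15 seconds
    + [f"2009-06-01T11:00:{i:02d} 198.51.100.5 {1000 + i} SYN" for i in range(15)]
    # ordinary shopper: two ports, spread over several minutes
    + ["2009-06-01T12:00:00 192.0.2.50 80 SYN",
       "2009-06-01T12:03:00 192.0.2.50 443 SYN",
       "2009-06-01T12:07:00 192.0.2.50 80 SYN"]
)

# Detection policy (assumed values): this many distinct destination ports from
# one source inside the window is treated as a port scan.
SCAN_THRESHOLD = 10
WINDOW = timedelta(seconds=60)

# Hypothetical allowlist of the scanner IPs a merchant has told us about in advance.
APPROVED_SCANNERS = [ip_network("198.51.100.0/28")]


def parse_log(text):
    """Parse the constructed log format into (timestamp, src_ip, dst_port) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, port, _action = line.split()
        events.append((datetime.fromisoformat(ts), src, int(port)))
    return events


def detect_scanners(events, threshold=SCAN_THRESHOLD, window=WINDOW):
    """Return {src_ip: first_detection_time} for sources that hit `threshold`
    distinct ports within any sliding `window`."""
    by_src = defaultdict(list)
    for ts, src, port in events:
        by_src[src].append((ts, port))

    flagged = {}
    for src, evs in by_src.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            ports = {p for ts, p in evs[i:] if ts - start <= window}
            if len(ports) >= threshold:
                flagged[src] = start
                break
    return flagged


def apply_policy(flagged, allowlist):
    """Split detected scanners into (blocked, exempt) according to the allowlist.

    Without an allowlist entry the PCI scanner is firewalled like any other
    scanner, so it never gets to inspect the host and cannot report a pass.
    """
    blocked, exempt = set(), set()
    for src in flagged:
        addr = ip_address(src)
        if any(addr in net for net in allowlist):
            exempt.add(src)
        else:
            blocked.add(src)
    return blocked, exempt


if __name__ == "__main__":
    flagged = detect_scanners(parse_log(SAMPLE_LOG))
    for src, when in sorted(flagged.items()):
        print(f"scan detected from {src} at {when.isoformat()}")
    blocked, exempt = apply_policy(flagged, APPROVED_SCANNERS)
    print("blocked:", sorted(blocked))
    print("exempt (pre-announced scanner):", sorted(exempt))
    blocked_no_exception, _ = apply_policy(flagged, [])
    print("blocked if nobody told us about the scan:", sorted(blocked_no_exception))
```

Running it shows the two outcomes the post warns about: the approved range is exempted only because it was added to the allowlist beforehand, and with an empty allowlist the PCI scanner is blocked exactly like the unannounced one, so the scan can collect no evidence either way.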
Comments
  • brettbrett FoxyCart Team
    In response to a whispered question:
    What on a PCI scan fails by being blocked?
    The issue is that a PCI scan needs to actually scan, so if it can't scan (because the IP has been firewalled off) then it can't say, "Yup, everything's fine."

    So it's not so much that it finds evidence of PCI non-compliance, but that it's not able to collect evidence of compliance in the first place.

    Does that help?