PCI compliance scan fail



  • First and foremost, I am an IT intern, still super new and trying to impress my boss.

    I have a site that failed a PCI compliance scan in the past; after we did our fix last time (according to my team, they reset the firewall configuration and took the firewall back to the site).

    The site then failed the scan again just a few days ago. We think they may have another computer hooked up on the firewall that is causing a problem.
    We provide a back office server along with Point of Sale terminals for the front of house.

    What steps can I take to fix this?

    They are failing at:
    -Basic Authentication over HTTP
    -Web page Transmits login credentials without encryption

    Any input would be appreciated.



  • You have something answering on port 80; turn it off.



  • @jaredbusch said in PCI compliance scan fail:

    You have something answering on port 80; turn it off.

    Just to expand on this a bit, you're going to want to make sure that port 80 is blocked on the firewall. Most firewalls open by exception, so that means that port 80 has been specifically opened. Or the firewall is a terrible one and is itself allowing access to it on port 80.



  • @kelly @JaredBusch
    Thank you



  • @jaredbusch said in PCI compliance scan fail:

    You have something answering on port 80; turn it off.

    It's literally that simple. Both turn off whatever is talking on 80, and block 80 on the firewall, too.
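
A way to check your own site for the two findings (a Basic auth challenge and a login form served over plain HTTP) before asking for a rescan, and to confirm port 80 no longer answers once the firewall rule is fixed. This is an added example, not code from anyone in this thread; the host name is a placeholder and the sample responses are constructed, using only the Python standard library.

```python
import re
import socket

# Constructed sample responses standing in for what a plain-HTTP probe of the
# site might return: a Basic auth challenge, a login form, and a clean redirect.
SAMPLE_BASIC_AUTH = (b"HTTP/1.1 401 Unauthorized\r\n"
                     b"WWW-Authenticate: Basic realm=\"Back office\"\r\n"
                     b"Content-Length: 0\r\n\r\n")
SAMPLE_LOGIN_FORM = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                     b"<html><form method=\"post\" action=\"/login\">"
                     b"<input name=\"user\"><input type=\"password\" name=\"pw\">"
                     b"</form></html>")
SAMPLE_REDIRECT = (b"HTTP/1.1 301 Moved Permanently\r\n"
                   b"Location: https://example.invalid/\r\nContent-Length: 0\r\n\r\n")


def classify_http_response(raw: bytes) -> dict:
    """Flag the two scan findings in a raw HTTP response received on port 80."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = head.decode("latin-1", errors="replace").lower()
    text = body.decode("latin-1", errors="replace").lower()
    # Finding 1: server asks for HTTP Basic credentials over cleartext.
    basic_auth = "www-authenticate: basic" in headers
    # Finding 2: a password field whose form does not post to an https:// URL,
    # so the credentials would leave the browser unencrypted.
    has_password = re.search(r"<input[^>]*type\s*=\s*[\"']?password", text) is not None
    posts_https = re.search(r"<form[^>]*action\s*=\s*[\"']?https://", text) is not None
    return {"port80_answering": True,
            "basic_auth_over_http": basic_auth,
            "cleartext_login_form": has_password and not posts_https}


def probe_port80(host: str, timeout: float = 5.0) -> dict:
    """Connect to the site on port 80 and classify whatever answers.

    If nothing answers (the state the thread recommends), all findings are False.
    """
    try:
        with socket.create_connection((host, 80), timeout=timeout) as sock:
            sock.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            chunks, total = [], 0
            while total < 65536:            # cap what we read from the socket
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
                total += len(data)
        return classify_http_response(b"".join(chunks))
    except OSError:
        return {"port80_answering": False,
                "basic_auth_over_http": False, "cleartext_login_form": False}


if __name__ == "__main__":
    print(probe_port80("site.example.invalid"))   # placeholder host name
```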

