PeopleVine

Ensuring You Are PCI Compliant

If you are enabling payments within PeopleVine, you will need to become PCI compliant with your payment processor. They will set up monthly scanning to ensure you achieve this status.

When they scan, you may fail on a "TLS v1.0 Supported" finding, which is fairly common these days: most web servers and SSL certificates are still configured to work with older browsers. Under the PCI DSS 3.1 guidelines you can obtain an exception until June 30th, 2018. To apply for that exception, follow these steps (note that the exact steps may differ depending on who is scanning your web site):

  1. Log in to the PCI compliance portal.
  2. Click on Documents and upload a Word document on your company's letterhead containing the letter below. Call the document "PCI Compliance Risk Plan".
  3. Click on Scanning, then Scan Results, to see your latest results.
  4. Select the "TLSv1.0 Supported" vulnerabilities and click on Dispute Finding.
  5. Select "I am disputing this finding for another reason".
  6. Mention that you have uploaded your PCI Compliance Risk Plan.

Dear Sir or Madam:
Please accept this as the Risk Mitigation and Migration Plan for PCI DSS 3.1 for . 

A description of where and how we are currently using SSL and/or early versions of TLS, how we intend to mitigate the risks with these technologies, and our migration plan are listed below. 

1.	Where are SSL/TLS 1.0 currently used in your environment?

We are not aware of any pages in our platform that are using TLS 1.0. All transactional pages and user authentication in our platform are routed through our HTTPS version, which uses a GoDaddy SSL certificate and TLS 1.2.

2.	How are you mitigating risks with SSL/TLS 1.0?

We have ensured that our SSL certificate and server settings in Microsoft Azure use the latest SSL/TLS protocols. As you can see in our SSL certificate settings, the connection uses TLS 1.2.

3.	How are you monitoring for new vulnerabilities associated with SSL/TLS 1.0? 

We receive alerts via Azure Monitoring when our platform is penetrated.

4.	How are you ensuring that SSL/TLS 1.0 are not introduced into your cardholder data environment? (Meaning, how can you verify that new or upgraded systems connected to your cardholder data environment don’t contain SSL/TLS 1.0?)

We have complete control over the software and what is integrated into our software.

5.	When will your migration plan from SSL/TLS 1.0 be completed?

We are dependent on Microsoft Azure removing this from their environment. In the event they don't remove it from Azure Apps by 2018, we do have the ability to migrate to virtual machines.

Sincerely,
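Before disputing the finding, it is worth confirming what the scanner actually sees: item 2 of the letter asserts that the endpoint negotiates TLS 1.2, but the scan fails whenever the server will still *accept* a TLS 1.0 handshake, regardless of what modern browsers end up using. The following probe is an added example written for this article; it is not part of PeopleVine's product or of the original page. It pins a client to each TLS version in turn, attempts a handshake against a host you operate, and reports which legacy versions are still negotiable. The host `example.com` is a placeholder; point it at your own payment or login endpoint.

```python
import socket
import ssl
import sys

# Protocol versions a PCI ASV scan exercises. The "TLS v1.0 Supported"
# finding fires when the server completes a handshake at TLS 1.0 (and
# scanners flag TLS 1.1 the same way); TLS 1.2+ is what the letter claims.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
LEGACY = ("TLSv1.0", "TLSv1.1")
MODERN = ("TLSv1.2", "TLSv1.3")


def make_context(version):
    """Build a client context that will negotiate exactly one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # The question is whether the server *offers* this version, not whether
    # its certificate chain validates, so certificate checks are disabled
    # for the probe only. Never reuse this context for real traffic.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    # Modern OpenSSL refuses TLS 1.0/1.1 at its default security level;
    # lower it so the result reflects the server's policy, not the client's.
    if version < ssl.TLSVersion.TLSv1_2:
        try:
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        except ssl.SSLError:
            pass  # build without legacy ciphers: the handshake will simply fail
    return ctx


def probe(host, port=443, timeout=5.0):
    """Return {version_name: True/False}: did the server complete a handshake
    when the client allowed only that version?"""
    results = {}
    for name, version in VERSIONS.items():
        ctx = make_context(version)
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host):
                    # min == max, so a successful handshake means this exact version.
                    results[name] = True
        except (ssl.SSLError, OSError):
            results[name] = False
    return results


def assess(results):
    """Turn probe results into the scanner's verdict."""
    legacy_accepted = [v for v in LEGACY if results.get(v)]
    modern_accepted = [v for v in MODERN if results.get(v)]
    return {
        "pci_finding": bool(legacy_accepted),   # True -> "TLS v1.0 Supported" will fail
        "legacy_accepted": legacy_accepted,
        "modern_accepted": modern_accepted,
    }


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder host
    res = probe(target)
    verdict = assess(res)
    for name, ok in res.items():
        print(f"{name:8} {'accepted' if ok else 'rejected'}")
    if verdict["pci_finding"]:
        print("FAIL: legacy TLS still negotiable:", ", ".join(verdict["legacy_accepted"]))
    else:
        print("OK: only TLS 1.2+ is negotiable")
```

Run it as `python tls_probe.py your-host.example` from a machine that can reach the endpoint. If TLSv1.0 or TLSv1.1 comes back "accepted", the dispute will likely be rejected on the next rescan, because the finding is about what the server offers rather than what a given browser picks. Note, outside the scope of the article itself, that Azure App Service now exposes a per-app minimum TLS version setting (`az webapp config set --min-tls-version 1.2`), so the legacy versions can be switched off at the app level rather than waiting for the platform to remove them.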