Jump to content

McAfee PCI Service


sgrayban

Recommended Posts

I would like to point a big big issue here about the McAfee PCI testing that is being offered by WHMCS for $99 a year.

 

According the list of Qualified Security Assessor’s that are approved by Visa and MasterCard McAfee is NOT qualified.

 

If you use them you are wasting your money as no merchant or processing gateway will accept any certification from McAfee.

 

I found this out the hard way :( McAfee refunded my money for not disclosing this.

 

The list of Qualified Security Assessor’s that are approved by Visa and MasterCard can be found at..

 

http://usa.visa.com/merchants/risk_management/cisp.html

 

Choose option Service Providers

 

Option Qualified Security Assessor List under the heading “Top Downloads”

Edited by sgrayban
Link to comment
Share on other sites

From: http://www.mcafeesecure.com/help/complianceFaq.jsp

If McAfee is going to prepare my company's Visa PCI Compliance Report, why isn't McAfee on the PCI SSC Qualified Security Assessor List?

 

Most merchants do not require the services of a Qualified Security Assessor (QSA), or Visa CISP Assessor. Most merchants can be certified compliant by completing a self-assessment and successfully completing network scans conducted by an Approved Scan Vendor such as McAfee. For companies that want or need the specialized services of a QSA, McAfee provides PCI certified QSA compliance through its Foundstone services.

 

For merchants transacting more than 6 million credit card purchases per year, and all levels of payment processors, McAfee will provide a quote for an on-site CISP Level 1 Compliance Assessment utilizing its Foundstone Consulting services.

Link to comment
Share on other sites

We use PayPal Payments pro. I don’t think we would have any problem with the PCI compliance as PayPal recommends McAfee (ScanAlert) aswell.

 

From: https://www.paypal.com/pcicompliance

PayPal has partnered with ScanAlert, a Visa and MasterCard-certified PCI vendor, to help our customers comply at no cost for the first year. Enroll online with ScanAlert at: https://www.scanalert.com/SignUp.sa?oc=9673.
Link to comment
Share on other sites

Not entirely true... they scan all ports and if any are open and not secure like ftp, pop, imap or wrong SSL cert which they do check for if the scan detects a login form and you fail any of those you fail PCI.

 

I am aware of that and we are already PCI compliant.

Link to comment
Share on other sites

This will become a huge shock to some people that have been paying for the McAfee services for years. However, IMHO I wouldn't say that you have to use a certain provider to search/secure your network. I'm not too clever when it comes to PCI but I'm guessing as long as your network is secure and monitored by a PCI provider, then surely it's secure enough. They all do the same job...

 

If I've not made any sense or I don't have a clue what I'm talking about, disregard :)

Link to comment
Share on other sites

As quoted from http://www.mcafeesecure.com/us/pci-intro.jsp

 

Doesn't this mean they are lying?

 

It's a white lie. They are approved through the PCI Security Standards Council but not through Visa/MC as an approved QSA vendor. That means you can get PCI scanning done through McAfee but Visa/MC does not recognize it as valid. McAfee has to go through a process to get aprroved which they have not done.

 

Service provider registration

 

Service providers must be registered with Visa prior to inclusion on the list of PCI DSS-compliant service providers. For more information about the registration process, review Third Party Agent (TPA) frequently asked questions (FAQs) . For specific questions not covered in the FAQs, contact Visa via email at AgentRegistration@Visa.com.

Link to comment
Share on other sites

What's worse is that WHMCS is promoting this and most likely making money from it and that is down right dishonest. I am sure he has read this post and has looked at the proof but he has not updated his info page nor has he disclosed this information either.

 

I filed a complaint with Visa and letting them know that vital information is being withheld about McAfee Secure. It's called deceptive advertising and it's illegal(felony) in the U.S. and Canada.

 

WHMCS can I ask why you are doing this ? Is there a reason or you simply do not care that people you send there are being mislead intentionally by McAfee ? You aren't making any creditable points here using tactics like this to generate a cash flow.

 

I wonder if this thread will get deleted ?? I certainly do not want any moderators or friends of Matt posting and trying to defend him on this.

Link to comment
Share on other sites

  • WHMCS CEO

This is the first I've heard of them not being accepted by Visa/Mastercard.

 

If McAfee has mislead you then they've done the same to us - their site & sales people give every indication that their PCI Compliance service is all that's needed to obtain & pass PCI compliance requirements.

 

In addition, PayPal themselves recommend exactly the same service as we do through McAfee for PCI Compliance of all their merchants which would indicate it is a worthwhile valid service.

 

Obviously we do care and will be checking into this further but as the quote by somebody else earlier in the thread indicated (http://www.mcafeesecure.com/help/complianceFaq.jsp), McAfee seems to suggest it shouldn't be a problem for smaller merchants so we'll see what they have to say on the matter and then update the thread. Thank you for bringing it to our attention.

 

Matt

Link to comment
Share on other sites

@sgrayban - Certainly a frustrating situation. I can imagine how upset you are. If I understand your post correctly. You filed a complaint charging WHMCS with withholding information concerning McAfee? Had you talked with Matt or WHMCS staff prior?

 

Understand the frustrations but seems Matt is in the same boat as you. You've made personal assumptions and presumptions about Matt and WHMCS public. Give them a chance to sort things out before you paint them as being dishonest.

 

Of course maybe I just miss-understood this entire thread and have my head up my a@@. If that's the case just ignore me. It's only my humble thoughts ....

 

-Roger

Link to comment
Share on other sites

This how my merchant provider explained this.

 

McAfee is approved through the PCI Security Standards Council but not through Visa/MC as an approved QSA vendor.

 

That means you can get PCI scanning done through McAfee but Visa/MC does not recognize it as valid. McAfee has to go through a process to get approved which they have not done.

 

Merchants can *elect* to accept McAfee PCI but if anything goes wrong and data is stolen there is no re-course for the merchant provider or the business. That means you can't hold Visa/MC accountable for a PCI scanning that should have detected a vulnerability.

 

Thus mainstream merchant providers will not accept McAfee because of that liability.

 

So if PayPal accepts McAfee and something goes wrong there is nothing you or them can do except eat the loss and start over.

Link to comment
Share on other sites

No I filed a complaint with Visa about McAfee not disclosing they aren't a approved QSA vendor.

 

It is you that made the assumption and claim instead of asking.

Friend I am not attacking you. Just suggesting you take a moment to breathe and slow down a bit. I made no claims or assumptions.

 

As I said merely my humble thoughts...

Link to comment
Share on other sites

@sgrayban - Certainly a frustrating situation. I can imagine how upset you are. If I understand your post correctly. You filed a complaint charging WHMCS with withholding information concerning McAfee? Had you talked with Matt or WHMCS staff prior?

 

That isn't a question. You assumed that and questioned if I had talked to Matt or staff.

 

The proper question would have been... "Who did you file the complaint against ?"

 

So yes I got offended.

Link to comment
Share on other sites

We recommend to our clients not to go near McAffee as their pci scan detects our Plesk Windows 2008 servers as running an insecure version of Apache 2.0.x and php4

 

Not bad given we only run IIs7 and php5 and there is no legacy code and we run plesk itself on iis7 and not on apache (which is an option)

 

we have even seen one of their reports identify itself as a pci compliance failure...LOL

Link to comment
Share on other sites

  • WHMCS CEO

sgrayban, McAfee's response to this thread has been as follows:

 

That is completely false. McAfee is on the list for Approved Scanning Vendors. If a level one scanning (QSA - scanning required to have an onsite audit by a certified security professional) is needed, McAfee has a division, or partner, we use called Foundstone: http://www.foundstone.com/us/index.asp.

 

However, if you fall within the levels 2-4 merchants category, then upon completion of the PCI Compliance service which is offered through WHMCS at the discounted rate of $99/year, you are issued a Certification of Compliance accepted by all credit card companies and all banks worldwide. There are no additional services needed, and no additional fees.

 

This can be verified on the official Approved Scanning Vendors list @ https://www.pcisecuritystandards.org/pdfs/asv_report.html

 

Yes, we know that we are not an approved QSA vender. That's why we have partnered with Foundstone.

Our (McAfeeSecure PCI) scans do perimeter scans only. As an ASV we are only required to do perimeter scans.

If penetration scans are needed, which are usually really big merchants, then we can refer them to our Foundstone group that can do that for them.

 

To become PCI compliant, it is NOT necessary to have a penetration scan done.

 

I think this customer is not understanding the difference between the two. From my understanding, he was on the phone with our customer support yesterday for quite some time trying to explain the same thing to him.

 

Also, why would VISA partner with McAfee if they did not approve of our scans? http://www.mcafeesecure.com/us/partners-intro.jsp

 

We hope that resolves any concerns.

 

I think if you have any further issues with McAfee's services you need to take it up with them directly as McAfee are insisting their service is as advertised.

Link to comment
Share on other sites

All - to make things a bit more clear; the PCI Security Standards Council (formed by the card brands) has established the PCI-DSS and related requirements for scanning and auditing. Currently some (not all) processors are requiring more than just an SAQ and/or reports from an Authorized Scanning Vendor such as McAfee. In the situations where a more complete certification is being required, a Qualified Security Assessor such as those found on the VISA or MasterCard web sites or at the PCI Security Standards Council web site must be used. Our company is an ISO partnered with Global Payments. Currently Global is requiring Site Certification (by QSA) of all merchants regardless of size and volume.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use & Guidelines and understand your posts will initially be pre-moderated