snake Posted March 31, 2015

We have just done our latest PCI/DSS scan and it has failed dismally due to so many vulnerabilities in PHP 5.4. The solution in every case seems to be that we need to be running PHP 5.6 to pass the scan, or back-port patches to 5.4. WHMCS doesn't support anything above PHP 5.4.x, so it seems that is not an option, and I know from experience that WHMCS staff will refuse to provide any support if you are running anything except a bog-standard installation, and insist that you revert everything back to standard first with no hooks or addons. So back-porting PHP patches doesn't seem like an option either. How are others dealing with this issue?
SeanP Posted March 31, 2015

I think most use tokenisation gateways where the credit card information is stored with the bank, not in your local database. This means the PCI compliance is not your responsibility, as you are not storing the credit cards in your database or having them pass across your network. There are several tokenisation gateways to choose from: http://docs.whmcs.com/Payment_Gateways#Tokenisation_Gateways
snake Posted March 31, 2015 (Author)

> I think most use tokenisation gateways where the credit card information is stored with the bank, not in your local database. This means the PCI compliance is not your responsibility, as you are not storing the credit cards in your database or having them pass across your network. There are several tokenisation gateways to choose from: http://docs.whmcs.com/Payment_Gateways#Tokenisation_Gateways

We do this as well, we use SagePay tokens, but this does not change anything because the customers still enter the card details initially on your WHMCS site, so the full SAQ3 PCI compliance is still required. The only way to avoid that is if the card details are NEVER EVER entered on your site or stored in your DB. So you would have to redirect to the payment gateway to even enter the initial card details and get the token. I have already contacted WHMCS support, and this is not possible. So it seems there is no way for any WHMCS install to actually be PCI compliant currently unless you do not take cards.
SeanP Posted April 1, 2015 (edited)

> We do this as well, we use SagePay tokens, but this does not change anything because the customers still enter the card details initially on your WHMCS site, so the full SAQ3 PCI compliance is still required. The only way to avoid that is if the card details are NEVER EVER entered on your site or stored in your DB. So you would have to redirect to the payment gateway to even enter the initial card details and get the token. I have already contacted WHMCS support, and this is not possible. So it seems there is no way for any WHMCS install to actually be PCI compliant currently unless you do not take cards.

I'm not sure about SagePay, but Quantum Vault uses remote iframes for credit card information. The contents of the iframes are running on the bank's servers. So, the credit card information never passes across your network or your server. The use of the iframes makes the credit card information appear to be on your site. So, you get the look of it being local to your site, but it puts the PCI compliance responsibility on the bank. http://docs.whmcs.com/Quantum_Vault

Edited April 1, 2015 by SeanP
snake Posted April 3, 2015 (Author)

> I'm not sure about SagePay, but Quantum Vault uses remote iframes for credit card information. The contents of the iframes are running on the bank's servers. So, the credit card information never passes across your network or your server. The use of the iframes makes the credit card information appear to be on your site. So, you get the look of it being local to your site, but it puts the PCI compliance responsibility on the bank. http://docs.whmcs.com/Quantum_Vault

This is not possible with SagePay according to WHMCS support.
SeanP Posted April 3, 2015

I think Quantum might be one of the only ones doing it this way.

CDGcommerce about Quantum: http://www.cdgcommerce.com/instantpci.php

WHMCS Quantum Vault Announcement: http://forum.whmcs.com/showthread.php?25451-Introducing-Quantum-Gateway-Vault-for-WHMCS

Quantum Developer API (the WHMCS Quantum Vault gateway uses the In Line Frames API): http://www.quantumgateway.com/developer.php
snake Posted April 3, 2015 (Author)

Oh, you certainly can do it with most of them, including SagePay, as I have done it myself; it's just that the WHMCS gateways don't do it. So I'm really not sure how they can state that WHMCS is PCI compliant, when clearly it cannot pass a PCI scan.
SeanP Posted April 3, 2015

Is it mainly the PHP version issue that is holding you back? Check out this post: http://forum.whmcs.com/showthread.php?82903-WHMCS-is-not-working-with-PHP-5-5-x-and-ionCube-4-5-0&p=402838#post402838
snake Posted April 4, 2015 (Author)

Yes, that is the cause of the PCI fail. Thanks for the link, I will give that a try. BTW, I did a scan against whmcs.com and they have 26 vulnerabilities on their own site and would likely fail a PCI scan.
SeanP Posted April 8, 2015

Would upgrading to the latest in the PHP 5.4.x series (5.4.39, I believe) allow you to pass PCI? Does it require 5.5.x for successful compliance?
snake Posted April 8, 2015 (Author)

All the fails in my PCI scan were due to vulnerabilities in 5.4.x and 5.5.x, and in many cases said that an upgrade to 5.6.x was required. I have WHMCS working with PHP 5.6 now by upgrading ionCube. I also removed the server header that identified the PHP version, which will stop attackers from knowing what version you are running and then targeting you.
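The header removal snake mentions can be verified from the outside, since a stock PHP install advertises its version in X-Powered-By and Apache does the same in Server. The script below is an added example, not from the thread: it flags version disclosure in a captured HTTP header block (the samples are constructed; the php.ini and httpd.conf settings in the comments are the standard directives, assumed to live in their default locations).

```bash
#!/bin/sh
# Added example (not from the thread): detect PHP/web-server version
# disclosure in HTTP response headers, and the settings that remove it.
#   php.ini:     expose_php = Off        (drops "X-Powered-By: PHP/x.y.z")
#   httpd.conf:  ServerTokens Prod       ("Server: Apache", no version)
#                ServerSignature Off     (no version in error pages)
# Hiding the banner removes easy reconnaissance; it does not patch the
# vulnerabilities the scan reported, so the upgrade is still required.
set -e

# Exit 0 if the header block in $1 reveals a PHP version, 1 otherwise.
leaks_php_version() {
    printf '%s\n' "$1" | grep -i -E -q '^(X-Powered-By|Server):.*PHP/[0-9]'
}

# Number of header lines carrying any "Name/x.y" product version string
# (e.g. Apache/2.4.7, PHP/5.4.16, OpenSSL/1.0.1).
count_version_headers() {
    printf '%s\n' "$1" \
        | grep -i -E '^(X-Powered-By|Server):.*/[0-9]+\.[0-9]+' \
        | wc -l | tr -d ' '
}

# Constructed sample: what a default PHP 5.4 on Apache typically returns.
BEFORE='HTTP/1.1 200 OK
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.4.16
Content-Type: text/html; charset=UTF-8'

# Constructed sample: the same site after expose_php=Off and ServerTokens Prod.
AFTER='HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=UTF-8'

# Against a live host you own: check_site https://billing.example.invalid/
check_site() {
    hdrs=$(curl -sI "$1")
    if leaks_php_version "$hdrs"; then
        echo "PHP version disclosed in headers of $1"
    else
        echo "No PHP version in headers of $1 ($(count_version_headers "$hdrs") version strings)"
    fi
}
```

Run `check_site` against your own WHMCS URL after changing php.ini and httpd.conf to confirm the X-Powered-By line is gone.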
SeanP Posted April 8, 2015

Apparently WHMCS will not support you on anything beyond 5.4.x. That was the reason I was wondering if you could upgrade to the latest 5.4.x version and still pass the scan. If that isn't a possibility, I'm not sure what they expect everyone to do who wants to be PCI compliant.
snake Posted April 8, 2015 (Author)

Yes, they do make everything very difficult. Like the fact that they do not support the use of any 3rd-party addons and hooks, so you have to disable them all when asking for support.
SeanP Posted April 9, 2015

I have a dev environment that I typically just give them access to whenever I need support. I don't give access to my prod environment to anyone outside my company. I make sure the issue can be reproduced in dev, and supply them access to it for support.