
TCP Source Port Pass Firewall PCI DSS fails

nandufhsol
Visitor

The host responded 4 times to 4 TCP SYN probes sent to destination port 24567 using source port 53. However, it did not respond at all to 4 TCP SYN probes sent to the same destination port using a random source port.
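The finding quoted above is the scanner's standard "source port pass firewall" test: it sends SYNs to a closed or filtered port twice, once from source port 53 and once from a random source port, and flags the host if only the source-port-53 probes get an answer. The script below is an added example, not part of this thread and not Shopify's or the ASV's code; it reproduces the two probes with nmap (`-g` sets the TCP source port), reads nmap's greppable output, and applies the same decision rule. The target address 203.0.113.10 and the destination port 24567 are placeholders (a TEST-NET address, chosen to match the post), and the live scan only runs when `RUN_SCAN=1` is set, since `-sS` needs raw-socket privileges.

```shell
#!/bin/sh
# Added example: reproduce the ASV "TCP source port pass firewall" check.
# TARGET and PORT are placeholders; override them from the environment.
TARGET=${TARGET:-203.0.113.10}
PORT=${PORT:-24567}

# Send SYN probes to $PORT on $TARGET, optionally fixing the source port.
# -Pn: skip host discovery, -sS: raw SYN scan (needs root), -n: no DNS,
# -g: TCP source port, -oG -: greppable output on stdout.
scan_with_source_port() {
    # $1 = source port to use, or "" for nmap's default (random) source port
    if [ -n "$1" ]; then
        nmap -Pn -sS -n -p "$PORT" -g "$1" -oG - "$TARGET"
    else
        nmap -Pn -sS -n -p "$PORT" -oG - "$TARGET"
    fi
}

# Pull the state nmap reported for $PORT out of greppable output on stdin.
# A greppable host line looks like (tab-separated fields):
#   Host: 203.0.113.10 ()	Ports: 24567/filtered/tcp//unknown///
# "open" means SYN/ACK came back, "closed" means RST came back,
# "filtered" means nothing came back (the firewall dropped the SYN).
port_state() {
    sed -n "s/.*Ports: $PORT\/\([a-z|]*\)\/tcp.*/\1/p" | head -n 1
}

# The scanner's decision rule: the finding holds when the host answered the
# source-port-53 probes (open or closed) but dropped the random-source-port
# probes (filtered). Returns 0 when the firewall is passing traffic on the
# basis of the source port alone.
source_port_bypass() {
    # $1 = state seen with source port 53, $2 = state with a random source port
    case "$1" in
        open|closed) ;;
        *) return 1 ;;
    esac
    [ "$2" = "filtered" ]
}

main() {
    s53=$(scan_with_source_port 53 | port_state)
    srand=$(scan_with_source_port "" | port_state)
    echo "source port 53: ${s53:-no-result}, random source port: ${srand:-no-result}"
    if source_port_bypass "$s53" "$srand"; then
        echo "FINDING REPRODUCED: host accepts TCP from source port 53 that it otherwise drops"
        return 1
    fi
    echo "not reproduced"
}

# Only perform the live scan when explicitly asked to.
if [ "${RUN_SCAN:-0}" = 1 ]; then
    main
fi
```

Run it as `RUN_SCAN=1 TARGET=<host> PORT=<port> sudo sh check.sh` against a host you are authorised to scan. If the first state is `open` or `closed` and the second is `filtered`, the finding is real for that host and not a scanner artefact. On a firewall you control, the usual cause is a stateless rule that admits inbound packets with a trusted source port (added to let DNS replies through), and the fix is to match on connection state instead of source port; on a hosted platform such as Shopify's edge you cannot change that rule yourself, so the evidence you need is the provider's attestation, as the rest of this thread discusses.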


Jason
Shopify Partner

Not sure what your question is, but if this is from your running some security scan, I would be making the assumption this is a false positive from it scanning the top layer of the edge network. If you believe that's not the case, then do contact the support team, as they'll have a process to handle these kinds of comments/requests.

★ I jump on these forums in my free time to help and share some insights. Not looking to be hired, and not looking for work. http://freakdesign.com.au ★

krichard
Visitor

We have the same PCI scan failure. Did support send any documents to attest it's secure?

soaponify
Visitor

Same scan failure here too.  I contacted support.  It's been a couple of weeks.  All they've supplied so far is an overview of compliance but no specific verbiage for a false positive yet.  I'm about to contact them a fourth time to see if I can get specific wording to address the scan failure.

mrmoxey
Shopify Partner

Did you get a reply?

soaponify
Visitor

Negative. I threw myself on the mercy of the ASV and said Shopify wouldn't give me a direct answer to the specific failure and kept saying "we're PCI compliant".

I didn't have much of a choice.

Luckily, the ASV accepted my pitch. YMMV.

mrmoxey
Shopify Partner

Did you manage to solve this? I hit the same issue.


bmg_zone
Tourist

Just ran it and got the exact same fail.
Going to reply with this post.

bmg_zone
Tourist

They replied with 

Jul 18, 2023: Can your organization confirm that port 53 traffic is indeed fully blocked from the outside of this firewall?

ASV


bmg_zone
Tourist

So Secure Trust told me to: 

Please contact support for assistance.


I have put in a ticket with Shopify support and will let you know


bmg_zone
Tourist

Here is Shopify Support's reply:

"Thanks for getting in touch with Shopify Plus support, Mike here. I understand you've got some questions around PCI Compliance as well as cc'ing someone to an email thread with us. I'd be glad to help.

 
To address your last question first, feel free to CC anyone else you'd like to include in this email thread, just as you normally would.
 
Firstly, we want to assure you that Shopify is PCI-compliant. However, it's not uncommon for certain third-party scanning software to sometimes give false positives. To help you with your compliance, we can provide you with copies of our PCI compliance report, which clearly outline what might trigger these false positives.
 
Rest assured that Shopify conducts ASV scans on a quarterly basis. You can easily download Shopify's Service Provider PCI DSS Attestation of Compliance (AOC) from the Compliance Reports section on the Shopify Help Center. This AOC serves as evidence of Shopify's PCI DSS compliance, which can be used as part of your own PCI DSS compliance assessment.
 
Please note that the AOC document remains valid for one year after the QSA signature date mentioned at the end of the document. Additionally, Shopify undergoes annual assessments and updates the AOC after each assessment.
 
To provide further clarity, I have attached Shopify's PCI Payment Card Industry Data Security Standard (PCI DSS) responsibility matrix. This matrix clearly outlines the specific PCI DSS requirements that Shopify takes responsibility for, as well as the responsibilities that lie with the merchant."