Hi, we tried an exemption for this but got denied.
We Tried:
“These cookies are not related to session management and unrelated to the security of cardholder data.”
As False Positive
Synopsis
HTTP session cookies might be transmitted in cleartext.
Reason for Denial:
Session cookies without the ‘Secure’ flag set are a violation of PCI DSS Requirement 6.5.10. As an Approved Scanning Vendor, we are required to mark any such detection as an automatic failure.
If the cookie(s) detected during the scanning process do not control a user’s session, then an exception request may be submitted with documentation attesting to the use of the cookie(s) detected (e.g., third-party tracking cookies used for market analysis). However, if the cookie(s) detected during the scanning process control a user’s session, then the ‘Secure’ flag will need to be applied to the cookie(s) and a rescan performed to demonstrate the change.
For this particular finding, the use-case for the detected cookies missing the ‘secure’ flag (listed in the Output section of the Details tab) must be included in any attestation notes.
Hi jaykappa!
Thanks for the update! Do you mind sharing which ASV company you are using? We are working with all of them to help them eliminate these annoying false positives.
As for your finding, I am not sure why they would turn down your request to mark it as a false positive when your request seems perfectly aligned with their guidance:
“If the cookie(s) detected during the scanning process do not control a user’s session, then an exception request may be submitted with documentation attesting to the use of the cookie(s) detected (e.g., third-party tracking cookies used for market analysis).”
The OUTPUT section of the finding appears to be cut off in your message.
Can you please post that (and any other missing info about the finding)?
Hopefully the cookie name that they don’t like is there.
Thanks,
Shawn.
Thank you,
The company doing the scan is: sikichlabs.com
I had another thread open too about 3 more issues that we don’t know how to answer:
https://community.shopify.com/c/Technical-Q-A/PCI-Scan-Vulnerability-Script-Src-Integrity-Check-amp-Cross-Site/m-p/1301758
The output was quite long, here’s what it was:
We’re also open to using a new scanning company, if there’s a recommendation for a vendor Shopify works better with.
Feel free to direct message me if it’s not appropriate to post a third party here.
Hi jaykappa!
We are working on this. I have pulled all of your posts together and am preparing info. I expect resolution shortly. If we don’t get it done by end of day, have a great weekend and we will pick it up Tuesday after the long weekend.
Shawn.
Hi jaykappa!
Please find attached a table indicating the PCI scope information of all cookies identified above.
Hopefully your ASV will accept this as evidence of the false positive finding in your report! Good luck!
Shawn
| Cookie | Issuer | PCI Scope? | Usage |
|---|---|---|---|
| cart_currency | Shopify | No. Cookie is not used for session management or security. Cookie can not impact the security of cardholder data and is out of scope of the PCI DSS compliant environment. | Used after a checkout is completed to initialize a new empty cart with the same currency as the one just used. https://www.shopify.ca/legal/cookies |
| _y | Shopify | No. Cookie is not used for session management or security. Cookie can not impact the security of cardholder data and is out of scope of the PCI DSS compliant environment. | Shopify analytics. https://www.shopify.ca/legal/cookies |
| _landing page | Shopify | No. Cookie is not used for session management or security. Cookie can not impact the security of cardholder data and is out of scope of the PCI DSS compliant environment. | Track landing pages. https://www.shopify.ca/legal/cookies |
| _orig_referrer | Shopify | No. Cookie is not used for session management or security. Cookie can not impact the security of cardholder data and is out of scope of the PCI DSS compliant environment. | Allows Shopify to identify where people are visiting them from. https://www.shopify.ca/legal/cookies |
| cart_sig | Shopify | No. Cookie is not used for session management or security. Cookie can not impact the security of cardholder data and is out of scope of the PCI DSS compliant environment. | Cart analytics. https://www.shopify.ca/legal/cookies |
| _shopify_evids | Shopify | No. Cookie is not used for session management or security. Cookie can not impact the security of cardholder data and is out of scope of the PCI DSS compliant environment. | Server-side generated event IDs used for enhancing client-side calls to tracking pixels. |
| cart_ver | Shopify | No. Cookie is not used for session management or security. Cookie can not impact the security of cardholder data and is out of scope of the PCI DSS compliant environment. | Tracks cart updates. https://www.shopify.ca/legal/cookies |
| cart | Shopify | No. Cookie is not used for session management or security. Cookie can not impact the security of cardholder data and is out of scope of the PCI DSS compliant environment. | Cart management. https://www.shopify.ca/legal/cookies |
| _shopify_y | Shopify | No. Cookie is not used for session management or security. Cookie can not impact the security of cardholder data and is out of scope of the PCI DSS compliant environment. | Shopify analytics. https://www.shopify.ca/legal/cookies |
| _shopify_s | Shopify | No. Cookie is not used for session management or security. Cookie can not impact the security of cardholder data and is out of scope of the PCI DSS compliant environment. | Shopify analytics. https://www.shopify.ca/legal/cookies |
| _s | Shopify | No. Cookie is not used for session management or security. Cookie can not impact the security of cardholder data and is out of scope of the PCI DSS compliant environment. | Shopify analytics. https://www.shopify.ca/legal/cookies |
| cart_ts | Shopify | No. Cookie is not used for session management or security. Cookie can not impact the security of cardholder data and is out of scope of the PCI DSS compliant environment. | Cart management. https://www.shopify.ca/legal/cookies |
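The ASV's denial and Shawn's table together describe a triage rule: a cookie missing the `Secure` flag is a failure only if it controls a user's session; otherwise it can be attested as out of scope. The script below, added here as an illustration and not code from Shopify, the ASV or anyone in this thread, parses `Set-Cookie` headers, reports which cookies lack `Secure`, and sorts those into "attest as out of scope" (names from the table above) versus "must be fixed before rescan". The sample headers are constructed; the cookie names `sid` and `app_session` are hypothetical, and `_landing_page` is assumed to be the underscore form of the "_landing page" entry in the table.

```python
"""Triage Set-Cookie headers against the PCI 'Secure flag' finding.

Added example, not from the thread. Cookie names in OUT_OF_SCOPE come from
Shawn's table; everything else here is constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Cookies the table above classifies as not used for session management or
# security, and therefore out of PCI scope. "_landing_page" is assumed to be
# the underscore spelling of the table's "_landing page".
OUT_OF_SCOPE = {
    "cart_currency", "_y", "_landing_page", "_orig_referrer", "cart_sig",
    "_shopify_evids", "cart_ver", "cart", "_shopify_y", "_shopify_s", "_s",
    "cart_ts",
}


@dataclass
class CookieInfo:
    name: str
    secure: bool
    httponly: bool
    attrs: Dict[str, str] = field(default_factory=dict)


def parse_set_cookie(header: str) -> CookieInfo:
    """Parse one Set-Cookie header value into name plus attribute flags.

    Splitting on ';' is safe here because commas (e.g. in Expires) never
    separate attributes in a single Set-Cookie value.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    secure = httponly = False
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        key = key.strip().lower()
        if key == "secure":
            secure = True
        elif key == "httponly":
            httponly = True
        else:
            attrs[key] = val.strip()
    return CookieInfo(name.strip(), secure, httponly, attrs)


def triage(headers: List[str]) -> Dict[str, List[str]]:
    """Sort cookies into ok / attest_out_of_scope / needs_fix.

    - ok: Secure flag already present.
    - attest_out_of_scope: no Secure flag, but the name is in the table of
      cookies that do not control a session, so documentation can be filed.
    - needs_fix: no Secure flag and not a known out-of-scope cookie; treat as
      session-controlling until proven otherwise and set the flag before rescan.
    """
    result: Dict[str, List[str]] = {"ok": [], "attest_out_of_scope": [], "needs_fix": []}
    for header in headers:
        cookie = parse_set_cookie(header)
        if cookie.secure:
            result["ok"].append(cookie.name)
        elif cookie.name in OUT_OF_SCOPE:
            result["attest_out_of_scope"].append(cookie.name)
        else:
            result["needs_fix"].append(cookie.name)
    return result


# Constructed sample headers, as a scanner might capture them from a response.
SAMPLE_HEADERS = [
    "cart_currency=USD; Path=/; Expires=Wed, 01 Jan 2025 00:00:00 GMT; SameSite=Lax",
    "_shopify_y=abc123; Path=/; Expires=Wed, 01 Jan 2025 00:00:00 GMT",
    "sid=deadbeef; Path=/; Secure; HttpOnly; SameSite=Lax",  # hypothetical session cookie, correctly flagged
    "app_session=xyz; Path=/; HttpOnly",                      # hypothetical session cookie missing Secure
]

if __name__ == "__main__":
    for bucket, names in triage(SAMPLE_HEADERS).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Running it on the constructed sample lists `cart_currency` and `_shopify_y` under `attest_out_of_scope` and `app_session` under `needs_fix`; only the latter bucket blocks the scan, which is the distinction the ASV's guidance draws.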