Payment processor is robbing me of $50 every month because their PCI compliance scan fails for my Shopify store…
They say my website doesn't have “Strict Transport Security” enabled in my X-frame? Server does not support HSTS.
Any help? I spoke with them and they said Shopify had to help me fix it…but you can't contact Shopify support so…
What a racket
Hi H2osiah!
It sounds like they are running an ASV scan against your store. Depending on the ASV company they use, the results are always different.
If the scan fails because of not enforcing Strict Transport Security on the following TCP ports:
2052/tcp
2053/tcp
2082/tcp
2083/tcp
2086/tcp
2087/tcp
2095/tcp
2096/tcp
8080/tcp
8443/tcp
8880/tcp
You should report this to them as a FALSE POSITIVE finding. All ASV companies have a process for reporting false positives (some call it findings dispute). You will need to include an explanation too. This should be:
These ports are not in scope. These ports are unused and terminated at Cloudflare where the offending content is found. These ports are not related to the storage, processing, or transmission of cardholder data.
Good Luck!
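An added example, not part of the original replies: one way to sort the HSTS findings in a scan report into those on the ports listed above (dispute as false positives) and those that still need review, and to confirm what header port 443 actually serves. The finding format (`port` and `title` keys), the function names, and the sample findings are assumptions constructed for illustration.

```python
import http.client
import re

# Ports and dispute wording come from the answer above.
OUT_OF_SCOPE_PORTS = {2052, 2053, 2082, 2083, 2086, 2087, 2095, 2096, 8080, 8443, 8880}
EXPLANATION = ("These ports are not in scope. These ports are unused and terminated at "
               "Cloudflare where the offending content is found. These ports are not related "
               "to the storage, processing, or transmission of cardholder data.")

def parse_hsts(value):
    """Return max-age in seconds if the header value enforces HSTS (RFC 6797), else None."""
    max_age = None
    for directive in (value or "").split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            arg = arg.strip().strip('"')
            if not re.fullmatch(r"[0-9]+", arg):
                return None
            max_age = int(arg)
    # max-age=0 tells browsers to drop the policy, so it does not count as enforcing.
    return max_age if max_age else None

def fetch_hsts(host, port=443, timeout=10):
    """Live check: return the Strict-Transport-Security header served on host:port, or None."""
    conn = http.client.HTTPSConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", "/")
        return conn.getresponse().getheader("Strict-Transport-Security")
    finally:
        conn.close()

def triage(findings):
    """Split scan findings into (dispute as false positive, still needs review)."""
    dispute, review = [], []
    for f in findings:
        hsts = re.search(r"hsts|strict.transport.security", f["title"], re.I)
        (dispute if hsts and f["port"] in OUT_OF_SCOPE_PORTS else review).append(f)
    return dispute, review

def dispute_text(dispute):
    """Build the dispute explanation for the ports that were flagged."""
    ports = ", ".join(f"{p}/tcp" for p in sorted({f["port"] for f in dispute}))
    return f"False positive on {ports}. {EXPLANATION}"

# Constructed sample findings, not output from any real ASV report.
SAMPLE = [
    {"port": 8443, "title": "HSTS Missing From HTTPS Server"},
    {"port": 2083, "title": "Server does not enforce Strict Transport Security"},
    {"port": 443, "title": "HSTS Missing From HTTPS Server"},
]
```

Running `parse_hsts(fetch_hsts("your-store-domain"))` against your own domain shows whether port 443 sends an enforcing header, which is useful evidence to attach to the dispute; a finding on 443 itself is not covered by the explanation above.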