Failing PCI Compliance Audit

What is the name of the domain?

elaweb

What is the issue you’re encountering?

Recent vulnerability scan has failed

What steps have you taken to resolve the issue?

We have recently set up a Cloudflare Pro account and it’s working great to regulate traffic to the site.

However, we are required to have a regular PCI compliance audit. Part of this is an automatic scan by Security Metrics. The most recent vulnerability scan has failed with the error:

TCP/IP Predictable ISN (Initial Sequence Number) Generation Weakness

It is possible to predict TCP/IP Initial Sequence Numbers for the remote host.

The remote host has predictable TCP sequence numbers. An attacker may use this flaw to establish spoofed TCP connections to this host.

Does anyone know how I can resolve this issue? I have searched forums and support documentation.

If I pause the Cloudflare service, there are no problems reported and the scan passes.
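The finding quoted above is about how the scanned host picks the Initial Sequence Number it puts in its SYN-ACK: if an attacker can guess that number, they can complete a three-way handshake without ever seeing the SYN-ACK, i.e. from a spoofed source address. Scanners test this by opening a burst of connections, recording each ISN, and measuring how much the differences between consecutive ISNs vary. The script below is an added example, not code from the original post or from Cloudflare or SecurityMetrics: it feeds constructed ISN samples from a deliberately weak generator (constant increment, the classic pre-RFC 1948 behaviour) and from a seeded random generator through the same delta/GCD/standard-deviation analysis, then shows that the naive "last ISN plus the observed step" prediction succeeds only against the weak one. The difficulty index is loosely modelled on nmap's sequence-predictability index; the generator parameters and the verdict thresholds are this example's own choices, not values from the scanner or from any real TCP stack.

```python
import math
import random
import statistics

MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


def weak_isn_generator(start=0x12345678, step=64000):
    """Constructed weak stack: ISN advances by a fixed step per connection.
    (Illustrative; the step value is an assumption, not a measured one.)"""
    isn = start
    while True:
        isn = (isn + step) % MOD
        yield isn


def strong_isn_generator(seed):
    """Constructed strong stack: each ISN is an independent 32-bit value.
    Seeded only so the example is reproducible; a real stack would use a
    keyed hash or CSPRNG, never a seeded PRNG."""
    rng = random.Random(seed)
    while True:
        yield rng.getrandbits(32)


def sample(generator, n):
    """Simulate what a scanner does: open n connections and record each ISN."""
    return [next(generator) for _ in range(n)]


def isn_deltas(samples):
    """Differences between consecutive ISNs, taken modulo 2^32."""
    return [(b - a) % MOD for a, b in zip(samples, samples[1:])]


def gcd_of(values):
    g = 0
    for v in values:
        g = math.gcd(g, v)
    return g


def analyse(samples):
    """Score how predictable a run of ISNs is.

    Returns a dict with the GCD of the deltas, the spread of the
    (GCD-normalised) deltas, a difficulty index of 8*log2(spread), and a
    verdict. Thresholds are illustrative choices for this example."""
    if len(samples) < 4:
        raise ValueError("need at least 4 ISN samples")
    deltas = isn_deltas(samples)
    g = gcd_of(deltas)
    # A large common divisor means "constant multiplier"; divide it out so
    # a fixed-step generator shows up as zero spread.
    normalised = [d // g for d in deltas] if g > 9 else deltas
    spread = statistics.pstdev(normalised)
    index = 0 if spread <= 1 else round(8 * math.log2(spread))
    if index < 3:
        verdict = "trivial"      # next ISN computable from the last one
    elif index < 11:
        verdict = "easy"         # small search space for a blind spoofer
    elif index < 16:
        verdict = "medium"
    else:
        verdict = "random"       # no practical prediction from samples
    return {"gcd": g, "spread": spread, "index": index, "verdict": verdict}


def predict_next_isn(samples):
    """What a blind spoofer would guess for the next SYN-ACK's ISN:
    last observed ISN plus the average observed step."""
    step = round(statistics.mean(isn_deltas(samples)))
    return (samples[-1] + step) % MOD


if __name__ == "__main__":
    for name, gen in (("weak", weak_isn_generator()), ("strong", strong_isn_generator(7))):
        isns = sample(gen, 8)
        result = analyse(isns[:-1])
        guess = predict_next_isn(isns[:-1])
        print(f"{name}: index={result['index']} verdict={result['verdict']} "
              f"predicted={guess:#010x} actual={isns[-1]:#010x} "
              f"hit={guess == isns[-1]}")
```

When a scanner reports this finding through a CDN, the ISNs it measured belong to the edge that answered the TCP handshake, not to the origin server, which is why pausing the proxy changes the result; the evidence worth asking the vendor for is exactly the list of sampled ISNs, so the deltas can be checked with an analysis like the one above.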

Was the site working with SSL prior to adding it to Cloudflare?

Yes

What is the current SSL/TLS setting?

Full (strict)

I’d recommend getting underlying evidence of the vulnerability from the vendor and then either posting here or opening a support ticket.

