PCI DSS Scanning fails with cloudflare...?

Hi!

Our company needs to run PCI DSS scanning every 3 months. We are PCI DSS Level 2-4. Hackerguardian.com (Comodo) is our AVS. After configuring our sites to use Cloudflare we’ve failed our scan with the following failures (listed below). Please help us. What can/must we do to get the scan passing…?

List of fails.

  1. SSL Medium Strength Cipher Suites Supported 2083 / tcp / www
  2. SSL 64-bit Block Size Cipher Suites Supported (SWEET32) 2083 / tcp / www
    CVE-2016-2183, CVE-2016-6329
  3. TLS Version 1.0 Protocol Detection 2053 / tcp / www (an automatic fail, but we’ve set the Minimum TLS Version to 1.1???)

What should we do with the others…? Please help us solve this problem. Thanks.
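The three findings above can be checked locally before a rescan is requested. The script below is an added example, not code from this thread, from Cloudflare or from HackerGuardian: it pins one TLS handshake per protocol version (plus a 3DES-only offer) against a host and port, then maps the negotiated cipher suites to the finding titles listed in the post. The host name is a placeholder; port 2083 is the one from the post; the cipher-name markers and the reading of "medium strength" as covering 3DES are assumptions based on OpenSSL naming and the common scanner definition, so the AVS's own definition governs the real report.

```python
"""Reproduce the three AVS findings from the post against one host:port.

Added example, not code from the thread, Cloudflare or HackerGuardian. Each
handshake is pinned to a single protocol version (or to 3DES suites only), so
the result shows what a scanner would see after a Minimum TLS Version change.
Cipher-name markers are an assumption based on OpenSSL naming; the scanner's
own definition of "medium strength" governs the real report.
"""
import socket
import ssl
import sys
import warnings

# 64-bit block ciphers behind SWEET32 (CVE-2016-2183): 3DES and IDEA in OpenSSL names.
SWEET32_MARKERS = ("DES-CBC3", "3DES", "IDEA")

VERSIONS = (
    ("TLSv1.0", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3),
)


def classify_cipher(name):
    """Map a negotiated cipher suite name to the scanner findings it would trigger.
    Assumption: 'medium strength' (as that plugin family defines it) covers 3DES,
    so one 3DES suite produces both findings, matching the post's report."""
    findings = set()
    if any(marker in name.upper() for marker in SWEET32_MARKERS):
        findings.add("SWEET32")
        findings.add("MEDIUM_STRENGTH")
    return findings


def try_handshake(host, port, version, ciphers="ALL:@SECLEVEL=0", timeout=5.0):
    """Attempt one handshake pinned to `version`; return the negotiated cipher
    suite name, or None if the server (or the local OpenSSL) refused it.
    SECLEVEL=0 is needed so a modern OpenSSL will even offer TLS 1.0/1.1."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # probing configuration, not identity
        ctx.set_ciphers(ciphers)
        with warnings.catch_warnings():
            warnings.simplefilter("ignore", DeprecationWarning)
            ctx.minimum_version = version
            ctx.maximum_version = version
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0]
    except (ssl.SSLError, OSError):
        return None


def scan(host, port):
    """Probe each protocol version, then a 3DES-only offer on TLS 1.2."""
    results = {label: try_handshake(host, port, ver) for label, ver in VERSIONS}
    results["3DES-only"] = try_handshake(host, port, ssl.TLSVersion.TLSv1_2,
                                         ciphers="3DES:@SECLEVEL=0")
    return results


def summarize(results):
    """Turn probe results into the finding titles the post lists."""
    findings = []
    if results.get("TLSv1.0"):
        findings.append("TLS Version 1.0 Protocol Detection")
    tags = set()
    for cipher in results.values():
        if cipher:
            tags |= classify_cipher(cipher)
    if "SWEET32" in tags:
        findings.append("SSL 64-bit Block Size Cipher Suites Supported (SWEET32)")
    if "MEDIUM_STRENGTH" in tags:
        findings.append("SSL Medium Strength Cipher Suites Supported")
    return findings


if __name__ == "__main__":
    # Usage: python tls_probe.py example.com 2083   (host is a placeholder)
    target_host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 2083
    probe = scan(target_host, target_port)
    for label, cipher in probe.items():
        print(f"{label:>9}: {cipher or 'refused'}")
    print("findings:", summarize(probe) or "none")
```

Run it once against the proxied hostname on 2083 and once on 2053 before and after changing the Minimum TLS Version setting: if the `TLSv1.0` line still reads a cipher rather than `refused` on one port but not the other, the setting is not reaching that port, which is what the scanner is reporting.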

Your domain does not seem to be on Cloudflare in the first place. Its nameservers point to Comodo.

sandro, it’s not my domain. I’ve just pointed out who our AVS scanner is. It’s named Hackerguardian (they are a part of the Comodo company)… We have a few different domains. It’s not a problem with our domains. Our domains and sites are configured well for PCI DSS compliance, but when we turn on Cloudflare for them and the AVS scan runs, we get the failures I’ve listed above…

I am not all too familiar with PCI compliance but Cloudflare seems to guarantee compliance only from a business plan level onwards - https://www.cloudflare.com/plans/#compare-features

It’s a different thing. By your link you are suggesting to make the Cloudflare service our complete service, including AVS scanning and PCI DSS compliance. But we already have a service that is our PCI DSS partner; the problem is that when they run the AVS scan, they detect failures on CF servers. In the meantime I’ve found CF information regarding SWEET32; they suggest reporting this failure to the AVS service as a ‘false positive’ and giving them a link to the article about it on the CF site. But what about the two others…?

I am not sure what you mean by that. I didn’t suggest either. But if you are tunnelling your traffic through Cloudflare (which I assume you do) your Cloudflare account should presumably be PCI compliant as well, right? In that case you might have to upgrade to a business account.

[quote=“sandro, post:6, topic:41694”]if you are tunnelling your traffic through Cloudflare (which I assume you do) your Cloudflare account should be presumably PCI compliant as well, right? In that case you might have to upgrade to a business account.
[/quote]
Yes, I am tunnelling, and I understand your idea to upgrade to Business. But mainly PCI DSS is a question of the merchant server (Apache versions, PHP, etc.); we are using CF only to hide real IPs and prevent direct scans of our server. Why does the AVS fail? We are on the Pro plan, and I am just trying to find out why these vulnerabilities are present on CF and if I can disable them…
Only this question is worrying. And I am not sure that even the Business plan will help with it.

Well, if PCI compliance involves the encryption layer too you’ll certainly have to take into consideration all involved components as well and Cloudflare (as a proxy) is naturally involved here. It might be best to discuss this with Cloudflare’s support.

[quote=“sandro, post:8, topic:41694”]
Well, if PCI compliance involves the encryption layer too you’ll certainly have to take into consideration all involved components as well and Cloudflare (as a proxy) is naturally involved here. It might be best to discuss this with Cloudflare’s support.
[/quote]
Yes, probably you are right. Actually I am trying to contact the AVS support team to discuss this question; we’ll see what they tell us. I am sure someone else is also using CF and them together…
sandro, thank you for your attention anyway!
