Re: [IUG] Ecommerce Not Complying with PCI Scan?


Hi Aaron - Scottsdale has been working in PCI-DSS funland for some time
now, even though we have not yet deployed ecommerce. The City of
Scottsdale gets regular reports of vulnerabilities on in-network
servers, which include our production, training and Encore servers.

To date, the biggest vulnerability we have encountered has been a cross
site scripting error - meaning someone could input text with <script>
tags into the OPAC interface. (We are using the 2007 screens set, but
not the most recent version.) Innovative was able to put in a fix to
strip out the angle brackets, therefore rendering the script innocuous.
This has not gotten rid of the error, merely taken it down from high to
medium vulnerability, which we feel we can justify in writing. Other
errors, like predictable session cookie IDs and findable directories,
rank as low or informational, and so we don't think we need to address
them.

Of course, each time we get a security scan there seems to be a new
revelation - something that has been there in previous scans is now
suddenly a vulnerability. So I wait in awe and terror of the next
revelation.

-- Aimee

Aimee Fifarek
Scottsdale Public Library
480-312-7060
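[Editor's note] The reply above describes a fix that strips angle brackets from OPAC input and reports that the scanner still rates the finding medium. The following is an added example, not code from the page, from Innovative, or from the City of Scottsdale, showing in general terms why a bracket filter neutralises a `<script>` tag probe but not a probe aimed at a quoted attribute, and what HTML output encoding does instead. The results-page layout, the two probe strings and the session-ID helper (for the "predictable session cookie" finding) are assumptions made for the demonstration.

```python
"""Added example (not from the page or from Innovative): input filtering
versus output encoding for a reflected XSS finding, plus a CSPRNG-backed
session identifier.  The OPAC page structure below is an assumption."""
from html.parser import HTMLParser
import html
import secrets


def strip_angle_brackets(value: str) -> str:
    """The kind of fix the thread describes: drop '<' and '>' from input."""
    return value.replace("<", "").replace(">", "")


def html_encode(value: str) -> str:
    """Output encoding: &, <, >, double and single quotes become entities."""
    return html.escape(value, quote=True)


def render_results_page(query: str, sanitize) -> str:
    """Assumed OPAC results page: echoes the search term once as text and
    once inside a quoted attribute (search box pre-filled with the term)."""
    q = sanitize(query)
    return (
        f"<h2>Results for: {q}</h2>\n"
        f'<form><input type="text" name="search" value="{q}"></form>'
    )


class _ActiveContentParser(HTMLParser):
    """Counts <script> elements and on* event-handler attributes, i.e. the
    parts of the rendered page a browser would actually execute."""

    def __init__(self):
        super().__init__()
        self.script_tags = 0
        self.event_handlers = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        self.event_handlers.extend(n for n, _ in attrs if n.startswith("on"))


def active_content(page: str):
    """Return (number of <script> tags, list of on* attribute names)."""
    p = _ActiveContentParser()
    p.feed(page)
    p.close()
    return p.script_tags, p.event_handlers


# Constructed probe strings (assumptions, not taken from any scan report).
SCRIPT_TAG_PROBE = "<script>alert(1)</script>"   # needs angle brackets
ATTRIBUTE_PROBE = '" onmouseover="alert(1)'      # needs only a double quote


def evaluate(sanitize) -> dict:
    """Run both probes through a sanitizer and report what survives."""
    probes = (("script_tag", SCRIPT_TAG_PROBE), ("attribute", ATTRIBUTE_PROBE))
    return {
        name: active_content(render_results_page(probe, sanitize))
        for name, probe in probes
    }


def new_session_id() -> str:
    """256-bit session identifier from the OS CSPRNG (43 URL-safe chars),
    as opposed to a counter or timestamp a scanner flags as predictable."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    for label, fn in (("no filter", lambda s: s),
                      ("strip <>", strip_angle_brackets),
                      ("encode", html_encode)):
        print(f"{label:10s} {evaluate(fn)}")
    print("session id:", new_session_id())
```

Run as a script, the bracket-stripping row shows the attribute probe surviving as a live `onmouseover` handler (the probe contains no angle brackets), while the encoding row shows neither probe producing active content. That is the difference between demoting a scanner finding and closing it: output encoding is applied where the value is written into the page, for the context it lands in, rather than by guessing which input characters are dangerous.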

-----Original Message-----
From: innopac-bounces at innopacusers dot org
[mailto:innopac-bounces at innopacusers dot org] On Behalf Of Skog, Aaron
Sent: Tuesday, February 03, 2009 11:47 AM
To: innopac at innopacusers dot org
Subject: [IUG] Ecommerce Not Complying with PCI Scan?

Hi Innovative Land,

If you have Ecommerce running for your system then you probably should
be aware of the PCI (Payment Card Industry) Data Security Standard. The
merchant you work with for credit card transactions will require your
ILS server to be scanned for security compliance. The scan will check
your server for open ports, vulnerabilities and its footprint.

Are any of you working on complying with the PCI security scan? Have
you contacted Innovative support for assistance?

Regards,
Aaron Skog

Director of SWAN Services
630-734-5122
skoga at mls dot lib dot il dot us



This message was distributed through the Innovative Users Group INNOPAC list.