Re: [IUG] Ecommerce Not Complying with PCI Scan?
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Hi Aaron - Scottsdale has been working in PCI-DSS funland for some time
now, even though we have not yet deployed ecommerce. The City of
Scottsdale gets regular reports of vulnerabilities on in-network
servers, which include our production, training and encore servers.
To date, the biggest vulnerability we have encountered has been a cross
site scripting error - meaning someone could input text with <script>
tags into the OPAC interface. (we are using the 2007 screens set, but
not the most recent version.) Innovative was able to put in a fix to
strip out the angle brackets therefore rendering the script innocuous.
This has not gotten rid of the error, merely took it down from high to
medium vulnerability which we feel we can justify in writing. Other
errors, like predictable cookie id sessions and findable directories,
rank as low or informational and so we don't think we need to address
Of course, each time we get a security scan there seems to be a new
revelation - something that has been there in previous scans is now
suddenly a vulnerability. So I wait in awe and terror of the next
Scottsdale Public Library
From: innopac-bounces at innopacusers dot org
[mailto:innopac-bounces at innopacusers dot org] On Behalf Of Skog, Aaron
Sent: Tuesday, February 03, 2009 11:47 AM
To: innopac at innopacusers dot org
Subject: [IUG] Ecommerce Not Complying with PCI Scan?
Hi Innovative Land,
If you have Ecommerce running for your system then you probably should
be aware of the PCI (Payment Card Industry) Data Security Standard. The
merchant you work with for credit card transactions will require your
ILS server to be scanned for security compliance. The scan will check
your server for open ports, vulnerabilities and its footprint.
Are any of you working on complying with the PCI security scan? Have
you contacted Innovative support for assistance?
Director of SWAN Services
skoga at mls dot lib dot il dot us
--- StripMime Report -- processed MIME parts ---
text/plain (text body -- kept)
This message was distributed through the Innovative Users Group INNOPAC
Public replies: INNOPAC at innopacusers dot org
Update your subscription options: