Avirt Gateway Suite - SecurityMetrics PCI Scan

A customer called me about failing a PCI compliance scan. Merchant retailers need to have a merchant account with a reputable company (a third party) that allows them to accept credit cards.

The complaint was that the computers I service had failed the scan and that I needed to find a way to "clean them up" this time. I often do have to clean the business computers there of spyware and malware they pick up, as the business has a high employee turnover. (Link to software I use to keep computers clean) Expecting a virus or spyware problem on the computer that processes credit cards, I connected remotely (link to service I provide), but soon found there were no issues, so everyone there has been watching where they surf. See my post about how YOU DO actually influence why you get spyware.

After speaking with the customer more and doing my own research, I found that the credit card processing company they use hires a security firm, SecurityMetrics, to do network scanning on its customers' computers, that is, on the merchants who actually process the cards to take payment. Essentially, the credit card processing company outsources this security monitoring task. That is smart, since the PCI compliance laws (link to discussion about this; maybe I have a rant/exposé coming about Cynergy--or whatever mine is, plus the Authorize.net Gateway) are changing all the time. SecurityMetrics as a company does sound a little shady, and the information I got from the customer was sketchy as to the real problem, so I did a little searching around and got a better idea of what I was dealing with. This is part of the reason I'm writing this now; hopefully you'll come away with more information or at least ask the right questions.

Short graphic about how this works.

Scanning customer computers: is this legal? Technically, no, since they are knowingly accessing information without authorization. However, through the terms of your merchant account you consent to this, for security reasons, even though you don't know exactly when they will do it. Then again, you don't know when a hacker might try the same thing, so it's a safety mechanism for the credit card processing company.

When I received a forwarded e-mail with the results of the "scans" SecurityMetrics had done on particular dates, I understood a little better what was going on. (result pages here with some details redacted)

I was authorized by the company I was working for to speak to a representative at SecurityMetrics. Right away I was handed to a "scan technician" who discussed the results with me. SecurityMetrics will NOT offer advice on how to fix the problem, nor any real details of how their scans are done, nor what your "exact" problem is.

The issue was initially reported as "Avirt Gateway Suite ... Injection Vulnerability" (see emails). At first I thought they might have been scanning the website I also host for this customer, instead of the actual PCs they process cards from at their location, but I was soon able to verify with the scan technician the IP addresses the firm was monitoring. They at least give you this as a starting point.

There were more details in the reports I mentioned earlier, and with that information I was able to piece together the issue for the customer. It turned out to be only port 8080, a management port that had been left open on a router at the site. To me this seems fairly common, but it did raise the customer's security threat factor from a 1 to a 4.
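The finding came down to a router's web-management port answering on the site's public address. As an added example (my own code, not from the original post and not SecurityMetrics' scanner), here is a small Python check a technician can run from a machine outside the site against the site's public IP, before and after closing the port, to see which management ports still answer; the port list and the 192.0.2.1 placeholder address are assumptions.

```python
import socket
import sys
from typing import Dict, Optional

# Ports routers and appliances commonly use for web management (assumed list
# for this example); 8080 is the one the scan flagged in the post.
DEFAULT_MGMT_PORTS = (80, 443, 8080, 8443)


def probe_http_banner(host: str, port: int, timeout: float = 3.0) -> Optional[str]:
    """Return the HTTP status line (plus Server header) if `port` speaks HTTP,
    an 'open' marker if it accepts TCP but not HTTP, None if closed/filtered."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            sock.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode("ascii", "ignore") + b"\r\n\r\n")
            data = b""
            while b"\r\n\r\n" not in data and len(data) < 4096:
                chunk = sock.recv(1024)
                if not chunk:
                    break
                data += chunk
    except OSError:
        return None  # refused, timed out or unreachable: not exposed
    if not data.startswith(b"HTTP/"):
        return "open (non-HTTP service)"
    lines = data.split(b"\r\n")
    status = lines[0].decode("latin-1", "replace")
    server = ""
    for line in lines[1:]:
        if line.lower().startswith(b"server:"):
            server = line.split(b":", 1)[1].strip().decode("latin-1", "replace")
            break
    return f"{status} [Server: {server}]" if server else status


def exposed_management_ports(host: str, ports=DEFAULT_MGMT_PORTS,
                             timeout: float = 3.0) -> Dict[int, str]:
    """Map each port in `ports` that answered to its banner. Run from OUTSIDE the
    site against its public IP; an empty result after remediation is the goal."""
    found: Dict[int, str] = {}
    for port in ports:
        banner = probe_http_banner(host, port, timeout)
        if banner is not None:
            found[port] = banner
    return found


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"  # placeholder (TEST-NET)
    for port, banner in exposed_management_ports(target).items():
        print(f"{target}:{port} answers -> {banner}")
```

Run it against your own public IP only; a port that answers here is what the PCI scanner sees, and a port that answers with a router's login page should be closed or restricted to the LAN side.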