PCI compliance scan port 80

Nico Albrecht

Has anybody ever come across this? The credit card processing company wants port 80 closed.

Client is trying to be compliant with our credit card processing. They believe if we close port 80 on the router we can pass the scan test.

Closing port 80 seems to me an absolutely odd request, since every router ships with port 80 open. Any input or ideas will help. The bank in question is AIB.
 
arnydnxluk

Port 80 on what connection?

If it's their workplace, then close port 80 and host websites on a more appropriate setup.

If this is in relation to processing cards on a website then I've not heard of this before. Redirecting all HTTP traffic to HTTPS and setting up HSTS should be enough to comply?
 
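The redirect-plus-HSTS setup suggested in the reply above can be checked mechanically. This is an added example, not part of the thread: it audits the raw responses a site returns on port 80 and port 443; the host name shop.example, the MIN_HSTS_MAX_AGE threshold and the sample responses are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

MIN_HSTS_MAX_AGE = 15768000  # assumption: about six months; set per your own policy
REDIRECTS = {301, 302, 307, 308}

def parse_response(raw):
    """Return (status, {lowercased header name: value}) from a raw HTTP response."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def audit(host, http_raw, https_raw):
    """Findings for a site that keeps port 80 open only to redirect to HTTPS."""
    findings = []
    status, headers = parse_response(http_raw)
    target = urlsplit(headers.get("location", ""))
    if status not in REDIRECTS:
        findings.append(f"port 80 answers {status} instead of redirecting")
    elif target.scheme != "https" or target.hostname != host:
        findings.append("port 80 redirect does not go to https on the same host")
    if "strict-transport-security" in headers:
        findings.append("HSTS header on plain HTTP is ignored by browsers")
    _, tls_headers = parse_response(https_raw)
    hsts = tls_headers.get("strict-transport-security", "")
    age = re.search(r"max-age\s*=\s*\"?(\d+)", hsts, re.I)
    if not hsts:
        findings.append("HTTPS response lacks Strict-Transport-Security")
    elif not age or int(age.group(1)) < MIN_HSTS_MAX_AGE:
        findings.append("HSTS max-age missing or below the chosen minimum")
    return findings

# Constructed sample responses (not captured from any real site).
GOOD_HTTP = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://shop.example/\r\n\r\n"
GOOD_HTTPS = ("HTTP/1.1 200 OK\r\n"
              "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n\r\n")
BAD_HTTP = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<form>card</form>"
BAD_HTTPS = "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=300\r\n\r\n"

if __name__ == "__main__":
    print(audit("shop.example", GOOD_HTTP, GOOD_HTTPS))
    print(audit("shop.example", BAD_HTTP, BAD_HTTPS))
```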

arnydnxluk

I would close port 80 but allow certain IP addresses through or require remote workers to connect via VPN to access the CCTV system. Then you're greatly increasing security while meeting the PCI compliance requirements – two birds; one stone!
 

WESH.UK

It is actually not uncommon for decent security folk to request this; the fact that it's unusual is the shame.

Essentially, by having port 80 open to the world, on your own router, assuming it's their place of business and a location where they also process or store payments and client info, you would be giving hackers a door to try to break into.

Closing port 80 essentially removes that door completely, and thus shuts down a common way for hackers to try to attack your router to get access to your network, and even your CCTV too, so they could learn who is in, at what time the building is empty, and what's kept in there.

It's not always the digital info that's at risk; it's the devices on the network too that can expose you to risks you hadn't even considered.

Gain access to a router, and now you have access to every single device on that network.

People's phones, VoIP systems to re-route calls through premium numbers, CCTV, network-connected card readers, and of course some remotely monitored alarms too.
     

Nico Albrecht

To be honest, the open port forwarding to the CCTV doesn't really concern me from a security point of view. There is a hardware stateful firewall in place and the CCTV uses strong passwords. What confuses me is why they are so anal about port 80, as there are other ports open for other services which they seem not to mind. I only assume their scanning software is not able to see the actual Cisco firewall in place.
     