wwildman wrote:

Additional information...

Network solutions tech support says this about the problem.

"There are several issues that can cause the error you reported. The most common is due to trying to force HTTPS (SSL) server-side. Our SSL proxy doesn't allow server-side variables to detect HTTPS (secure). All server-side coding will always detect HTTP (non-secure), and for programs that attempt to redirect non-secure connections (http://) to a secure connection (https://) will result in an infinite loop and server error after 30 seconds (newer technology browsers such as Firefox will detect this loop almost immediately and give up before 30 seconds). We cannot change this setting on our servers. ... the security workarounds below are the only ways around this.
1) Assume the connection is secure by making all the links to the sensitive pages https, or
2) use a client-side program (like javascript) to detect if it's secure and redirect if it's not."

Wesley

Hi wwildman,

This does not look as beeing a CBSubs issue at all, but a hoster issue...

Authorize.net AIM needs to be https up to the webserver hosting the site, not only up to the proxies of your hoster. Otherwise unencrypted credit-cards information will be flowing outside of CBSubs, which is not allowed by PCI DSS compliance.

The two workarounds proposed by your hoster are not PCI DSS compliant and will not be allowed by authorize.net for AIM.

1) assuming connection is secure while it IS insecure between the hoster proxies and the webserver is not PCI DSS compliante.

2) client-side verification with Javascript puts the control of security in users (and hackers) hands, instead of keeping it safely encrypted inside CBSubs, which is encrypted and checked at each execution, and which communicates encrypted with the browser and with Authorize.net directly, and thus following highest standards PCI DSS rules and making your application possible to be PCI DSS certified.

Your hoster's security specialists are certainly aware of the above, and you should talk with them about a hosting plan that can be PCI DSS compliant for E-Commerce applications, means does the https encryption/decryption directly in a secure way on the server running the php script, and thus allowing the PHP script to verify that the encryption is really secure.

Hope the above helps clarifying the hosting issue you have. You can forward the reply to your hoster, and we are happy to clarify the Visa and MasterCard PCI DSS security requirements for E-Commerce.

Hi Wesley,

- CBSubs does not have a requirement of being PCI DSS:

E.g. Paypal and Yellownet psps do not have this requirement. That requirement comes from Authorize.net using authorize.net Advanced integration (AIM).

CBSubs 1.1 will have additional gateways, which do not require PCI DSS compliance.

Even if for Authorize.net AIM the PCI DSS requirement does not come from CBSubs, it is a good point to make Authorize.net customers more aware of this requirement. Also it could be useful to make customers aware that appart from Paypal, any other payment solution requires time (between 1 week and 2 months) to be setup at the Payment Service Provider and might require additional prerequisites.

- If you want to be PCI DSS certified, It's not the hoster nor a particular site but your site (and the server on which the site runs) and your company/yourself that needs to undergo the certification. Obviously the hoster and CBSubs must be certifiable (CBSubs and JoomlaPolis Business Quality hosting are both certifiable).

As authorize.net requirements are not met by your hoster today, your options obviously are:

- If you are not married with Authorize.net, change PSP. Very very shortly upcoming CBSubs 1.1 will give you more options there.

- If you are not married with your hoster, simply change hoster. There are plenty of hosters around, but you should go for an E-commerce business-class hosting. We do provide business class hosting as well (see "Hosting" menu at top), and obviously meet Joomla, CB and CBSubs prerequisites, as well as a very high webserver security level.

- Any other payment solution for authorize.net AIM will require you for PCI DSS certification, so that won't work around that issue.


EDIT: fixed typo

Post edited by: beat, at: 2010/11/23 10:34