Comments on: PCI Compliance and Portcullis http://www.webdevelopmentbygeorge.com/2009/11/10/pci-compliance-and-portcullis/?utm_source=rss&utm_medium=rss&utm_campaign=pci-compliance-and-portcullis ColdFusion, Flex, and JavaScript Programming Tue, 25 Oct 2011 23:23:06 +0000 hourly 1 http://wordpress.org/?v=3.1.4 By: George http://www.webdevelopmentbygeorge.com/2009/11/10/pci-compliance-and-portcullis/#comment-14 George Tue, 19 Jan 2010 15:39:40 +0000 http://www.webdevelopmentbygeorge.com/?p=181#comment-14 We actually did run into this and we were able to show our compliance company that since the CFToken is never used without the CFID it truly is a unique and random generation. They were able to add an exception for this to the compliance process. We actually did run into this and we were able to show our compliance company that since the CFToken is never used without the CFID it truly is a unique and random generation. They were able to add an exception for this to the compliance process.

]]> By: Joel Richards http://www.webdevelopmentbygeorge.com/2009/11/10/pci-compliance-and-portcullis/#comment-13 Joel Richards Sat, 19 Dec 2009 22:02:22 +0000 http://www.webdevelopmentbygeorge.com/?p=181#comment-13 Hi George-- I just implemented a portcullis on a site that was failing PCI compliance tests due to cross-site scripting vulnerabilities and it cleared that issue right up. My site is still failing because the server it's hosted on uses coldfusion session management, not J2EE session management. I asked the host to turn on J2EE session variables, but they said they can't. CF_token is set as a UUID, so I'd think this would pass muster, but it's not. Have you run into this issue? Do you have any ideas? thanks, Joel Hi George–
I just implemented a portcullis on a site that was failing PCI compliance tests due to cross-site scripting vulnerabilities and it cleared that issue right up.
My site is still failing because the server it’s hosted on uses coldfusion session management, not J2EE session management. I asked the host to turn on J2EE session variables, but they said they can’t. CF_token is set as a UUID, so I’d think this would pass muster, but it’s not. Have you run into this issue? Do you have any ideas?
thanks,
Joel

]]>