NitroSell PCI-DSS v3.2.1 Customer Compliance Statement (v5, May 1, 2020)

Under the Payment Card Industry Data Security Standard (PCI-DSS), v3.2.1, NitroSell is required to provide a statement to its customers regarding its compliance, and its adherence to the principles and rules of the standard regarding customer data.

  • NitroSell is a PCI-DSS Level 1 Service Provider under PCI-DSS v3.2.1, and is listed in the Visa Global Registry of Service Providers [1]
  • We will, to the best of our ability, maintain that level of compliance, and comply with any future updates to the standard within the timeframe mandated by the PCI Security Standards Council
  • Portal users are required to change their passwords every 90 days; if you have not logged in for more than 90 days, you will be prompted and required to change your password on your next login attempt; if you believe your Portal password has been compromised, you should immediately request a password reset using the ‘Forgot Password’ link at https://portal.nitrosell.com/
  • Trustwave is contracted as the company’s Qualified Security Assessor (QSA) and conducts an annual on-site audit to verify compliance with the latest version of the standard
  • Weekly external and internal vulnerability scans are conducted by Trustwave and AlertLogic, both of which are Approved Scanning Vendors (ASVs); the results of these scans are available on request
  • Should these scans report any new vulnerabilities, NitroSell will, to the best of its ability, address and resolve them within one week of their being reported
  • To meet PCI-DSS requirements, annual internal and external penetration tests are performed by NitroSell’s cybersecurity team, the results of which are available on request
  • NitroSell’s server/hosting environment is configured to meet all technical requirements of PCI-DSS, including hardware firewalls, web application firewalls, intrusion detection systems, network segmentation, one hosting function per server, comprehensive logging, access controls, etc.
  • Our servers, firewalls, intrusion detection systems, etc., constitute our Cardholder Data Environment (CDE)
  • Access to the NitroSell CDE is strictly controlled, based on the “principle of least privilege”, wherein users have access only to the information and resources that are necessary for their jobs
  • Our software is written to the highest standard of secure coding guidelines, with a particular focus on mitigating the OWASP Top 10 vulnerabilities
  • NitroSell commits to keeping all customer data safe and private, and to never storing sensitive cardholder data on any permanent storage medium
  • Cardholder data is handled by NitroSell’s servers only to process payments on your webstore, or to bill you for our services (via tokenised payments), and this data is immediately discarded as soon as each transaction has been processed
  • In general, NitroSell commits to meeting all PCI-DSS requirements on your behalf when it comes to your eCommerce channel – our PCI-DSS coverage starts and ends with your webstore; you still have overall responsibility for your business’s compliance and for the compliance of your in-store activities, network, transactions, etc.
  • NitroSell’s QSA-signed Attestation of Compliance (AoC) is available on request

Should you have any questions, please contact NitroSell support.

[1] Visa Global Registry of Service Providers

Hi,

We are running into a PCI compliance issue.

See information below.
How do we address this?

THREAT REFERENCE

Summary:
Server supports TLS 1.0 protocol

Risk: High (3)
Port: 443/tcp
Protocol: tcp
Threat ID: misc_tls_tls10

Details: A service supporting outdated versions of TLS or SSL was detected. TLS 1.0 and SSLv3 are affected by known flaws which could allow man-in-the-middle attacks, such as BEAST and POODLE.

Information From Target:
Service: https
Server accepted TLS 1.0 handshake with TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher

Hi Joe,

As per the standard, NitroSell has a risk mitigation plan in place for TLSv1. We currently still need to have it enabled because some customers are running legacy systems that do not support newer versions of TLS.

Our deadline for phasing it out is the end of May this year. Our support team is currently contacting every customer still using TLSv1 and assisting them in working around it, to enable us to switch off TLSv1 sooner, if possible.

If you would like a copy of our risk mitigation plan, please open a ticket, and the support team will be happy to supply it.

Regards,
Donogh
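The finding quoted above ("Server accepted TLS 1.0 handshake with TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher") is what an ASV scanner reports after sending a ClientHello that offers only one protocol version and cipher suite and seeing whether the server answers with a ServerHello (accepted) or an alert (refused). The script below is an added example, not NitroSell's tooling and not part of the support thread; it reproduces that probe so a customer can verify for themselves, before and after the change, whether a webstore still negotiates TLS 1.0. The target host name, the fixed client random, and the `build_server_hello` helper (which constructs a server's reply so the parser can be exercised offline) are illustrative assumptions.

```python
"""Minimal TLS-version probe, in the style of an ASV "outdated TLS" check.

Added example: not NitroSell's code and not part of the support thread above.
It sends one ClientHello offering a single protocol version and cipher list
and classifies the server's first record: a ServerHello means the server
accepted the offer (the finding above), an alert means it refused.
Host names and the fixed client random are illustrative assumptions.
"""
import socket
import struct

# TLS record content types and handshake message types (RFC 5246).
RECORD_HANDSHAKE, RECORD_ALERT = 0x16, 0x15
HS_CLIENT_HELLO, HS_SERVER_HELLO = 0x01, 0x02

VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
CIPHERS = {
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",        # the suite named in the finding
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}
ALERTS = {40: "handshake_failure", 70: "protocol_version"}


def _record(content_type, version, payload):
    # Record header: 1-byte content type, 2-byte version, 2-byte length.
    return bytes([content_type]) + struct.pack("!HH", version, len(payload)) + payload


def _handshake(hs_type, body):
    # Handshake header: 1-byte type, 3-byte big-endian length.
    return bytes([hs_type]) + struct.pack("!I", len(body))[1:] + body


def build_client_hello(version, cipher_ids, server_name=None):
    """ClientHello offering exactly `version` and `cipher_ids` (plus SNI if given).
    A real client uses os.urandom(32) for the random; a fixed one keeps the probe reproducible."""
    body = struct.pack("!H", version) + b"\x00" * 32        # client_version, random
    body += b"\x00"                                          # empty session_id
    body += struct.pack("!H", 2 * len(cipher_ids)) + b"".join(struct.pack("!H", c) for c in cipher_ids)
    body += b"\x01\x00"                                      # compression_methods: null only
    if server_name:
        host = server_name.encode("idna")
        sni = b"\x00" + struct.pack("!H", len(host)) + host  # name_type 0 = host_name
        sni_list = struct.pack("!H", len(sni)) + sni
        ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
        body += struct.pack("!H", len(ext)) + ext
    return _record(RECORD_HANDSHAKE, version, _handshake(HS_CLIENT_HELLO, body))


def build_server_hello(version, cipher_id):
    """Constructed ServerHello (empty session id, null compression): what a server
    that accepts the offer sends back. Used here to exercise the parser offline."""
    body = struct.pack("!H", version) + b"\x00" * 32 + b"\x00" + struct.pack("!H", cipher_id) + b"\x00"
    return _record(RECORD_HANDSHAKE, version, _handshake(HS_SERVER_HELLO, body))


def parse_server_response(data):
    """Classify the first record: ("accepted", version, cipher), ("rejected", alert_desc, None),
    or ("unknown", None, None) for anything else (closed socket, non-TLS service)."""
    if len(data) < 5:
        return ("unknown", None, None)
    content_type, rec_len = data[0], struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + rec_len]
    if content_type == RECORD_ALERT and len(payload) >= 2:
        return ("rejected", payload[1], None)                # alert payload = level, description
    if content_type == RECORD_HANDSHAKE and payload and payload[0] == HS_SERVER_HELLO:
        hs = payload[4:]                                     # server_version, random[32], session_id, ...
        version = struct.unpack("!H", hs[0:2])[0]
        sid_len = hs[34]
        cipher = struct.unpack("!H", hs[35 + sid_len:37 + sid_len])[0]
        return ("accepted", version, cipher)
    return ("unknown", None, None)


def describe(result):
    """Render a result in the wording of the scanner finding above."""
    kind, a, b = result
    if kind == "accepted":
        return "Server accepted %s handshake with %s cipher" % (VERSIONS.get(a, hex(a)), CIPHERS.get(b, hex(b)))
    if kind == "rejected":
        return "Server rejected handshake: alert %d (%s)" % (a, ALERTS.get(a, "other"))
    return "No TLS ServerHello or alert received"


def probe(host, port, version, cipher_ids, timeout=5.0):
    """Live probe against a real server (needs network; not run by the offline checks)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(version, cipher_ids, server_name=host))
        return parse_server_response(sock.recv(4096))


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"   # assumed target, for illustration
    for ver in (0x0300, 0x0301, 0x0302, 0x0303):
        print(VERSIONS[ver], "->", describe(probe(host, 443, ver, [0x000A, 0x002F, 0xC02F])))
```

Run as `python3 tlsprobe.py shop.example` (an assumed host name). A webstore that still matches the finding answers the TLS 1.0 offer with a ServerHello; once the server's minimum protocol is raised to TLS 1.2 (for example `ssl_protocols TLSv1.2 TLSv1.3;` in nginx or `SSLProtocol -all +TLSv1.2` in Apache) and the 3DES suites are dropped from the cipher list, the same offer typically gets an alert such as 70 (protocol_version) or 40 (handshake_failure) instead. The ClientHello here carries no signature_algorithms or supported_groups extension, so a rejection of the TLS 1.2 offer by a modern server proves nothing about TLS 1.2 support; the probe is meant for confirming that the legacy versions are off.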