
5001 port forwarding failed PCI compliance scan?

Status
Not open for further replies.

danieltan (joined Dec 29, 2017):
I recently installed an on-premises 3CX server, and opened up port 5001. During a recent PCI compliance scan, our merchant account administrator failed our scan, because "A service supporting outdated versions of TLS or SSL was detected."

Some background info. If a business processes customer credit cards via the Internet, the merchant account service provider requires the business to be PCI compliant. When a business is PCI compliant, it means the customer credit card information is secure. Otherwise, the merchant account provider will cease offering credit card processing to the business.

The PCI scan report follows:
-------------------------------------
IP Address: 70.121.63.xxx (which is our public IP)
Host: 70.121.63.xxx (which is our public IP)
Path:

THREAT REFERENCE

Summary:
Server supports TLS 1.0 protocol

Risk: High (3)
Port: 5001/tcp
Protocol: tcp
Threat ID: misc_tls_tls10

Details: A service supporting outdated versions of TLS or SSL was detected. TLS 1.0 and SSLv3 are affected by known flaws which could allow man-in-the-middle attacks, such as BEAST and POODLE.

Information From Target:
Service: commplex-link
Server accepted TLS 1.0 handshake with TLS_DHE_RSA_WITH_AES_128_CBC_SHA cipher
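To confirm on your own server whether the handshake the scanner flagged is still accepted, here is an added example (not from the original thread or from 3CX) that offers the 3CX web port exactly one protocol version at a time and reports whether the server agrees to it; the host name and the port 5001 are assumptions, and the helper names are hypothetical:

```python
import socket
import ssl

# Protocol versions a PCI scanner tries; TLS 1.0 and 1.1 are the ones it flags.
VERSIONS = {
    "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
}


def probe_tls_version(host, port, version, timeout=5.0):
    """Offer the server exactly one TLS version and report the outcome.

    Returns "accepted" if the server completes a handshake at that version,
    "rejected" if it refuses (the state a PCI scan wants for TLS 1.0/1.1),
    "unreachable" if no TCP connection could be made, or "unsupported" if
    the local OpenSSL build cannot offer that version at all.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # we are testing protocol support, not the cert
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        # Modern OpenSSL refuses to even offer TLS 1.0/1.1 at its default
        # security level; lower it so a "rejected" result is the server's
        # decision rather than our own client's.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except (ssl.SSLError, ValueError):
        return "unsupported"
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "accepted"
    except ssl.SSLError:
        return "rejected"            # handshake alert from the server
    except ConnectionResetError:
        return "rejected"            # some servers drop the connection instead
    except OSError:
        return "unreachable"         # refused, timed out, no route


def pci_tls_report(host, port=5001):
    """Probe every version and list the ones a PCI scan would flag."""
    results = {name: probe_tls_version(host, port, v) for name, v in VERSIONS.items()}
    flagged = [n for n in ("TLS 1.0", "TLS 1.1") if results[n] == "accepted"]
    return results, flagged


if __name__ == "__main__":
    # Constructed placeholder; replace with your own 3CX server's public name.
    print(pci_tls_report("pbx.example.invalid"))
```

Run it against the forwarded port after applying the SP2 update to see whether "TLS 1.0" moves from "accepted" to "rejected"; an empty flagged list is what the scanner needs to see.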
 
Funny you should mention this; I recently saw a post from one of the 3CX engineers on here (and I quote):

"3CX's SP2 update has an increased pack of security and had deprecated a bunch of SSL3 and TLS protocols / ciphers for PCI reasons"

And a quick side note. If you are taking credit card details over the phone and wish to record phone calls and remain PCI Compliant, I highly recommend the Insperix bolt-on Application for 3CX:
http://www.insperix.com/
 
Hello @danieltan

Please note that we are planning to migrate from TLS 1.0; however, not all of our supported phone manufacturers support higher versions. Once everyone releases a firmware update that supports the current version of TLS, we will release an update disabling it in the web server's configuration.
 
I always route the cc machines out on an IP address that has no port forwarding just for this reason.
 