HTTPS Security concern

equalmenace asked:

Have a client who failed a PCI security audit through Bank of America due to Clover login credentials being transmitted in plain text. Needs to be switched over to HTTPS. Confusing because Clover is specifically advertised as having end to end encryption.

Any help here?


brokenoval commented:

Can you give some more details about what type of login? Is it on the POS or on Web? I believe all the APIs are encrypted and HTTP is specifically blocked. OAuth is recommended for other situations. Also Bank of America sell Clover POS solutions themselves, so I would suspect it's more of a client-specific issue rather than a Clover infrastructure issue. More details would help track this down though.

equalmenace answered:

Hi!

Thanks for the reply. Of course. Here is the report from the Trans Armor PCI Compliance audit:

Web Application Transmits Login Credentials Without Encryption

Description: There is a web application running on this host that transmits login credentials over HTTP, which is a clear-text protocol. As such, if an attacker was able to intercept traffic containing login credentials, it would be trivial to view user account and password information.

Remediation: All web application communications containing sensitive information should be transmitted using SSL/TLS (HTTPS). If redirection from HTTP to HTTPS is utilized in an attempt to remediate this finding, please ensure that such redirection occurs on the server side of the system (for example via the use of the HTTP "Location" header element) and that redirection is not reliant upon the client (browser) side.

As you may understand, this is a big deal for my client. Any recommendations on how we might proceed?


Mark Mullan commented.

Brian Murray answered:

All Clover services exclusively support HTTPS. If an HTTP connection is attempted, the connection will be redirected to HTTPS.
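The audit finding above distinguishes a server-side redirect (a 3xx status with a Location header pointing at https://) from a client-side one (a 200 page that redirects via meta refresh or JavaScript). The following is an added example, not Clover's code or anything from the thread, that a client could run against their own login URL to see which case they are in; the example.test host in the comments is a placeholder.

```python
"""Classify how a web server answers a plain-HTTP request for a login page."""
import sys
from http.client import HTTPConnection
from urllib.parse import urlparse


def classify_redirect(status, headers, body, requested_url):
    """Return how the server handled a plain-HTTP request for requested_url.

    'server-side' : 3xx with a Location header whose target is https://
                    (the remediation the auditor asks for)
    'client-side' : 200 whose HTML tries to redirect via <meta http-equiv="refresh">
                    or window.location; the auditor treats this as insufficient
    'none'        : plain HTTP content served with no redirect at all
    'other'       : anything else, e.g. a redirect that stays on http://
    """
    lowered_headers = {k.lower(): v for k, v in headers.items()}
    if 300 <= status < 400 and "location" in lowered_headers:
        target = urlparse(lowered_headers["location"])
        # A relative or scheme-less Location cannot switch the scheme to HTTPS.
        return "server-side" if target.scheme == "https" else "other"
    if status == 200:
        lowered_body = body.lower()
        # Heuristic: the two common ways pages redirect without server help.
        if 'http-equiv="refresh"' in lowered_body or "window.location" in lowered_body:
            return "client-side"
        return "none"
    return "other"


def check_url(url, timeout=5):
    """Send one un-followed GET over plain HTTP and classify the reply (needs network)."""
    parts = urlparse(url)
    if parts.scheme != "http":
        raise ValueError("give the http:// form of the URL, e.g. http://example.test/login")
    conn = HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    conn.request("GET", parts.path or "/", headers={"Host": parts.hostname})
    resp = conn.getresponse()
    body = resp.read(65536).decode("utf-8", "replace")
    return classify_redirect(resp.status, dict(resp.getheaders()), body, url)


if __name__ == "__main__":
    # Usage: python check_redirect.py http://example.test/login
    print(check_url(sys.argv[1]))
```

Only 'server-side' satisfies the remediation text; 'client-side' and 'none' are the results that would reproduce the finding.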
