1. If my school has an onMessage website, what URL should I scan?

The correct URL to scan if you have an onMessage website is your login domain, for example https://schoolname.myschoolapp.com. You should also supply your scan vendor with the URL of your giving page (or any other page that accepts credit cards).

Since no SSL activity and no credit card transactions take place on your front end website, the public URL of your website does not need to be scanned for PCI purposes.

2. If my school has a Podium website, what URL should I scan?

The correct URL to scan if you have a Podium website is your public domain with "www" (for example http://www.example.com). 

3. My PCI Scan failed with the error: "web server http header internal ip disclosure"

This may happen if you scan the root domain of your website (example.com) rather than the www record. If configured correctly, the DNS for the root domain of your public URL points at a redirect server that redirects all requests for the root domain (example.com) to the www record (www.example.com); it is that redirect server, not your website, that the scanner is reporting on.

This is not a failure of the scan so much as it is scanning the wrong URL.
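A quick way to confirm which of the two situations you are in before opening a ticket is to look at the single response the root domain returns, without following redirects: it should be a redirect whose Location points at the www record, and none of its headers should contain a private (RFC 1918) address, which is what the "internal ip disclosure" finding is about. The script below is an added example, not part of this article or of any WhippleHill/Blackbaud tooling; the two responses it checks are constructed sample data, and fetch_response is an optional helper for running the same check against a live URL.

```python
import http.client
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample responses (not real scan output).
# GOOD_RESPONSE is what a correctly configured root-domain redirect server returns.
GOOD_RESPONSE = {
    "status": 301,
    "headers": {"Location": "http://www.example.com/", "Server": "redirector"},
}
# BAD_RESPONSE redirects to an internal address and leaks another one in a Via header,
# which is the kind of response that triggers the "internal ip disclosure" finding.
BAD_RESPONSE = {
    "status": 302,
    "headers": {"Location": "http://10.0.0.12/index.html", "Via": "1.1 10.0.0.5"},
}

REDIRECT_STATUSES = (301, 302, 307, 308)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def leaked_private_ips(headers):
    """Return every private, loopback or link-local IPv4 address found in a header value."""
    found = []
    for value in headers.values():
        for candidate in IPV4_RE.findall(value):
            try:
                ip = ipaddress.ip_address(candidate)
            except ValueError:
                continue  # e.g. "300.1.1.1" matches the regex but is not an address
            if ip.is_private or ip.is_loopback or ip.is_link_local:
                found.append(str(ip))
    return found


def redirects_to_www(response, root_domain):
    """True when the root-domain response is a redirect to www.<root_domain>."""
    if response["status"] not in REDIRECT_STATUSES:
        return False
    location = urlparse(response["headers"].get("Location", ""))
    # Location must be absolute and point at the www record, nothing else.
    return location.scheme in ("http", "https") and location.hostname == f"www.{root_domain}"


def check_root_domain(response, root_domain):
    """Summarise whether the root domain behaves like the redirect server described above."""
    return {
        "redirects_to_www": redirects_to_www(response, root_domain),
        "leaked_ips": leaked_private_ips(response["headers"]),
    }


def fetch_response(url, timeout=10):
    """Fetch one response for url WITHOUT following redirects (needs network access)."""
    parsed = urlparse(url)
    conn_cls = http.client.HTTPSConnection if parsed.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parsed.hostname, parsed.port, timeout=timeout)
    conn.request("GET", parsed.path or "/", headers={"Host": parsed.hostname})
    resp = conn.getresponse()
    return {"status": resp.status, "headers": dict(resp.getheaders())}


if __name__ == "__main__":
    for name, resp in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        print(name, check_root_domain(resp, "example.com"))
    # Live check (uncomment to run against your own root domain):
    # print(check_root_domain(fetch_response("http://example.com/"), "example.com"))
```

If the live check shows a redirect to the www record and an empty leaked_ips list, the finding came from scanning the wrong URL; if leaked_ips is not empty the response itself is exposing addressing information and the host that produced it should be looked at.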

4. My PCI Scan failed with the error: "SSL Certificate Expiry"

This may happen if an onMessage school scans their public URL (www.example.com). Beginning in November 2014 WhippleHill stopped renewing certificates for onMessage front end websites because all SSL transactions now happen through either myschoolapp.com or onwhipplehill.com. You can read more about that change in our SSL White Paper.

This is not a failure of the scan so much as it is scanning the wrong URL if you have an onMessage site.

For schools that still have a Podium website, this particular error should be investigated by WhippleHill support.

5. My PCI Scan failed with the error: "SSL Certificate with Wrong Hostname"

This may happen if an onMessage school scans their public URL (www.example.com). Beginning in November 2014 WhippleHill stopped renewing certificates for onMessage front end websites because all SSL transactions now happen through either myschoolapp.com or onwhipplehill.com. You can read more about that change in our SSL White Paper.

This is not a failure of the scan so much as it is scanning the wrong URL if you have an onMessage site.

For schools that still have a Podium website, this particular error should be investigated by WhippleHill support.

6. My PCI Scan failed with the error: "OpenSSL ChangeCipherSpec Man in the Middle Vulnerability, CVE-2014-0224"

This happens because the scanning application misinterprets the results of the scan and reports a vulnerability where there isn't one.

You can see in the F5 knowledge base article linked below that our servers run a version (11.6.0) that is listed in the "Versions known to be not vulnerable" column.

https://support.f5.com/kb/en-us/solutions/public/15000/300/sol15325.html

The article includes the following note:

Note: NATIVE SSL ciphers on affected versions are not vulnerable. However, some vulnerability scanners may generate false positive reports when run against BIG-IP virtual servers that are configured to use ciphers supported by the NATIVE SSL stack. This includes all ciphers enabled by the default cipher string.

7. My PCI Scan failed with the error: "TLSv1.0 Supported"

If the Trustwave Vulnerability Scan Report gives a failing PCI compliance status with "TLSv1.0 Supported" as the noted vulnerability, it is because of our support for older browsers. The report may carry this note: "Note to scan customer: This vulnerability is not recognized in the National Vulnerability Database. TLS v1.0 violates PCI DSS and is considered an automatic failing condition."

At this time TLSv1.0 is kept enabled to support older browsers, and disabling it would cause issues with a good number of the browser versions your constituents still use to access the site.

https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf

The PCI DSS v3.1 document linked above says: "Note: SSL and early TLS are not considered strong cryptography and cannot be used as a security control after June 30, 2016. Prior to this date, existing implementations that use SSL and/or early TLS must have a formal Risk Mitigation and Migration Plan in place."

We will begin investigating whether it is possible for us to remove TLSv1.0 as an option and what impact that may have on older browsers.

To address this PCI scan failure please contact Blackbaud Product support for assistance.

8. I can't connect to SSL pages from older browsers.

On 7/1/15 Blackbaud will be making a change to how SSL functions on all Podium and "ON" products in response to a change made to the PCI DSS standard in April 2015. The change involves disabling TLS 1.0 for Podium and "ON" products on July 1, 2015. This change will also improve PCI scan results.

When TLS 1.0 is disabled, some older browsers will no longer have access to the App or Podium. 

Incompatible browsers include:
  • Chrome v21 and prior on all OS
  • Stock Android Browser v4.3 and prior
  • Firefox prior to v23 on all OS
  • Internet Explorer v9 and prior on Windows Vista (Server 2008) and prior
  • Mobile Internet Explorer v9 and prior
  • Opera v7 and prior
  • Safari v6 and prior
  • Safari Mobile v5 and prior

TLS 1.1 and 1.2 can be enabled on the following browsers but are disabled by default:
  • Internet Explorer v8-10 on Windows 7 and newer (see question 10 below)
  • Stock Android Browser v4.4-v4.4.4 (all Kit Kat)
  • Firefox v23-26
  • Mobile Internet Explorer v10
  • Opera v8
  • Opera v10-12.17

9. What kind of error message will I see if my browser does not support TLS 1.1 or 1.2?

This is an example error from Internet Explorer v8 on Windows 7 with TLS 1.1 and 1.2 disabled.

[Image: error page shown by Internet Explorer v8 on Windows 7 when TLS 1.1 and 1.2 are disabled]

10. How to enable TLS 1.1 and 1.2 in Internet Explorer versions 8-10 on Windows 7

After the TLS change described above is made, customers connecting with Internet Explorer versions 8 to 10 on Windows 7 will need to enable TLS 1.1 and 1.2 support in their browser manually, because those versions have it disabled by default. Keep in mind that you may also run into other issues unrelated to SSL when using older browsers such as Internet Explorer versions 8 to 10.

To enable TLS 1.1 and 1.2:

  1. Open Internet Explorer.

  2. Click on the "Tools" menu.

  3. Select "Internet Options"

  4. Select the "Advanced" tab and scroll to the bottom.

  5. Using the image below, disable the older and less secure versions of SSL and TLS (marked in red).

  6. Using the image below, enable TLS 1.1 and 1.2 (marked in green).

[Image: Internet Explorer "Advanced" tab showing the SSL/TLS checkboxes, with the older protocols marked in red and TLS 1.1/1.2 marked in green]
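The checkboxes in the steps above map onto a single bitmask stored in the registry, so an administrator who has to apply this to many Windows 7 machines, or verify what a machine is currently set to, can read and rewrite that value instead of clicking through the dialog. The script below is an added example and not part of this article or of any Blackbaud tooling; it assumes the SecureProtocols DWORD under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings (the value behind the Internet Options "Advanced" tab, with SSL 2.0 = 8, SSL 3.0 = 32, TLS 1.0 = 128, TLS 1.1 = 512, TLS 1.2 = 2048), which is documented by Microsoft rather than by this page. The bitmask logic runs anywhere; the registry read/write only runs on Windows.

```python
import sys

# Bit values of the SecureProtocols DWORD (assumption from Windows documentation,
# not from the article above). Each bit corresponds to one "Use SSL/TLS x.y" checkbox.
PROTOCOL_BITS = {
    "SSL 2.0": 0x8,
    "SSL 3.0": 0x20,
    "TLS 1.0": 0x80,
    "TLS 1.1": 0x200,
    "TLS 1.2": 0x800,
}
REG_PATH = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"
REG_VALUE = "SecureProtocols"
# Steps 5 and 6 above: keep only TLS 1.1 and 1.2 enabled.
DESIRED = frozenset({"TLS 1.1", "TLS 1.2"})


def enabled_protocols(value):
    """Decode a SecureProtocols value into the list of protocols it enables."""
    return sorted(name for name, bit in PROTOCOL_BITS.items() if value & bit)


def hardened_value(current, keep=DESIRED):
    """Clear the SSL 2.0/3.0 and TLS 1.0 bits, set TLS 1.1/1.2, leave unrelated bits alone."""
    value = current
    for name, bit in PROTOCOL_BITS.items():
        if name in keep:
            value |= bit
        else:
            value &= ~bit
    return value


def audit(current):
    """Report what a machine has enabled and whether it still needs the change."""
    return {
        "enabled": enabled_protocols(current),
        "needs_change": hardened_value(current) != current,
    }


def read_current_value():
    """Read the per-user SecureProtocols DWORD (Windows only)."""
    import winreg  # only available on Windows
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, REG_PATH) as key:
        value, _ = winreg.QueryValueEx(key, REG_VALUE)
    return value


def apply_hardened_value():
    """Rewrite SecureProtocols so that only TLS 1.1 and 1.2 are enabled (Windows only)."""
    import winreg
    current = read_current_value()
    new = hardened_value(current)
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, REG_PATH, 0, winreg.KEY_SET_VALUE) as key:
        winreg.SetValueEx(key, REG_VALUE, 0, winreg.REG_DWORD, new)
    return current, new


if __name__ == "__main__":
    # Constructed sample: a Windows 7 / IE8 default of SSL 3.0 + TLS 1.0 (0xA0).
    sample = 0xA0
    print("before:", audit(sample))
    print("after: ", audit(hardened_value(sample)))
    if sys.platform == "win32":
        before, after = apply_hardened_value()
        print(f"registry updated: {before:#x} -> {after:#x}")
```

Running it with no arguments on a non-Windows machine only prints the before/after decoding of the constructed sample; on Windows it also rewrites the current user's setting, which takes effect the next time Internet Explorer starts. Because the Advanced tab is per user, the same value would need to be written under each user profile (or pushed by Group Policy) on a shared computer.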