
Security & PCI Compliance

At WineDirect we take security very seriously and are pleased to announce the achievement of Payment Card Industry Data Security Standard (PCI DSS) Service Provider Level 1 Compliance. Level 1 is the most stringent compliance level for the safe handling of credit cardholder data. We also ensure that our partners such as Amazon (where our servers are hosted) and our merchant partners handle security properly. We adhere to the PCI compliance standards outlined by the PCI Compliance Standards Council for the storing, processing, and transmission of credit card data and cardholder information.

WineDirect performs quarterly third-party PCI compliance scans to maintain PCI compliance and can provide clients with the appropriate documents verifying our compliance.


Security & Compliance FAQs

  1. What is PCI Compliance?
  2. Is WineDirect PCI Compliant?
  3. Do you have signed documents that WineDirect is PCI compliant?
  4. How is credit card data handled in WineDirect?
  5. How are WineDirect's databases secured?
  6. How are WineDirect's servers secured?
  7. My PCI Compliance Scan failed, what should I do?
  8. What are WineDirect's URLs and IP Addresses?

What is PCI Compliance?

PCI-DSS [Payment Card Industry Data Security Standard] is the global data security standard that any business of any size must adhere to in order to accept payment cards, and to store, process, and/or transmit cardholder data. Businesses must perform regular scans to ensure their ongoing adherence to PCI compliance standards. For more information please see the following resources:

PCI Compliance Standards Council: https://www.pcisecuritystandards.org

ComplianceGuide.org: https://www.pcicomplianceguide.org/pci-faqs-2/


Is WineDirect PCI Compliant?

Yes. WineDirect has achieved Payment Card Industry Data Security Standard (PCI DSS) Service Provider Level 1 Compliance, the most stringent compliance level for the safe handling of credit cardholder data. The Attestation of Compliance was obtained after a rigorous 8-month audit process. You can rest easy knowing WineDirect meets the same expectations as platforms such as Shopify and BigCommerce.


Do you have signed documents that WineDirect is PCI compliant?

Yes. You can request these documents by emailing security@winedirect.com.


How is credit card data handled in WineDirect?

Credit card data is stored for clubs, recurring transactions, and refunds. Credit card data is encrypted and is never exposed. WineDirect uses the Triple DES (3DES) encryption algorithm for credit cards.


How are WineDirect's databases secured?

WineDirect's databases sit in a DMZ behind a VPN, which ensures that there is no direct access to our production or staging databases.


How are WineDirect's servers secured?

WineDirect's servers are hosted on Amazon's cloud-based web services (AWS), which are Level 1 PCI-DSS certified. This means that Amazon's compliance covers all requirements defined by PCI DSS for physical infrastructure service providers, i.e. the facilities where the physical servers are housed.


My PCI Compliance Scan failed, what should I do?

First, review the full scan report sent to you by your PCI compliance scan provider. The most common failure notice, and one that you can address, is a failure due to open TLS 1.0 connections.

What you should know

TLS 1.0 connections are being phased out over the next few years; however, all major eCommerce providers still use these connections for some functions. These connections remain PCI compliant as long as the eCommerce provider has a risk mitigation plan in place during the transition period. A large share of web users have not yet updated their browsers and still use systems that support only TLS 1.0.

Existing software and systems have a grace period (until June 30th, 2018) to update while customers and browsers migrate to newer versions. Software vendors may keep these connections open as long as a risk mitigation plan is in place for the transition period.

How can I resolve this on my scan?

During this transition period your scan provider needs to know which steps your eCommerce provider (WineDirect) is taking to provide a secure environment and that a risk mitigation plan is in place. Please download the document below, modify any bold text, and send it to your scan provider for TLS 1.0 PCI failures.

PCI TLS Connection Risk Mitigation Plan


What are WineDirect's URLs and IP Addresses?

The WineDirect platform is made up of several applications, each running on different URLs and IP addresses. The platform is hosted in Amazon's cloud infrastructure, and by design all IP addresses are dynamic and may change at any time.

If you work for a large company or enterprise, or operate on a shared network, network or internet security may be enforced by restricting access to pre-approved (whitelisted) URLs only. To ensure the WineDirect platform applications work, you will need to either whitelist the wildcard *.vin65.com to approve all URLs, or whitelist the full list of URLs below if wildcards are not permitted. Permitting access by IP address is not an option, as the IP addresses are dynamic and change frequently.

If your payment gateway is Chase Paymentech, you will need to register all WineDirect outbound IP addresses with Chase to ensure payment transactions will go through. See below for the list of IP addresses to register.

Domains to whitelist:
*.vin65.com
*.winedirect.com
winedirect.auth0.com

Entire list of URLs to whitelist, if wildcards are not permitted:

Australian Clients
siteadmin.aus.vin65.com
siteadmin1.aus.vin65.com
siteadmin2.aus.vin65.com
pos.aus.vin65.com
webservices.aus.vin65.com
sftp.aus.vin65.com
 
North America and all other Regions
pos.vin65.com
pos1.vin65.com
pos2.vin65.com
pos3.vin65.com
pos4.vin65.com
pos5.vin65.com
siteadmin.uswest.vin65.com
siteadmin.uswestvpc.vin65.com
siteadmin20.uswest.vin65.com
siteadmin21.uswest.vin65.com
siteadmin22.uswest.vin65.com
siteadmin23.uswest.vin65.com
siteadmin24.uswest.vin65.com
siteadmin25.uswest.vin65.com
siteadmin26.uswest.vin65.com
siteadmin27.uswest.vin65.com
siteadmin28.uswest.vin65.com
siteadmin29.uswest.vin65.com
siteadmin30.uswest.vin65.com
siteadmin31.uswest.vin65.com
siteadmin32.uswest.vin65.com
siteadmin33.uswest.vin65.com
pos.uswest.vin65.com
pos.uswest2.vin65.com
webservices.vin65.com
webservices.uswest.vin65.com
sftp.uswest.vin65.com
rms.uswest.vin65.com
rmsshipping.uswest.vin65.com
winedirect.auth0.com
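The wildcard versus explicit-list choice above has a classic pitfall: a naive suffix match on "vin65.com" also accepts look-alike hosts such as notvin65.com. The following is an added example (not WineDirect code) of an allowlist matcher for the entries on this page; it assumes, as most proxies do, that `*.vin65.com` means one or more labels under vin65.com and not the bare apex, and it rejects literal IPs because the page states the platform's IPs are dynamic.

```python
"""Hostname allowlist matcher for the WineDirect entries listed above.

Constructed example; it is not WineDirect's own tooling.
"""
import ipaddress

# Entries copied from the page. Assumption: '*.' covers one or more
# subdomain labels and does NOT cover the apex name itself.
ALLOWLIST = ["*.vin65.com", "*.winedirect.com", "winedirect.auth0.com"]


def _normalize(host: str) -> str:
    # Case-insensitive, and tolerate a trailing dot (FQDN form).
    return host.strip().rstrip(".").lower()


def host_allowed(host: str, allowlist=ALLOWLIST) -> bool:
    """Return True only if `host` matches an allowlist entry on a label boundary."""
    h = _normalize(host)
    if not h:
        return False
    # Literal IPs never match: the platform's addresses are dynamic,
    # so an allowlist built on them would silently break.
    try:
        ipaddress.ip_address(h)
        return False
    except ValueError:
        pass
    for entry in allowlist:
        e = _normalize(entry)
        if e.startswith("*."):
            # Keep the leading dot so 'notvin65.com' cannot match '.vin65.com'.
            if h.endswith(e[1:]):
                return True
        elif h == e:
            return True
    return False


def uncovered_by_wildcards(hosts, wildcards=("*.vin65.com", "*.winedirect.com")):
    """Hosts from the explicit list that the wildcard entries alone would miss."""
    return [h for h in hosts if not host_allowed(h, list(wildcards))]


# Constructed sample drawn from the explicit list on this page.
SAMPLE_HOSTS = ["pos.vin65.com", "siteadmin.aus.vin65.com",
                "sftp.uswest.vin65.com", "winedirect.auth0.com"]
```

Running `uncovered_by_wildcards(SAMPLE_HOSTS)` shows why winedirect.auth0.com must be listed separately: the two vin65/winedirect wildcards do not cover it.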

 

Outbound IP addresses (required by Chase Paymentech):
54.241.148.236 - added June 13th 2013
54.241.167.233 - added June 13th 2013
52.36.209.90 - added February 16th 2016
52.41.45.172 - added June 21st 2016

 

Outbound IP addresses (required by Plug n Pay):
44.230.222.99
52.35.91.238
44.224.139.144
34.213.204.46