The error that cannot pass is "HTTP Server Username Probing", and here is the latest recommendation from my web host:
So basically I need to turn off SEO URL every time for the scan and turn it back on...doesn't sound right?PCI compliance with this particular 'user-probing' issue is not passing because your website has certain rewrite rules which are catching non existent pages. For example, the following URL is an example where the PCI scan expects either 404 or 403 error (i.e not found/forbidden):
Instead, since there is no such page, your website returns 200 OK status and displays an HTML page instead.
We can overcome this, by disabling the SEO URLs until the scan completes, but it would be really much better to mark it as false-positive, as described in your previous ticket.
My compliance company is Trustwave, and I see above that somebody has managed to be compliant with them.
I am using Opencart 1.5.0 and the native Authorize.net module with an SSL certificate.