Expand my Community achievements bar.

Webinar: Adobe Customer Journey Analytics Product Innovations: A Quarterly Overview. Come learn for the Adobe Analytics Product team who will be covering AJO reporting, Graph-based Stitching, guided analysis for CJA, and more!

PCI Failures Due to Cookies

Avatar

Level 5

Hello,

 

We have hit PCI issues due to Adobe Cookies and are unsure how to move forward correcting them. They appear to all be Analytics related and we have set the 'Only Write Secure Cookies' option in the Analytics Plug In.

 

Here are the ones that were called out by the scan:

Cookie Does Not Contain the "HTTPOnly" Attribute:

  • sc_previousPageName=(referring page)
  • intCmpCode=(URL Parameter)
  • s_evar94=(page title)
  • s_evar101=(URL Parameter)

Cookie Does Not Contain the "Secure" Attribute:

  • test=cookie
  • TEST_AMCV_COOKIE=T

We believe that the ones missing the 'Secure' attribute come from the VisitorAPI.js, but we don't know how to update or disable it. There was another post here asking to do so but there wasn't resolution unfortunately. 

 

The evar ones appear to be generated from the Adobe Analytics Plug-Ins, such as 'getPreviousValue' and 'getValOnce' - but Adobe notes that these are not supported by standard support.

 

Obviously PCI compliance is of utmost importance, so we're hoping that others have encountered this and found ways to resolve the issues, any suggestions or advice is greatly appreciated.

 

Thank you!

Robbie

Topics

Topics help categorize Community content and increase your ability to discover relevant content.

3 Replies

Avatar

Community Advisor

Hi, on your Experience Cloud ID Service extension, you should be able to set secure cookies with this:

 

Jennifer_Dungan_0-1724873822553.png

 

 

The other cookies as you mentioned are coming from Adobe plugin code (getPreviousValue and getValOnce, etc). I don't use a lot of the Adobe plugins, but I don't believe those could ever be set to HTTPOnly because by definition, that is a cookie that is set by the server, and only allows the server to manipulate it... and anything you set with a plugin wouldn't comply...

 

 

However, there may be alternate available to you...

 

Activity Map will track the "previous page name" in Activity Map Page (and I believe this uses session storage, not cookies - and shouldn't have the security issue); and as for "getValOnce", you can create a segment using "Non Repeating Instance" to essentially get the same thing.

https://experienceleague.adobe.com/en/docs/analytics/components/segmentation/segmentation-workflow/s...

Avatar

Level 5

Thank you @Jennifer_Dungan ! We'll be updating the Experience Cloud ID extension right away, we didn't know about that one.

 

Interesting idea with the Activity Map! We'll work with some of our super users to see if that can work. 

 

Great ideas, thanks for chiming in!

Avatar

Community Advisor

You're welcome. I hope you can get what you need with some work-arounds!