Hello,
We have hit PCI issues due to Adobe Cookies and are unsure how to move forward correcting them. They appear to all be Analytics related and we have set the 'Only Write Secure Cookies' option in the Analytics Plug In.
Here are the ones that were called out by the scan:
Cookie Does Not Contain the "HTTPOnly" Attribute:
- sc_previousPageName=(referring page)
- intCmpCode=(URL Parameter)
- s_evar94=(page title)
- s_evar101=(URL Parameter)
Cookie Does Not Contain the "Secure" Attribute:
- test=cookie
- TEST_AMCV_COOKIE=T
We believe that the ones missing the 'Secure' attribute come from the VisitorAPI.js, but we don't know how to update or disable it. There was another post here asking to do so but there wasn't resolution unfortunately.
The evar ones appear to be generated from the Adobe Analytics Plug-Ins, such as 'getPreviousValue' and 'getValOnce' - but Adobe notes that these are not supported by standard support.
Obviously PCI compliance is of utmost importance, so we're hoping that others have encountered this and found ways to resolve the issues, any suggestions or advice is greatly appreciated.
Thank you!
Robbie
