Questions tagged [pci-dss]

The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide security standard that was formed with the support of credit card companies to align their security standards.

155 questions
Timeout ssh sessions after inactivity? (7 votes, 5 answers)

PCI-DSS 3.0 requirement 8.1.8 states: "If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session." Same was in PCI-DSS 2.0 requirement 8.5.15. The first, and most obvious, way to…

Asked by Insyte
What is the best Web Application Firewall for IIS? (7 votes, 8 answers)

What is the best Web Application Firewall (WAF) for IIS? What makes it better than the others? How useful is it at blocking attacks against poorly written code, otherwise known as an Intrusion Prevention System (IPS)? WAFs are required by the…

Asked by Rook
PCI compliance on IIS 6.0 (7 votes, 3 answers)

I have a website that has just failed a PCI Compliance check. The report said that the site supported weak ciphers. I thought I'd already disabled that by turning off SSL 2.0 on the webservers. (It refuses to load a web page if I tell the browser…

Asked by Colin Mackay
How to maintain PCI compliance on a LAMP server when repositories don't keep up with versions (6 votes, 1 answer)

We run Ubuntu Lucid 10.0.4 as the foundation of our LAMP environment. We are trying to become PCI compliant so that we can pass CC info through our server. We have run some third-party scans on our servers to begin the certification process and have…

Asked by Jared Green
IPv6: Should I have private addresses? (6 votes, 1 answer)

Right now, we have a rack of servers. Every server right now has at least 2 IP addresses, one for the public interface, another for the private. The servers that have SSL websites on them have more IP addresses. We also have virtual servers, that…

Asked by Reece45
CentOS, OpenSSH, PCI, CVE-2016-10009 (5 votes, 3 answers)

TrustWave has become a little better in accommodating CentOS in their scans. I can now at least select "I have backported software" when I file a dispute. But they are still providing excellent job security by requiring hours of painstaking…

Asked by cdonner
Auditd in a PCI-DSS-compliant Linux cluster (5 votes, 0 answers)

I'm familiar with some of the more common ways of configuring a Linux server to be compliant with PCI-DSS 3.2, at least to the requirements of SAQ A. A common concern is requirement 8.5 which requires that: Generic user IDs and accounts are…

Asked by richard
Limit number of concurrent users switching to root account? (5 votes, 1 answer)

This is for Ubuntu 14.04 and CentOS 7. I need to limit the number of users actively running as root, i.e. logged in as root on the CLI. Basically, I want only one user at a time to be able to run commands as root. The purpose here is auditing. I…

Asked by JDS
Virtual terminal PCI compliance (5 votes, 0 answers)

The PCI DSS compliance rules say that if we use any computers to take card payments via a web based virtual terminal, then those PCs must be isolated from the rest of the IT network (otherwise the entire IT network comes under the scope of PCI…

Asked by Simon White
Options for PCI-DSS on AWS - file integrity monitoring and intrusion detection (5 votes, 2 answers)

I need to deploy some file integrity monitoring and intrusion detection software on AWS instances. I really wanted to use OSSEC, however it does not work well in an environment where servers can auto deploy and shut down based on load, because it…

Asked by Brill Pappin
SSL/TLS Cipher Priority (5 votes, 2 answers)

I am working on trying to make sense of what is required for both PCI DSS compliance as well as FIPS compliance in relation to SSL/TLS cipher suites. I have been reading the guide here and here. However, I have not been able to find anything that…

Asked by John
Updating OpenSSH to latest stable version via yum (5 votes, 5 answers)

I am running CentOS 5.7 and need to upgrade OpenSSH to the latest stable version (PCI compliance issues). However, the most recent version available via the CentOS yum repository is 4.3p2. How can I update to the latest stable version using yum? …

Asked by smusumeche
Why is TLS 1.0 still seemingly supported on a "minimum TLS 1.2" web app service on Azure? (4 votes, 1 answer)

We have an app service on Azure, and as Microsoft made available recently (April 30 2018), we now have an option to require TLS 1.1 or 1.2: We run hackerguardian scans for PCI compliance, yet they still return failure on TLS support: I also…

Asked by Kraz
How do I disable TLS 1.0 without breaking my IIS/ASP.NET websites? (4 votes, 2 answers)

We are running Windows Server 2008 R2. TLS 1.0 has been non-PCI compliant for some time now, and disabling it via the Windows registry is easy. In the past, though, disabling TLS 1.0 has caused 2 problems for us: It's impossible to connect to the…

Asked by HerrimanCoder
How to enable TLS 1.1 **minimum** on vsftpd (4 votes, 4 answers)

I'm trying to secure my infrastructure to meet the PCI-DSS standard using securitymetrics.com. The standard mandates the use of TLS 1.1 minimum (with a CBC cipher). TLS 1.0 is not allowed. While securing ftp (vsftpd), I have disabled sslv2 and…

Asked by adminz