Questions tagged [pci-dss]

The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide security standard that was formed with the support of credit card companies to align their security standards.

155 questions
4
votes
4 answers

Options for PCI-DSS 11.5 - Deploy file integrity monitoring software

I'm looking for options to be compliant with PCI-DSS section 11.5 for some servers I manage at the datacenter. There are several servers (less than 20) and they are mostly CentOS5, but there are some RHEL4 and Solaris9 Sparc. I believe Tripwire,…
dialt0ne
  • 3,065
  • 20
  • 27
4
votes
5 answers

How Can I Enable MSS Group Policy Settings Windows Server 2012

In the past I have gone through a server hardening checklist on a Windows Server 2008 web server for PCI compliance. Basically there are a lot of Group Policy, Registry, and other settings that need to conform to the industry best practices for…
ibsk8in31
  • 103
  • 2
  • 2
  • 6
4
votes
1 answer

PCI DSS compliance on a virtualized server running Xen

I have a server running xen with HVM and would like to make one VM PCI compliant. I've read the PCI virtualization guide and it says that I need to make sure there is no information leakage between VM's. How can I make sure each OS is unable to…
devnill
  • 307
  • 1
  • 2
  • 19
4
votes
2 answers

Making our small business network PCI-DSS Compliant

We're required to become PCI-DSS compliant so we can process client payments via our website and in the office. Our network is made up of a single SBS 2008 server and 10 workstations, all connected to a single LAN on a Dell Switch. The Internet…
Reado
  • 702
  • 2
  • 10
  • 25
4
votes
2 answers

How do I properly disable cgi scripts e.g. guestbook.cgi on WHM

After a PCI scan identified guestbook.cgi as a risk, I want to disable the cgi-scripts installed by WHM (v11, running on CentOS5). I would like to do this "properly" using the WHM Web interface if possible (so this configuration survives an update…
agtb
  • 226
  • 2
  • 8
4
votes
3 answers

CentOS PCI Compliance assessment

We are currently working our way through a PCI compliance assessment on our server running CentOS. We are getting a lot of 'severe' issues with suggested fixes. The suggestions to rectify the issues are mostly to update the packages to the latest…
dannymcc
  • 2,717
  • 10
  • 48
  • 72
4
votes
3 answers

Trustwave PCI Compliance scan fails for fully patched CentOS 5.5

I have a fully patched CentOS 5.5 server that is failing the Trustwave PCI compliance scan. The item it is complaining about is openssl < 0.9.8.o. rpm -q openssl shows: openssl-0.9.8e-12.el5_5.7 The apache header banner shows: Server:…
John P
  • 1,679
  • 6
  • 38
  • 59
4
votes
2 answers

PCI Compliance: Wireless Analyzer that "Detects" rogue AP's on the LAN?

We're trying to fulfill the PCI Compliance requirement for a Wireless Analyzer that detects the presence of rogue AP's on the internal LAN. Questions: Are there a class of devices that will accomplish this requirement? How does such a device…
I.T. Support
  • 601
  • 2
  • 11
  • 27
4
votes
1 answer

SQL Server encryption - rotate keys for PCI compliance

PCI compliance requires annual rotation of keys. The definition of "rotation of keys" that I keep coming across is decrypting your data, then re-encrypting with a new key. Really? Everyone out there is decrypting / encrypting all their encrypted…
Hank
  • 41
  • 1
  • 2
4
votes
3 answers

With regards to Windows Updates, just how screwed are we?

We have a small "secured network" in our office. And by small I mean it's a Windows 7 PC connected to a firewall which connects to an internet connection. It's for processing card transactions in compliance with PCI DSS. One of the requirements of…
One Monkey
  • 179
  • 1
  • 11
3
votes
6 answers

What's the difference between PCI and SAS 70 compliance when I am shopping for a hosting company to stick my servers in?

I am looking for hosting, ec2 is SAS 70 compliant (almost) and I would have gone straight for PCI compliant and tier 4 only but I'm considering SAS 70. What are the differences or similarities?
Stewart Robinson
  • 1,155
  • 4
  • 12
  • 24
3
votes
1 answer

Is AWS Glue PCI DSS compliant?

I'm new to the PCI world, but need to research ETL (extract-transform-load) solutions for my team to move data from one place to another. I looked in amazon's list of PCI DSS compliant resources, and I noticed Glue is not there. Does this mean Glue…
3
votes
2 answers

Turn off TLS1.0 on Apache for PCI compliance

PCI DSS compliance stated that by June 2016 TLSv1.0 must be disabled. My cursory search taught me that a -TLSv1 in the SSLProtocols portion of the apache config would care for it (right next to the -SSLv3). I have tried each of the following lines…
wruckie
  • 678
  • 6
  • 22
3
votes
1 answer

PCI DSS Requirement to prevent credit card data in logs, in conflict with having a search box anywhere?

We're currently setting up our existing web service to be PCI-DSS compliant and we're a little stumped on one of the compliance requirements. In short, we need to ensure a credit card number is never stored anywhere in plain text. Our CC submission…
xmakina
  • 31
  • 1
3
votes
2 answers

PCI Compliance: install Apache 2.4.17 on Ubuntu 14.04.3?

I have a VPS running Ubuntu 14.04.3. The latest Ubuntu-supported version of Apache for this release is Apache 2.4.7. But the company for which I configured the server is seeking PCI compliance, and has been denied due to security vulnerabilities…
user548958
  • 31
  • 3