Questions tagged [pci-dss]

The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide security standard that was formed with the support of credit card companies to align their security standards.

155 questions
3 votes, 1 answer

Password policies for Google Cloud Platform

Is there a way to set password policies for accounts accessing a project on Google Compute Platform? Specifically, I need to meet the PCI-DSS requirements, which include things that PAM would normally handle on Ubuntu. These include expiring…
jimm101
3 votes, 4 answers

PCI Compliant hosting? (able to take credit cards)

I've been using 1and1 hosting for a while now and overall I am satisfied with their level of support and the ease of use of their admin panel. However, I'm going to be branching out from just doing my PC repair stuff into doing some e-commerce... In…
3 votes, 1 answer

Cisco CVE-2014-0224 Vulnerability

We have a Cisco RV-042 Small Business router and our PCI scans flagged it as being vulnerable to CVE-2014-0224 (CCS Injection/Man-in-the-Middle). It appears to be another OpenSSL vulnerability. We have the latest firmware (Apr 2014) installed, but…
Sam
3 votes, 1 answer

Upgrading OpenSSH on web server (Ubuntu) for PCI Compliance

I've been trying to upgrade OpenSSH for PCI compliance on our company's web server. I cannot for the life of me figure out how to do this though. I have attempted the following commands via SSH (coupled with their outputs): # ssh -V OpenSSH_5.3p1…
jperezov
3 votes, 1 answer

Ubuntu PCI-DSS Compliance Issue

I'm trying to get PCI compliant and the PCI scanning company is flagging our Ubuntu 12.04 PHP 5.3.10-1ubuntu3.9 for CVE-2013-1635. According to http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-1635.html the Ubuntu response is "We do…
adear11
3 votes, 1 answer

Are CVE-2010-4478 and CVE-2011-0539 fixed in OpenSSH 5.3?

I'm running OpenSSH 5.3p1-81.el6_3, which according to my server is the latest stable version. My PCI scan is showing CVE-2010-4478 and CVE-2011-0539 exploits as being present due to my OpenSSH version. Checking "rpm -q --changelog openssh" shows…
Citizen
3 votes, 1 answer

Blind SQL Injection PCI failure

I am working on a client's PCI compliance. One of the failing items is: 3.1.4. Blind SQL Injection (httpgenericscriptblindsqlinjection) The offered solution is simply: "Ensure that the Web application validates and encodes user input before using…
Aegyptus
3 votes, 1 answer

HAProxy and Stunnel PCI Compliance

I am setting up HAProxy to load balance between two web servers. Some of the pages on the site require SSL. Stunnel is handling the https connections and passing them off to HAProxy (Stunnel contains the cert). HAProxy will hand off requests to…
agabel
3 votes, 1 answer

Staff using login details that do not belong to them, is it legal in a PCI compliant system?

I've got a current problem at work (I'm an IT manager) whereby users are logging into some of our systems using an account which is actually someone else's. We have to be PCI compliant (you should probably note this). Most of the internal systems…
3 votes, 3 answers

Apache mod_ssl configuration for PCI compliance

I need to ensure PCI compliance by limiting mod_ssl to SSLv3 and TLSv1, and ensuring long keys. I've tried the following configuration, but certain combinations of SSLv2 seem to still be valid: SSLCipherSuite…
Roy
3 votes, 2 answers

How secure is Virtualmin?

How secure is Virtualmin? How does it compare to cPanel or other web hosting control panels? Will using Virtualmin prevent me from being PCI compliant?
Josh
3 votes, 1 answer

What fields need to be included when configuring IIS web logging according to PCI compliance regulations?

From what little I know about PCI compliance I need to be logging all web site activity and keeping said logs online for at least 3 months. What I have not been able to get a straight answer on, however, is what fields or properties must be…
Saul Dolgin
2 votes, 5 answers

TLSv1 Not Turning Off in Apache

What is the best way to see where my SSLProtocols might be overridden on a CentOS 7 server? Apache 2.4.6 (realizing this is quite old as well so I'll have to update this off hours and see if it fixes the issue). I'm trying to disable TLSv1 using…
Aaron Chamberlain
2 votes, 1 answer

Overwritten auditd rules in PCI DSS environment

I'm setting up a PCI DSS environment and I'm facing the next problem. When installing the OS (CentOS 7.3 Minimal) I've chosen the profile "PCI DSS". When I was checking the rules applied on /etc/audit/audit.rules there was an enormous number of…
Abel
2 votes, 1 answer

How can I disable SSLv3/TLSv1/TLSv1.1 on port 3389 only

I am trying to remediate SSL/TLS vulnerabilities discovered by our vulnerability scanner. All the methods I have seen so far involve SCHANNEL changes in the registry. The SCHANNEL registry changes are unfortunately system-wide changes and can not be…
John