Questions tagged [pci-dss]

The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide security standard that was formed with the support of credit card companies to align their security standards.

155 questions
2
votes
0 answers

Docker / LXC and PCI-DSS Compliance

We are in payment space and we have built out a lot of our processes in Docker for development environment purposes. Now, we are thinking about converting our production environment which is in Xen (HVM) farm into Docker/LXC environment to keep both…
Jae Lee
  • 141
  • 1
  • 4
2
votes
1 answer

SSL config for web server compatible with PCI-DSS requirements about disabling CBC and TLSv1.0

I'm looking for web server (nginx) configuration that supports current (Nov 2015) PCI-DSS requirements about SSL: No TLSv1.0 (only TLSv1.1 and TLSv1.2, and TLSv1.3 in the future). No weak ssl ciphers, it means no CBC (Cipher Block Chaining), no DES,…
Jack
  • 156
  • 1
  • 5
2
votes
1 answer

Audit trail for all actions taken with admin privileges

PCI DSS 10.2 says, "Implement automated audit trails for all system components to reconstruct the following events:" and 10.2.2 continues, "All actions taken by any individual with root or administrative privileges." I am struggling to make this…
Zek
  • 568
  • 3
  • 10
  • 24
2
votes
2 answers

How do I get a friendly error page to replace the asp.net error page for url "WEB-INF./web.xml"?

This url is part of a pci compliance scan and it is flagging the very sparse asp.net error page returned, which on the live site is a 500 status code and the text Server Error in '/' Application. Runtime Error Description: An exception occurred…
quentin-starin
  • 141
  • 1
  • 8
2
votes
1 answer

Disabling SSL Renegotiation

We need to stop using (insecure) SSL renegotiation for a series of e-commerce sites we provide due to PCI regulations. Does anyone know of the implications of doing so assuming that we don't enable secure renegotiation? Would SSL just re-establish a…
mbuk2k
  • 139
  • 1
  • 2
  • 9
2
votes
3 answers

Disable all but RC4 in apache

Our PCI compliance vendor requires that we disable all but RC4 encryption on our web server. Currently our apache config file looks like this: SSLHonorCipherOrder On SSLCipherSuite…
Daniel
  • 251
  • 4
  • 12
2
votes
2 answers

Auditing changes to the audit log

I have configured auditd for PCI compliance reasons. PCI states that existing logs cannot be changed without generating an alert. This article http://ptresearch.blogspot.com/2010/11/requirement-10-track-and-monitor-all.html recommends doing this: -w…
user185704
  • 55
  • 7
2
votes
1 answer

Filter incoming traffic to UDP port for pci compliance

It had been recommended for PCI compliance that I filter incoming traffic to UDP port 5353. Please can someone advise what the steps are to do this? I am currently using CentOS 5.7 64 bit.
Dino
  • 47
  • 1
  • 3
  • 5
2
votes
1 answer

Need guidance on network design in multi-building campus

How can we create a secured, segmented network among multiple buildings when all the data has to go through a single cable? Background: I work for a non-profit organization that has 5 buildings on one campus. We do not have an IT department. Due to…
Paul S.
  • 153
  • 9
2
votes
3 answers

Magento CE PCI Compliance

We are currently trying to achieve PCI compliance using Trustwave's vulnerability scanner. The Magento version is 1.5.1.0, running on CentOS 5. We are down to the last issue according to the PCI Compliance report. We have disputed the issue but they…
dannymcc
  • 2,717
  • 10
  • 48
  • 72
2
votes
1 answer

Will disabling SSL 2.0 automagically make it use SSL 3.0 in IIS7?

I am running a Windows 2008 server with IIS7. I need to use SSL 3.0 for PCI compliance but whenever I read up on using it, all the articles explain to disable SSL 2.0. If I do this, will IIS automatically use SSL 3.0 from that point on? In the…
webnoob
  • 465
  • 2
  • 16
  • 35
2
votes
2 answers

PCI Compliance for average e-commerce website in the cloud

I am creating an "average" e-commerce website (using drupal and ubercart if that matters). I've read about pci compliance in the past, and that's why I'm wondering how I can see what applies to my situation. I'll probably be going with "rackspace…
Matthew
  • 1,859
  • 4
  • 22
  • 32
2
votes
5 answers

Failed PCI Compliance - The remote SMTP server is vulnerable to a buffer overflow

Hey guys, I have tried allowing the scanner's IP to be accepted through IPTABLES into the SMTP port, but the scan still fails. This is the error: The remote SMTP server is vulnerable to a buffer overflow. The SMTP server doesn't even crash. I have…
Darren
  • 85
  • 1
  • 8
2
votes
1 answer

Things IT needs to do for compliance in a private company?

My company is a private, family-owned business. The company is headquartered in the USA and also runs businesses in several countries including Mexico, the UK, Canada, the Caribbean islands and a few other countries in S. America. My boss and I had a discussion…
Santosh Chandavaram
  • 245
  • 1
  • 2
  • 10
2
votes
1 answer

How do I get SMTP Port 25 to be PCI Compliant on OS X 10.6 Server?

When running PCI security scans on this server it fails on port 25 with: SSL Server Supports Weak Encryption nCircle ID: 6174 Port: 25 CVSS Score: 5.8 Not Compliant Description The SSL (Secure Socket Layer) Server supports weak encryption…
user32738