Questions tagged [pci-dss]

The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide security standard that was formed with the support of credit card companies to align their security standards.


155 questions
2 votes · 2 answers

IIS 10 how do I remove internal IP address from response headers

IIS 10 on Windows Server 2016. All current patches are installed. A recent PCI scan claims that the internal IP address of the server is being leaked in HTTP headers. Unfortunately, this scanning company does not give you any details as to how they…
CB_Ron
1 vote · 2 answers

What is the best solution for PCI-DSS compliance?

I'm comparing different solutions for PCI-DSS compliance, reading a lot of white papers and brochures regarding RSA enVision, Splunk, LogRhythm, SenSage, ArcSight and OSSEC. Unfortunately, comparison has been difficult because of the lack of details…
TH.
1 vote · 1 answer

OSSIM setup in AWS

I have set up OSSIM in my VirtualBox and it's working fine. I tried to set up OSSIM in the AWS cloud, but AlienVault stopped the AMI for new customers. How are you doing this for PCI-DSS, as we are an SME and prefer to go with open source for log and file integrity…
1 vote · 0 answers

PCI Scan failed with SSL certificate with wrong name

I have an IIS server which hosts around 250+ sites. I am running a PCI scan against one website and it's failing with these 2 errors: Common name of SSL certificate presented on this server is for a different name Title: SSL certificate with wrong…
1 vote · 0 answers

How do I solve CVE-2015-3183 without updating Apache

During the latest app scan in my project, CVE-2015-3183 has popped up. I have looked everywhere on the net for a solution. The solution is simple: update your Apache. The problem is we cannot update our Apache for the next 3 to 4 months as it requires lots…
1 vote · 1 answer

(PCI-DSS, APF) Firewall UDP Packet Source Port 53 Ruleset Bypass?

I am handling vulnerabilities reported by a PCI-DSS scanner, and one of them is new to me: Title Firewall UDP Packet Source Port 53 Ruleset Bypass Synopsis: Firewall rulesets can be bypassed. Impact: It is possible to bypass the rules of the…
jimp
1 vote · 1 answer

inactive option not working for pam_lastlog.so

I'm trying to set up my system to lock out inactive users after 10 days. I'm using CentOS 6.x, and looking at the RHEL manual, this is what I found: To lock out an account after 10 days of inactivity, add, as root, the following line to the auth section…
Jakov Sosic
1 vote · 2 answers

How do you configure postfix to only try unencrypted email with a fixed list of IP addresses/domains?

A PCI scan told me to stop using TLS 1.0 for e-mail. I'm using postfix, so I disabled TLS 1.0, and all traffic for 1.0 stopped. Then the next day I looked at the logs and I see a lot of this... connect from…
Sam Sanders
1 vote · 1 answer

Apple Mail, Kerio Connect and TLSv1 disabled

Due to PCI-DSS now requiring that TLSv1 be disabled to pass our network scan, I have the following issue. Using Kerio Connect mail server (www.kerio.co.uk), Apple Mail (Yosemite and all the way down to Snow Leopard), iOS 8 devices. If I disable…
Alex Hellier
1 vote · 1 answer

Windows Server 2012 R2 IIS Weak Ciphers Reported After Lockdown

I am having issues getting a Windows Server 2012 R2 64-bit box locked down. I used a tool called IISCrypto to make the box FIPS 140 compliant. I have manually checked the registry entries and all the weak ciphers look disabled, but Retina Network…
cjm4189
1 vote · 0 answers

Tracking user activity in an OpenVZ container?

I have been trying to figure out a way to track user activity in an OpenVZ container for a long time now (like auditd in KVMs). This is a PCI-DSS requirement. I can't seem to find any good alternatives. I was hoping someone out there was using…
Ryan Bick
1 vote · 1 answer

Validating SSL/TLS renegotiation flaw

Our vulnerability scanner (Saint-based) is claiming that a large number of devices and servers are susceptible to the SSL/TLS renegotiation flaw (CVE-2009-3555). Most of these servers and devices are fairly up-to-date on patches / firmware. Since…
Jim Balo
1 vote · 0 answers

Separating Secure Network and DMZ (nonsecure) in a PCI Compliant Infrastructure

We are setting up a PCI Compliant infrastructure where most of our applications are running in a DMZ (demilitarised zone) that contains no sensitive information. The part that contains sensitive information is secured in a private subnet. We have two…
1 vote · 2 answers

Quarterly external vulnerability scans, IPs to include

I have questions regarding the PCI DSS requirements for quarterly external vulnerability scans by an ASV, specifically what public IPs I need to include in these scans. The organization is a retail chain store (the questions pertain to the…
Zek
1 vote · 2 answers

Trustwave PCI scan: DNS amplification denial of service, BIND 9.8.1-P1, doesn't seem like it

In our last TW PCI scan, one of our flags was "DNS Amplification Denial of Service". Right now, the DNS server is running BIND 9.8.1-P1. It seems like the CVEs are for a much older version: CVE-2006-0988, CVE-2006-0987. Given as evidence…
user145837