Questions tagged [pci-dss]

The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide security standard that was formed with the support of credit card companies to align their security standards.

155 questions
1 vote, 1 answer

Bastion host for PCI compliance

A client in the retail industry has a network with point-of-sale (POS) terminals that connect to a POS Server. Additionally, most of the Windows workstations in non-sales areas also connect to the same server. This is because the POS software is…
Zek
1 vote, 1 answer

Remotely Detect Windows Server Service Pack Level

One of our web servers just failed PCI-DSS compliance because the vulnerability scan detected the OS was Windows Server 2003 Service Pack 1 (obviously very outdated!). My question is how did the vuln scan detect this as I can't seem to find a way…
SnakeDoc
1 vote, 1 answer

PCI scan failure for SSL Certificate with Wrong Hostname?

A client had a PCI scan completed by SecurityMetrics, and it now says they failed due to the SSL certificate for the SMTP port 25 (and POP3s/IMAPS) not matching the domain scanned. Specifically: Description: SSL Certificate with Wrong Hostname…
Rob Mangiafico
1 vote, 1 answer

Why would a PCI scan fail because of components that are not even installed?

Recently a PCI scan was run against a web server and the result was a failure. Some of the issues could be fixed, however others simply make no sense to me. The machine was a clean install, there are only two things running, the .NET 3.5 website and…
Brandon
1 vote, 1 answer

Fix CVE-2009-0796 Ubuntu Hardy

I have a server running Ubuntu 8.04 which is currently PCI-DSS compliant. The latest security scan has brought up issue CVE-2009-0796 This requires installing a version of libapache2-mod-perl2 (2.0.4-6ubuntu1) that is not available in the ubuntu…
1 vote, 1 answer

Way to speed up load-balanced ssl using nginx?

So the setup for our website is 4 nodes running rails 3 and nginx 1 that all use the same GoDaddy certificate. Because we are a paid site, we have to maintain PCI-DSS compliance and thus have to use the more expensive SSL ciphers -- also we force…
1 vote, 1 answer

Failed PCI compliance - 403 (Forbidden)

Due to a recent upgrade in the scanning done by our PCI compliance testers, we recently failed a PCI, and the suggested solution is as follows: Configure the HTTP server to specify the same error documents for both 403 (Forbidden) and 404 (Page…
1 vote, 2 answers

How do I get an OS X 10.5 box PCI compliant when the OS X 10.5.7 PHP and Kerberos versions are considered 'Vulnerabilities'

I have just upgraded a server to the latest OS X version 10.5.7 and my compliance scan tells me that these OS-installed components are causing vulnerabilities. I can't see where I can download higher versions or even if they exist! Kerberos 5 is…
Neil Enock
1 vote, 1 answer

Force screensaver lockout for multiple users on one Windows 7 PC

We have a single PC that requires the following accounts: 2x Admin accounts for each named responsible administrator (That's me and my boss). The accounts have to be associated with our names for security logging as per the company policy. Nx User…
One Monkey
1 vote, 1 answer

Failed PCI Compliance - Port: 21 Protocol: tcp | Summary : attempts some buffer overflows

We have had PCI compliance for about 4 months straight then all of a sudden this comes up: Fail Serious Port: 21 Protocol: tcp Summary : attempts some buffer overflows CVSS Base Score : 10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C) CVSS Temporal Score :…
Darren
1 vote, 2 answers

Designing a Security Policy - Need Examples

We're creating a Security Policy for our company. I'm looking for examples I can use as a boilerplate for ours. Thanks
I.T. Support
1 vote, 1 answer

IIS 6.0 PCI Compliance - "Information Disclosure Vulnerability"

We're trying to pass PCI compliance on a few of our websites. After an outside scan, we still have this vulnerability: Synopsis : The remote web server is affected by an information disclosure vulnerability. Description : The remote host appears to…
I.T. Support
1 vote, 1 answer

Web server leaks a private IP address through its HTTP headers. How to fix?

I've already located this question on server fault: Server Fault Question But there is no answer. Does anyone have any advice on how to fix the issue? We're running 2003 Server R2 Ent, latest service pack is applied, IIS 6.0 Here's what the…
I.T. Support
1 vote, 2 answers

PCI-DSS check failing on 'IP Address in HTTP Headers' in IIS 7.0?

My client is having their website validated in order to accept card payments on the site, and one of the failures is that we are leaking the internal IP address, yet we are using IIS 7.0 which I thought didn't do that. I've checked the headers…
Mantorok
1 vote, 2 answers

Anyone know where I can download a copy of Sun Java System Active Server Pages 4.0.3 for Solaris

I've contacted Sun regarding this and they have told me that the download is no longer available as Active Server Pages 4.0.3 is now End Of Life. We need to upgrade our server to 4.0.3 to achieve PCI-DSS compliance. Anyone know of a site where I can…
ewengcameron