Questions tagged [pci-dss]

The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide security standard that was formed with the support of credit card companies to align their security standards.

155 questions
0 votes, 2 answers

Mod-Pagespeed dropping headers

I'm using 1.6.29.7-3343 for CSS and images with Apache 2.2.15 (Unix) on RHEL 6. My pagespeed.conf config is here: https://gist.github.com/jhirbour/a66b0efe58c8d109b90e As part of our PCI, our compliance company says we're supposed to add the…
0 votes, 1 answer

Computers in-scope for PCI DSS

I am trying to determine which servers, workstations, etc. are in scope for PCI compliance. PCI DSS SAQ-D states that any devices that "store, process or transmit cardholder data" are in scope. So how about computers used by an accounting…
Jim Balo
0 votes, 3 answers

Track any file changes using auditd

I am trying to configure for PCI REQ 10.5.5 ("Use file integrity monitoring or change detection software on logs"). I use auditd for this; the rule "auditctl -w /tmp/testfile -p war" works perfectly. But if I try to use stdout redirection to the file, like "echo "hi" >>…
Asazio
0 votes, 1 answer

Untrusted SSL certificates on CentOS VPS

I'm currently in the process of becoming PCI compliant and I have 6 warnings remaining. The one I'm particularly struggling with is "SSL Certificate Cannot Be Trusted IMAP (143/TCP)". I'm using Postfix/Courier-Imap on CentOS 6.5 and I have an SSL…
Sean King
0 votes, 1 answer

PCI compliance and SSL certificates on a CentOS VPS

Looking for a bit of advice, please. We've been battling with a PCI compliance project for the last couple of days and we've managed to eliminate most of the security warnings. What we're left with now is mainly untrusted SSL certificates on pop3, smtp…
Sean King
0 votes, 1 answer

PHP and PCI Compliance

I have a web server that needs to pass a PCI compliance scan by ControlScan. Everything is good except for a scan they did of the PHP version. I believe I have the latest version that CentOS provides. Here's what they had to say: THREAT…
BlkStormy
0 votes, 2 answers

Ubuntu CVE-2013-1635 PCI DSS

I'm trying to get PCI compliant and the PCI scanning company is flagging our Ubuntu 12.04.3 (PHP 5.3.10-1ubuntu3.8) for CVE-2013-1635 [1] which says "we do not support the use of open_basedir". What exactly is meant by that? I still see references…
JSP
0 votes, 1 answer

Remote MySQL PCI Compliance

Using Stripe to process credit card payments and storing client payments and information in a MySQL database. Only storing the ID of the transaction and the client ID. Stripe takes on the majority of the PCI compliance issues. Currently we are…
Travis Stoll
0 votes, 1 answer

Is using SSH keys PCI compliant?

From a PCI DSS point of view, is using SSH keys for passwordless authentication secure enough? TIA, Vitaly
0 votes, 2 answers

How to determine SSL Cipher strength

I have updated my ssl.conf file in my Apache2 configuration to use the following: "SSLProtocol all -SSLv2" and "SSLCipherSuite HIGH:MEDIUM:!ADH". However, the PCI scan seems to detect that WEAK and MEDIUM ciphers are still enabled. However, I…
Alex
0 votes, 1 answer

PCI Compliance Network Scan Issue - HTTP response code was an expected 401

We take credit cards over an internet-connected computer, and we have to pass a PCI compliance network scan. When I run the network scan, I get the following error. How can I fix this error? Any help appreciated. Running vulnerable HTTP service. HTTP…
0 votes, 2 answers

IIS log management

Is it possible to prevent IIS from logging a specified type of data (i.e. credit card data)? I mean, can I say to IIS: if a credit card number is searched, do not log this, or do not log the whole credit card number (mask it)? Or is it possible to encrypt IIS…
Barny
0 votes, 1 answer

PCI Compliance Apache Shiro fail

On a CentOS LAMP box, a PCI compliance scan is failing on: Apache Shiro URI Path Security Traversal Information Disclosure http/80 As far as I can tell the server doesn't have Shiro installed, unless it's built in to Apache. I can't find any trace…
ServerBloke
0 votes, 1 answer

PCI Compliance SSL Certificate Cannot Be Trusted fail

The server is a CentOS box with the default LAMP stack running. A PCI scan lists this as a fail: SSL Certificate Cannot Be Trusted https (443/tcp) Severity: Medium Notes: none We don't actually have an SSL cert, nor do we attempt to use SSL on…
ServerBloke
0 votes, 3 answers

PCI Scan failed on a VPS

I'm new to PCI. We just paid for the Trustkeeper PCI Scan and here are some of the results (just the vulnerability names): DB Accessibility; SSLv2 Supported; a lot of BIND (patches) related vulnerabilities; a lot of OpenSSL (patches) related…
Shaz