
Does anybody know if Apache Tomcat (latest version) is PCI compliant? If so (or if not), could you please provide me with some links to support the affirmation/negation?

Thanks in advance

Alex K.
Wilmer
  • I think this is a very good guide for making Tomcat compliant: https://benchmarks.cisecurity.org/tools2/apache/CIS_Apache_Tomcat_Benchmark_v1.0.0.pdf – Nick Van Rompuy Mar 14 '14 at 14:33

2 Answers


Tomcat enters the PCI question with respect to vulnerabilities present in a particular version, and where credit card PANs are stored somewhere (whether or not encrypted, this makes no difference) behind a Tomcat-driven interface. If you are using Tomcat to serve up web pages, JSPs or anything else similar across a network, then you are potentially in scope for PCI-DSS.

If you look at the Tomcat website, it will tell you the status of at least versions 6 and 7 with respect to identified vulnerabilities.

Last I heard, for version 6, you needed at least 6.0.35 for compliance. I am not sure which build of version 7 is needed.

Grant

Ummm, it would be whatever you make of it... If you use it to store credit cards in plain text, then it wouldn't. Don't handle credit cards at all and it would be fine. Why do you ask, what's the real question?

Brian Knoblauch
  • Well, the company I used to work for passed a PCI certification, but they had IBM WebSphere, so I don't know if it's OK (according to PCI) to use an open source application server. – Wilmer Mar 02 '12 at 19:47
  • They had WebSphere what? Payment Manager, I guess? I think that solutions/infrastructure can be PCI compliant, not just some piece of software. – Oleg Mikheev Mar 02 '12 at 19:55