Questions tagged [pci-dss]

The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide security standard that was formed with the support of credit card companies to align their security standards.

155 questions
2448
votes
31 answers

Our security auditor is an idiot. How do I give him the information he wants?

A security auditor for our servers has demanded the following within two weeks: a list of current usernames and plain-text passwords for all user accounts on all servers; a list of all password changes for the past six months, again in plain-text; a…
Smudge
  • 24,039
  • 15
  • 57
  • 76
54
votes
8 answers

How can I disable TLS 1.0 and 1.1 in apache?

Does anyone know why I can't disable TLS 1.0 and TLS 1.1 by updating the config to this: SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 After doing this, I reload Apache. I do an SSL scan using SSL Labs or the Comodo SSL tool, and it still says TLS 1.1…
David
  • 653
  • 2
  • 6
  • 8
53
votes
9 answers

How do I disable TLS 1.0 without breaking RDP?

Our credit card processor recently notified us that as of June 30, 2016 we will need to disable TLS 1.0 to remain PCI compliant. I tried to be proactive by disabling TLS 1.0 on our Windows Server 2008 R2 machine, only to find that immediately after…
Mike
  • 1,261
  • 5
  • 18
  • 31
42
votes
10 answers

Run antivirus software on linux DNS servers. Does it make sense?

During a recent audit we were requested to install antivirus software on our DNS servers that are running Linux (bind9). The servers were not compromised during the penetration testing, but this was one of the recommendations given. Usually Linux…
John Dimitriou
  • 523
  • 4
  • 5
29
votes
3 answers

Disable TLS 1.0 in NGINX

I have an NGINX instance acting as a reverse proxy for our sites, and it is working very well. For the sites that need SSL I followed raymii.org to make sure to have as strong an SSLLabs score as possible. One of the sites needs to be PCI DSS compliant but…
Shawn C.
  • 393
  • 1
  • 4
  • 7
14
votes
1 answer

Domain Administrators account policy (After PCI audit)

One of our clients is a Tier 1 PCI company, and their auditors have made a suggestion with regards to us as System Administrators and our access rights. We administer their entirely Windows based infrastructure of roughly 700 Desktops/80 servers/10…
Patrick
  • 1,250
  • 1
  • 15
  • 35
12
votes
2 answers

How to Isolate PCI Compliance

We currently process, but do not store, credit card data. We authorize the cards via a self-developed application using the authorize.net API. If possible, we would like to limit all requirements of PCI that affect our servers (such as installing…
Kyle Brandt
  • 82,107
  • 71
  • 302
  • 444
9
votes
5 answers

How to check that a known Windows Vulnerability has been patched?

Is there a way in Windows to check that, say, Security Bulletin MS**-*** or CVE-****-***** has been patched? e.g. something akin to RedHat's rpm -q --changelog. Windows 2008 R2 SP1
frogstarr78
  • 475
  • 7
  • 17
9
votes
1 answer

Has anyone achieved Level 1 PCI compliance on AWS?

All the FAQs, documents and statements published by AWS aside, did any Level 1 merchant actually achieve PCI compliance on AWS yet? We're evaluating moving some of our services to EC2/VPC, but our auditor is saying that AWS hadn't been cooperative…
8
votes
4 answers

How to Disable SSLv2 for Apache httpd

I just tested my site on https://www.ssllabs.com/ and it said SSLv2 is insecure and I should disable that along with weak cipher suites. How can I disable that? I tried the following but it isn't working. Went to /etc/httpd/conf.d/ssl.conf by FTP.…
Yahoo
  • 141
  • 1
  • 1
  • 6
8
votes
4 answers

Does the use of a POS terminal mean I need PCI DSS compliance?

I've read a lot about PCI DSS and its requirements, but I'm unclear on what exactly determines whether an organization needs to worry about PCI DSS compliance. We accept payments using a basic HiSpeed 6200 POS terminal which is connected to the…
Nic
  • 13,025
  • 16
  • 59
  • 102
8
votes
5 answers

Do we have to be PCI compliant to store Social Security Numbers in our hosted database?

Do we have to be PCI compliant to store Social Security Numbers in our hosted database? We are hosting a CRM database for nonprofits in South Carolina.
Jamey McElveen
  • 183
  • 1
  • 1
  • 7
7
votes
1 answer

PCI-DSS: Virtualization segmentation in ESXi environment

I have already asked this question over on Information Security but so far it has not garnered any comments. I am thinking perhaps it is more of a server infrastructure and configuration question, rather than a security question per se. Therefore I…
chazjn
  • 215
  • 1
  • 6
7
votes
1 answer

PSTools psexec and PCI

I am just wondering if anyone knows of any reason why using psexec would cause the failure of a PCI DSS audit. I have never been able to find information, though I have always been told that it can't be used by administrators on anything in the CDE,…
89okl
  • 73
  • 2
7
votes
4 answers

Disable SMTP AUTH on Port 25

Due to PCI-DSS, we are required to disable plaintext authentication. We've achieved this by encapsulating communications between our mail server and clients with TLS on port 465. The problem lies in that port 25 must remain open and unencrypted for…
mossymaker
  • 103
  • 1
  • 2
  • 6