• Get SMTP Port 25 to be PCI compliant

    We're running a PCI compliance scan on our server and it keeps failing on port 25 with this message: SSL Server Supports Weak Encryption nCircle ID: 6174 Port: 25 CVSS Score: 5.8 Not Compliant Description The SSL (Secure Socket Layer) Server supports weak encryption keys, which are defined as...

    ITKE827,895 pointsBadges:
  • PCI scan failure for SSL certificate

    We did a PCI scan for one of our clients and it says they failed due to the SSL certificate, for SMTP Port 25, not matching the domain scanned. Here's what it said: Description: SSL Certificate with Wrong Hostname Synoposis: The SSL certificate for this service is for a different host. Impact: The...

    ITKE827,895 pointsBadges:
  • PCI compliance for Magento that’s running on CentOS

    Over the past few weeks, I've been trying to get PCI compliance through Trustwave's vulnerability scanner. We're using Magento that's running on CentOS. Here's the issue we have: The version of PHP running on this host is prone to a stack-based buffer overflow in the socket_connect function in...

    ITKE827,895 pointsBadges:
  • Cisco router vulnerability in PCI compliance scan

    I recently got a Cisco small business router and our PCI compliance scan flagged it as being vulnerable to a CCS injection/man-in-the-middle. From what I'm looking at, it looks like a OpenSSL vulnerability. I have the latest firmware installed but I can't wait around for Cisco to fix this. Should I...

    ITKE827,895 pointsBadges:
  • OpenSSH upgrade on web server for PCI compliance

    For the past few weeks, we've been trying to upgrade our OpenSSH for PCI compliance reasons on our organization's web server. However, we can't figure out how to do it. Here's what we tried so far: # sudo apt-get install openssh-server openssh-client Reading package lists... Done Building...

    ITKE827,895 pointsBadges:
  • Timeout SSH sessions after inactivity for PCI compliance

    For PCI DSS requirements, if a session is idle for more than 15 minutes, the user will have to re-authenticate to re-activate the terminal or session. So, because of this, we had to deal with SSH sessions that are idling at the bash prompt by enforcing a global $TMOUT of 900. But we realized that...

    ITKE827,895 pointsBadges:
  • CentOS server keeps failing PCI compliance scan

    Our CentOS server continues to fail the PCI compliance scan. Here's what keeps failing: openssl < 0.9.8.o. rpm -q openssl shows: openssl-0.9.8e-12.el5_5.7 Here's the Apache header banner: Server: Apache/1.3.41 (Unix) PHP/5.2.14 mod_psoft_traffic/0.2 mod_ssl/2.8.31 OpenSSL/0.9.8b mod_macro/1.1.2...

    ITKE827,895 pointsBadges:
  • PCI compliance assessment for CentOS

    My department is getting through a PCI compliance assessment of our server that's running CentOS. We're getting several issues but with fixes. Basically, most of them are to update the packages to the latest version. But we ran into a couple of issues along the way and our provider said even though...

    ITKE827,895 pointsBadges:
  • Is there a payment gateway that doesn’t require PCI compliance?

    Recently, I've been looking to use Authorize.NET (CIM and DPM solutions). However, we can't reference a CIM profile in the DPM. Basically, I need to become PCI compliant because this handles credit cards. Here's my question: Is there something similar to Authorize.NET that allows our site to never...

    ITKE827,895 pointsBadges:
  • Apache SSLCipherSuite continues to fail in PCI compliance scan

    We have a Fedora server that's running on Apache to pass a PCI DSS compliance scan by McAfee. Here's what we used for the default SSLCipherSuite and SSLProtocol. SSLProtocol ALL -SSLv2 SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP So it failed because of weak ciphers. We changed it...

    ITKE827,895 pointsBadges:
  • PCI compliance: Disable AUTH on Port 25

    Due to PCI compliance, we have to disable plaintext authentication. We were able to do this through encapsulating communications between our mail server and clients with TLS on port 465. Here's where the problem is: Port 25 has to remain open / unencrypted for us to receive mail, but it shouldn't...

    ITKE827,895 pointsBadges:
  • Should I worry about my POS system terminal for PCI compliance?

    I've been getting into PCI DSS lately (because my organization asked me too). Our company accepts payments using a POS terminal that's connected to the Internet though the office LAN. Our terminal isn't integrated with any payment processing apps, just paper receipts. Should I worry about PCI...

    ITKE827,895 pointsBadges:
  • PCI DSS: Enforce password management for ASP.NET

    I've been working on our PCI DSS assessment. I already know that passwords must be changed every 90 days / different than previous passwords. But I'm not sure if this is for access to the server or to the app we provide to users on the server. If it's the second part, can we enforce this in ASP.NET...

    ITKE827,895 pointsBadges:
  • Desktop application in line with PCI compliance

    We currently have a payment processing client that's running on a desktop. Our operator enters the data and clicks a button (which the app sends the data to the payment gateway through a secure channel). Our app doesn't store sensitive data. It does encrypt and save a user's login information. Is...

    ITKE827,895 pointsBadges:
  • Is there a non-US PCI compliant service that stores credit card info?

    We're working on a website that would allow our users to pay with their credit cards. We're outside of the country so we can't use a normal merchant account (like Braintree). Does anyone happen to know of a credit card service that would allow us to store credit card info and access them through an...

    ITKE827,895 pointsBadges:
  • Storing a shipping address for PCI compliance

    From what I understand, storing a shipping address would be okay for PCI compliance right? Do configuration standards include requirements for a firewall at each Internet connection? Is there a process for approving and testing all external network connections? I'm leaning towards no but I need to...

    ITKE827,895 pointsBadges:
  • Upgrade PHP version in Magento for PCI compliance

    Over the past week, I've been trying to get PCI compliance for our dedicated server, which is a Red Hat Enterprise Linux (and that's running Magento). When we first installed it on the server, the RHEL version that comes with a PHP version which is too old for Magento. But our PCI compliance scan...

    ITKE827,895 pointsBadges:
  • Encrypt SQL Server 2008 database for PCI compliance

    I'm pretty new to PCI compliance and from what I understand I need to secure a person's credit card info, expiration date and the card holder's name. There's not going to be storage of security codes ever. So in my SQL Server 2008 database, I would need to encrypt these 3 columns? Also, do I need...

    ITKE827,895 pointsBadges:
  • How to use payment gateway integration to avoid PCI compliance

    My client has an e-commerce which accepts payments through a payment gateway integration that transfers the control to payment gateways. But it knows that it needs to be PCI compliant for accepting credit card information. Instead, could our client use stripe payment gateway / integration that it...

    ITKE827,895 pointsBadges:
  • Configure Apache settings for PCI compliance

    For the past few weeks, I've been trying to make my server PCI compliant. I need to remove the INode from an Apache ETag header. So I made this change: <Directory "/var/www/html"> Options FollowSymLinks AllowOverride None Order allow,deny Allow from all FileETag MTime Size But now I'm getting...

    ITKE827,895 pointsBadges:

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

To follow this tag...

There was an error processing your information. Please try again later.

Thanks! We'll email you when relevant content is added and updated.

Following