• How to secure CFID for PCI compliance

    For the past few weeks, our PCI scans keep failing because ColdFusion has predictable CFIDs. This is what we get as the failure: Predictable Cookie Session IDs. Our CFID is still predictable and unaffected by any changes in CF Admin. We don't understand why it's a threat but we have to fix it. What...

    ITKE1,050,695 pointsBadges:
  • Apache configuration to become PCI compliant

    For Apache, we need to make sure of PCI compliance by limiting mod_ssl to SSLv3 and TLSv1 (and also ensuring long keys). We've tried the below configuration but combos of the SSLv2 are still valid. SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM Is there a way completely disable the...

    ITKE1,050,695 pointsBadges:
  • Upgrade PHP and Apache versions for PCI compliance

    We're currently running Ubuntu for our LAMP environment. For the past week, we've been trying to become PCI compliant so we can pass CC information into our server. When doing the scans, we keep getting these errors regarding our PHP and Apache versions. The PHP version is about 10 versions less...

    ITKE1,050,695 pointsBadges:
  • PCI compliance for storing SSNs in a hosted database

    Do we have to be PCI compliant when it comes to storing SSNs in our hosted database? We're a nonprofit and it would be hosted in a CRM database. Thank you.

    ITKE1,050,695 pointsBadges:
  • Where to start for developing a payment gateway in PHP

    I'm trying to develop a payment gateway in PHP and I'm not sure where to start (when it comes to best practice for SSL and PCI DSS). Can anyone point me where to start my search? Books or blogs, perhaps?

    ITKE1,050,695 pointsBadges:
  • SSL/TLS cipher suites for PCI compliance

    I have a question when it comes to PCI DSS compliance and SSL/TLS cipher suites. What order / priority should I list the ciphers in? I already know which ones I need to use and disable, but my friend said there's a priority list too. This will be for Windows servers. Thank you.

    ITKE1,050,695 pointsBadges:
  • Would Rails 3.0 be PCI compliant?

    I apologize for the short question but would anyone happen to know if Rails 3.0 would pass a PCI compliance scan? Thanks!

    ITKE1,050,695 pointsBadges:
  • PCI compliance failure: Attempts some buffer overflows

    We were PCI compliant for several months straight and all of a sudden, we got this: Fail Serious Port: 21 Protocol: tcp Summary : attempts some buffer overflows CVSS Base Score : 10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C) CVSS Temporal Score : 8.3 (CVSS2#E:F/RL:OF/RC:C) Public Exploit Available : true...

    ITKE1,050,695 pointsBadges:
  • PCI compliance scan in IIS: Information disclosure vulnerability

    In our PCI compliance scan, we still have this vulnerability in our website: Synopsis : The remote web server is affected by an information disclosure vulnerability. Description : The remote host appears to be running a version of IIS which allows remote users to determine which authentication...

    ITKE1,050,695 pointsBadges:
  • Changes to the audit log for PCI compliance

    For PCI compliance reasons, we had to configure auditd. Because PCI states that existing logs can't get changed without an alert. So we tried doing this: -w /var/log/ -k Logs_Accessed -p rwxa But will the auditctl command work? Thank you for your help.

    ITKE1,050,695 pointsBadges:
  • Wireless analyzer that detects rogue AP’s on the LAN

    We need to fulfill a PCI compliance for our wireless analyzer that would detect the presence of rogue AP's on our internal LAN. What device would do this for us? This is for a Windows environment. Thanks!

    ITKE1,050,695 pointsBadges:
  • Does temporary storage of credit card info meet PCI DSS requirements?

    For our department, we need to make sure that our temporary storage of our user's credit card information meets PCI DSS requirements. We have to make sure that deletion is compliant DoD's security standards. We thought about using MySQL but we're not sure about the reliability. What should we do?

    ITKE1,050,695 pointsBadges:
  • Secure credit card information for PCI compliance

    Does anyone know if there's a company / software that offers to store data (particularly credit card information securely) in exchange for a token? Also, can we view the data by using authentication and providing a token back to them? That should be enough for PCI compliance, right? Thanks!

    ITKE1,050,695 pointsBadges:
  • How to purge database records for PCI compliance

    I have to store some credit card information. To be compliant with PCI DSS, we need to purge the data from our disks by not just deleting the file but writing over the bytes with a random sequence of data (because that would make it harder to recover the data). We would still like to leverage a...

    ITKE1,050,695 pointsBadges:
  • PCI compliance: Recommended encryption key management

    This question is in reference to PCI compliance. Does anyone know of any recommended encryption key management software? Would ezNCrypt be good to use? Thanks so much.

    ITKE1,050,695 pointsBadges:
  • Authenticate database for PCI compliance

    We have a PCI compliant website that connects to a database but doesn't store any users' info. However, it does contain HTML / JavaScript snippets that might get rendered into the payment process. Here's my question: Do we have to authenticate the database to remain PCI compliant? Thanks!

    ITKE1,050,695 pointsBadges:
  • PCI compliance: Password field is present

    We currently have a huge problem with our PCI compliance. According to them, they want us to add http:// on every single page where a password field is present. Here's what my form in index.php looks like: What should we do here?

    ITKE1,050,695 pointsBadges:
  • Remote SMTP server is vulnerable to a buffer overflow – Failed PCI compliance

    Hello everyone, My department tried allowing the scanners IP to be accepted through IPTABLES into our SMTP port, but the scan keeps failing. Here's what we're getting: The remote SMTP server is vulnerable to a buffer overflow The server isn't crashing. We white listed the IP but we're still getting...

    ITKE1,050,695 pointsBadges:
  • What’s the best PCI compliant host?

    Currently, I'm using 1and1 hosting and I've been pretty impressed with the level of support so far (it's easy to use their admin panel). But now, I'm moving into e-commerce. But in order to process any credit cards, using PayPal, we need to be PCI compliant host. What would be the best option for...

    ITKE1,050,695 pointsBadges:
  • PCI compliance fail: SSL certificate cannot be trusted

    Our server is a CentOS box with a LAMP stack running. But we just had a PCI scan list this as a fail: SSL Certificate Cannot Be Trusted https (443/tcp) Severity: Medium Notes: none But we actually don't have a SSL certificate (we don't attempt to use it either). Should we just close port 443....

    ITKE1,050,695 pointsBadges:

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

To follow this tag...

There was an error processing your information. Please try again later.

Thanks! We'll email you when relevant content is added and updated.

Following