
Re: PCI compliance



On 11/01/14 03:46, Veljko wrote:
> Hello,
> 
> Does anyone here operate servers that have to meet PCI standards?


Level 4s (isolated payment solutions)

This is possibly not the best list to ask on....

> Do you have
> any problems with Debian?

No.

> I know that Moneris Solutions and Trustkeeper are
> scanning for version numbers so if you're running some old Apache version for
> example, you need to track down every vulnerability (CVE) and to prove that
> particular CentOS/RedHat version is patched.

That's what the ASV is supposed to do; if you do the SAQ first (as
PCISSC requires) the scan shouldn't result in surprises.

I have no experience with either of those companies. I don't run
out-of-date unpatched software. Either Debian stable or, mostly,
old-stable (Squeeze).

I have little recent experience with CentOS/RedHat so I can't speculate
on parallels.

> 
> What is your experience with this?


That's a *very* broad subject.

Speak to the bank before choosing your ASV and payment solution.

Start with client and company data, then the network and OS (plural),
after that the firewall. You'll find that Apache is the very last thing
you need to worry about.

Anything above a 4 and you should consider using specialists or
outsourcing components (firewall, backups, and *especially*, mail) -
look at the Debian.org consultants list. Try CERT people if you can't find
an experienced Debian consultant. Compliance can be costly and time
consuming, so if you only want a Level 4, using a provider instead might
be worthwhile unless you control (or outsource) *every* part of the
chain *and* the client/business makes it profitable.

Subscribe to the security-announce mailing list:-
http://lists.debian.org/debian-security-announce/

There's also a feed:-
http://www.debian.org/security/dsa

(DSA==Debian Security Announcement, compatible with CVEs.)

Product and advice liability insurance is a good idea if you're
supplying the service to a client.

If you don't control the whole data chain and the client thinks a CRM is
the end-all-and-be-all.... run like hell. Assessment tends to rank
external access as the greatest risk; in reality it's generally internal.


> 
> Regards,
> Veljko
> 
> 


Kind regards and good luck

