Re: PCI compliance
On 2014-Jan-11 10:45, Scott Ferguson wrote:
> On 11/01/14 03:46, Veljko wrote:
> > Hello,
> >
> > Does anyone here operate servers that have to meet PCI standards?
>
>
> Level 4s (isolated payment solutions)
>
> This is possibly not the best list to ask on....
>
> > Do you have
> > any problems with Debian?
>
> No.
>
> > I know that Moneris Solutions and Trustkeeper are
> > scanning for version numbers so if you're running some old Apache version for
> > example, you need to track down every vulnerability (CVE) and to prove that
> > particular CentOS/RedHat version is patched.
>
> That's what the ASV is supposed to do, if you do the SAQ first (as
> PCISSC requires) the scan shouldn't result in surprises.
>
> I have no experience with either of those companies. I don't run
> out-of-date un-patched software. Either Debian stable or, mostly,
> old-stable (Squeeze).
I also don't run out-of-date software. I was just curious whether you had
problems because you run an old, but patched, version rather than the latest
one. That answered my question.
> I have little recent experience with CentOS/RedHat so I can't speculate
> on parallels.
Well, it's the same, I guess. They too use old stable software, patched to
address new vulnerabilities.
> > What is your experience with this?
>
>
> That's a *very* broad subject.
>
> Speak to the bank before choosing your ASV and payment solution.
>
> Start with client and company data, then the network and OS (plural),
> after that the firewall. You'll find that apache is the very last thing
> you need to worry about.
For a while I maintained a website that accepted payments. There I had some
problems with older versions of Apache, PHP and OpenSSL. The network scanning
company soon accepted my appeals, but the fact that I had to track down all
those CVEs proves that there was something wrong with their process. But, to
be honest, I didn't fill in the SAQ; it was done before I took over
maintenance, so that could be the source of the problem.
> Anything above a 4 and you should consider using specialists or
> outsourcing components (firewall, backups, and *especially*, mail) -
> look at Debian.org consultants list. Try CERT people if you can't find
> an experienced debian consultant. Compliance can be costly and time
> consuming so if you only want a Level 4 using a provider instead might
> be worthwhile unless you control (or outsource) *every* part of the
> chain *and* the client/business makes it profitable.
>
> Subscribe to the security-announce mailing list:-
> http://lists.debian.org/debian-security-announce/
>
> There's also a feed:-
> http://www.debian.org/security/dsa
>
> (DSA==Debian Security Announcement, compatible with CVEs.)
>
> Product and advice liability insurance is a good idea if you're
> supplying the service to a client.
>
> If you don't control the whole data chain and the client thinks a CRM is
> the end-all-and-be-all.... run like hell. Assessment tends to rank
> external access as the greatest risk, in reality it's generally internal.
>
> Kind regards and good luck
Thanks very much for your thoughts and advice, much appreciated.
Regards,
Veljko
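The recurring point in this thread is that version-number scanners flag a backported Debian or RHEL package as "old" and you then have to show, CVE by CVE, that the installed version already carries the fix. The script below is an added example and is not code from either poster or from Debian; it reads a Debian changelog (the file that records which CVEs each package revision fixed) and classifies a CVE against the installed version purely by changelog order, which is newest-first, so no Debian version comparison is needed. The changelog text, the package name `examplepkg` and the CVE numbers in it are constructed placeholders and do not refer to real advisories. On a real host the inputs come from `dpkg-query -W -f='${Version}' apache2` and `zcat /usr/share/doc/apache2/changelog.Debian.gz`.

```python
import re
from dataclasses import dataclass

# Constructed sample changelog for a hypothetical package "examplepkg".
# The CVE numbers are placeholders for illustration only and do not refer
# to real advisories. Real input: zcat /usr/share/doc/<pkg>/changelog.Debian.gz
SAMPLE_CHANGELOG = """\
examplepkg (2.2.22-13+deb7u3) wheezy-security; urgency=high

  * Fix CVE-2014-0001: placeholder description of a later fix.

 -- Debian Maintainer <maint@example.org>  Sat, 11 Jan 2014 12:00:00 +0000

examplepkg (2.2.22-13+deb7u1) wheezy-security; urgency=high

  * Backport upstream fixes for CVE-2013-0001 and CVE-2013-0002.
  * Also mention CVE-2013-0001 in the manpage (duplicate mention).

 -- Debian Maintainer <maint@example.org>  Mon, 21 Oct 2013 09:00:00 +0000

examplepkg (2.2.22-13) unstable; urgency=low

  * New upstream release; fixes CVE-2012-0001.

 -- Debian Maintainer <maint@example.org>  Thu, 05 Apr 2012 18:00:00 +0000
"""

# Entry header: "<package> (<version>) <distribution>; urgency=<level>"
HEADER_RE = re.compile(
    r"^(?P<pkg>[a-z0-9][a-z0-9+.-]*) \((?P<ver>[^)]+)\) (?P<dist>\S+); urgency=\S+",
    re.MULTILINE,
)
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


@dataclass(frozen=True)
class Entry:
    version: str
    distribution: str
    cves: frozenset


def parse_changelog(text):
    """Return entries in file order, i.e. newest first (Debian convention)."""
    headers = list(HEADER_RE.finditer(text))
    entries = []
    for i, m in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        body = text[m.end():end]
        entries.append(Entry(m.group("ver"), m.group("dist"), frozenset(CVE_RE.findall(body))))
    return entries


def _installed_index(entries, installed_version):
    versions = [e.version for e in entries]
    if installed_version not in versions:
        raise ValueError(f"installed version {installed_version!r} not found in changelog")
    return versions.index(installed_version)


def cve_status(entries, installed_version, cve):
    """Classify one CVE against the installed version.

    Returns a (status, version) pair:
      ("fixed", v)    the oldest entry naming the CVE is v, which is the
                      installed version or older, so the fix is already in
                      the running package (evidence for an ASV appeal)
      ("upgrade", v)  the CVE is only fixed in v, which is newer than the
                      installed version, so the scanner finding is real
      ("unknown", None) the changelog never mentions it; consult the DSA
                      feed / security tracker before answering the scanner
    Larger list index == older entry, because the file is newest-first.
    """
    idx = _installed_index(entries, installed_version)
    mentions = [pos for pos, e in enumerate(entries) if cve in e.cves]
    if not mentions:
        return ("unknown", None)
    oldest = max(mentions)          # first revision that claimed the fix
    version = entries[oldest].version
    return ("fixed", version) if oldest >= idx else ("upgrade", version)


def fixed_cves(entries, installed_version):
    """Every CVE the changelog records as fixed at or before the installed version."""
    idx = _installed_index(entries, installed_version)
    result = set()
    for e in entries[idx:]:
        result |= e.cves
    return result


def report(changelog_text, installed_version, flagged_cves):
    """Map each CVE a scanner flagged to its status, for the appeal write-up."""
    entries = parse_changelog(changelog_text)
    return {cve: cve_status(entries, installed_version, cve) for cve in flagged_cves}


if __name__ == "__main__":
    installed = "2.2.22-13+deb7u1"
    flagged = ["CVE-2012-0001", "CVE-2013-0001", "CVE-2014-0001", "CVE-2013-9999"]
    for cve, (status, ver) in sorted(report(SAMPLE_CHANGELOG, installed, flagged).items()):
        print(f"{cve}: {status}" + (f" (in {ver})" if ver else ""))
```

The "oldest mention" rule is deliberate: a CVE named again in a later revision usually means a regression or completed fix, so the function reports the first revision that claimed the fix and leaves it to you to read that later entry. Anything the changelog does not mention at all should be checked against the DSA feed linked above rather than assumed unpatched.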