
Re: PCI compliance



On 2014-Jan-11 10:45, Scott Ferguson wrote:
> On 11/01/14 03:46, Veljko wrote:
> > Hello,
> > 
> > Does anyone here operate servers that have to meet PCI standards?
> 
> 
> Level 4s (isolated payment solutions)
> 
> This is possibly not the best list to ask on....
> 
> > Do you have
> > any problems with Debian?
> 
> No.
> 
> > I know that Moneris Solutions and Trustkeeper are
> > scanning for version numbers so if you're running some old Apache version for
> > example, you need to track down every vulnerability (CVE) and to prove that
> > particular CentOS/RedHat version is patched.
> 
> That's what the ASV is supposed to do; if you do the SAQ first (as
> PCISSC requires) the scan shouldn't result in surprises.
> 
> I have no experience with either of those companies. I don't run
> out-of-date un-patched software. Either Debian stable or, mostly,
> old-stable (Squeeze).

I also don't run out-of-date software. I was just curious if you had problems
because you run old, but patched, versions rather than the latest one. That
answered my question.
 
> I have little recent experience with CentOS/RedHat so I can't speculate
> on parallels.

Well, it's the same, I guess. They too use old stable software patched in
response to new vulnerabilities.

> > What is your experience with this?
> 
> 
> That's a *very* broad subject.
> 
> Speak to the bank before choosing your ASV and payment solution.
> 
> Start with client and company data, then the network and OS (plural),
> after that the firewall. You'll find that apache is the very last thing
> you need to worry about.

For a while I maintained a website that accepted payments. There I had some
problems with older versions of Apache, PHP and OpenSSL. The network scanning
company soon accepted my appeals, but the fact that I had to track down all
those CVEs proves that there was something wrong with their process. But, to
be honest, I didn't fill in the SAQ; it was done before I took over maintenance,
so that could be the source of the problem.

> Anything above a 4 and you should consider using specialists or
> outsourcing components (firewall, backups, and *especially*, mail) -
> look at Debian.org consultants list. Try CERT people if you can't find
> an experienced debian consultant. Compliance can be costly and time
> consuming so if you only want a Level 4 using a provider instead might
> be worthwhile unless you control (or outsource) *every* part of the
> chain *and* the client/business makes it profitable.
> 
> Subscribe to the security-announce mailing list:-
> http://lists.debian.org/debian-security-announce/
> 
> There's also a feed:-
> http://www.debian.org/security/dsa
> 
> (DSA==Debian Security Announcement, compatible with CVEs.)
> 
> Product and advice liability insurance is a good idea if you're
> supplying the service to a client.
> 
> If you don't control the whole data chain and the client thinks a CRM is
> the end-all-and-be-all.... run like hell. Assessment tends to rank
> external access as the greatest risk, in reality it's generally internal.
> 
> Kind regards and good luck


Thanks very much for your thoughts and advice, much appreciated.

Regards,
Veljko
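The "track down every CVE and prove that this version is patched" chore discussed above (an ASV flags an old Apache banner, and the operator has to show that the distribution's backported package already fixes the listed CVEs) is what the following added example automates against a Debian changelog as printed by `apt-get changelog <pkg>`. It is not code from the thread or from Debian; the changelog text, package versions and CVE numbers are constructed placeholders, and the `installed` version is assumed to be what `dpkg-query -W -f='${Version}' apache2` would report.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample in the shape of a Debian changelog (newest entry first).
# Versions, CVE ids (year 2099) and addresses are invented placeholders.
SAMPLE_CHANGELOG = """\
apache2 (2.2.22-13+deb7u99) wheezy-security; urgency=high

  * CVE-2099-0001: example fix carried as a backported patch.
  * CVE-2099-0002: second example fix in the same upload.

 -- Security Team <team@example.invalid>  Sat, 11 Jan 2014 10:00:00 +0100

apache2 (2.2.22-13+deb7u98) wheezy-security; urgency=high

  * Backport fix for CVE-2099-0003.

 -- Security Team <team@example.invalid>  Fri, 10 Jan 2014 10:00:00 +0100

apache2 (2.2.22-13) unstable; urgency=low

  * New upstream release (no security content).

 -- Maintainers <maint@example.invalid>  Thu, 09 Jan 2014 10:00:00 +0100
"""

# Entry header: "<package> (<version>) <suite>; ..." at the start of a line.
ENTRY_RE = re.compile(r"^(\S+) \(([^)]+)\) ", re.MULTILINE)
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

def cves_per_version(changelog: str) -> List[Tuple[str, Set[str]]]:
    """Return [(version, {CVE ids mentioned in that entry}), ...], newest first."""
    heads = list(ENTRY_RE.finditer(changelog))
    out = []
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(changelog)
        out.append((h.group(2), set(CVE_RE.findall(changelog[h.end():end]))))
    return out

def fixed_in_installed(changelog: str, installed: str) -> Set[str]:
    """CVEs fixed by the installed version or any older entry (no version math:
    the changelog order itself tells us which uploads the install contains)."""
    entries = cves_per_version(changelog)
    versions = [v for v, _ in entries]
    if installed not in versions:
        raise ValueError(f"version {installed} not found in changelog")
    fixed: Set[str] = set()
    for _, cves in entries[versions.index(installed):]:
        fixed |= cves
    return fixed

def scan_report(changelog: str, installed: str, flagged: List[str]) -> Dict[str, List[str]]:
    """Split the CVEs an ASV flagged into evidence-backed 'patched' and open 'unpatched'."""
    fixed = fixed_in_installed(changelog, installed)
    return {"patched": sorted(set(flagged) & fixed),
            "unpatched": sorted(set(flagged) - fixed)}
```

The `patched` list, together with the matching changelog entries, is the evidence to attach to an appeal; anything left in `unpatched` is a real gap to fix or get a documented exception for.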

