
Re: PCI compliance



On 12/01/14 20:00, Veljko wrote:
> On 2014-Jan-11 10:45, Scott Ferguson wrote:
>> On 11/01/14 03:46, Veljko wrote:
>>> Hello,
>>>
>>> Does anyone here operate servers that have to meet PCI standards?
>>
>>

<snipped>

>  
>> I have little recent experience with CentOS/RedHat so I can't speculate
>> on parallels.
> 
> Well, it's the same, I guess. They too use old stable software patched to
> answer to new vulnerabilities.

I don't know the RedHat philosophy, but Debian will not hide
vulnerabilities - even for a minute - and they also tend to patch very
fast. Those are the main reasons Debian dominates the top end of server
usage (IMO).

<snipped>
>>
>> Start with client and company data, then the network and OS (plural),
>> after that the firewall. You'll find that apache is the very last thing
>> you need to worry about.
> 
> I maintained for a while some website that accepted payments. There I had some
> problems with older versions of Apache, PHP and openssl. The network scanning
> company soon accepted my appeals, but the fact that I had to track down all
> those CVEs proves that there was something wrong with their process. But, to
> be honest, I didn't fill the SAQ; it was done before I took over maintenance,
> so that could be the source of the problem.

Most likely, even if the SAQ was properly done, the system has changed.
If there is no change control, or it's not properly enforced (only
change if the reason is compelling *and* it's been tested), or if
security is something that relies upon people following rules rather
than being enforced by the system.... then you're probably dealing with
a typical client. Not a position I'd envy being in.

Sometimes the client needs to understand that the potential impact of a
breach is of greater importance than the perceived risk.

*cough*Kmart*cough*

<snipped>

Take care
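Added example, not from this thread and not Debian's own tooling: a small script that does the "tracking down of CVEs" described above in a repeatable way, by reading a package's Debian changelog (the file a security team's backport entry lands in) and checking whether a scanner's version-based finding is already recorded as fixed at or below the installed version. The package name, versions and CVE ids in the sample changelog are constructed placeholders, not real advisories; on a real system the input would come from /usr/share/doc/<pkg>/changelog.Debian.gz.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in Debian changelog format. Package name, versions,
# dates and CVE ids are placeholders invented for this example, not real
# advisories; a real file lives at /usr/share/doc/<pkg>/changelog.Debian.gz.
SAMPLE_CHANGELOG = """\
examplepkg (1.0-1+deb7u2) wheezy-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * CVE-2013-0003: placeholder id for a backported fix.

 -- Example Maintainer <maint@example.invalid>  Mon, 13 Jan 2014 10:00:00 +0000

examplepkg (1.0-1+deb7u1) wheezy-security; urgency=high

  * Backport upstream fixes for CVE-2013-0001 and CVE-2013-0002
    (placeholder ids).

 -- Example Maintainer <maint@example.invalid>  Wed, 04 Dec 2013 10:00:00 +0000

examplepkg (1.0-1) wheezy; urgency=low

  * Initial upload (placeholder entry).

 -- Example Maintainer <maint@example.invalid>  Sun, 10 Mar 2013 10:00:00 +0000
"""

# First line of each changelog entry: "<package> (<version>) <distribution>; ..."
HEADER_RE = re.compile(r"^(?P<pkg>\S+) \((?P<version>[^)]+)\) (?P<dist>\S+);")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,7}")


@dataclass
class Entry:
    package: str
    version: str
    distribution: str
    cves: set = field(default_factory=set)


def parse_changelog(text):
    """Split a Debian changelog into entries, newest first as in the file,
    collecting every CVE id mentioned in each entry's body."""
    entries = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            entries.append(Entry(m["pkg"], m["version"], m["dist"]))
        elif entries:
            entries[-1].cves.update(CVE_RE.findall(line))
    return entries


def cves_fixed_by(entries, installed_version):
    """CVE ids recorded in the installed version's entry and every older one.
    Relies on the file's newest-first ordering instead of re-implementing
    dpkg version comparison; an unknown version is an error, not 'fixed'."""
    versions = [e.version for e in entries]
    if installed_version not in versions:
        raise ValueError(f"{installed_version} not found in changelog")
    fixed = set()
    for e in entries[versions.index(installed_version):]:
        fixed |= e.cves
    return fixed


def triage_finding(entries, installed_version, cve):
    """Classify one scanner finding for the installed package version:
    'fixed-by-backport' if the changelog records the CVE at or below that
    version, otherwise 'open' (still needs real attention)."""
    if cve in cves_fixed_by(entries, installed_version):
        return "fixed-by-backport"
    return "open"


if __name__ == "__main__":
    entries = parse_changelog(SAMPLE_CHANGELOG)
    for cve in ("CVE-2013-0001", "CVE-2013-0003"):
        print(cve, triage_finding(entries, "1.0-1+deb7u1", cve))
```

A changelog mention is evidence to hand the scanning company, not proof on its own: an entry can also mention a CVE to say the package is not affected, so cross-check anything marked fixed-by-backport against the distribution's security tracker before appealing the finding, and treat every "open" result as a real gap until shown otherwise.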
