
Re: PCI-DSS compliant installation guide for latest Debian



Hi,

2015-09-10 12:00 GMT+02:00 Eero Volotinen <eero.volotinen@iki.fi>:
Well, that is simply not true.

PCI DSS requires you to comply with all requirements. See: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf

PCI DSS said this:

Network segmentation of, or isolating (segmenting), the cardholder data environment from the remainder of an entity’s network is not a PCI DSS requirement. However, it is strongly recommended as a method that may reduce:
 - The scope of the PCI DSS assessment
 - The cost of the PCI DSS assessment
 - The cost and difficulty of implementing and maintaining PCI DSS controls
 - The risk to an organization (reduced by consolidating cardholder data into fewer, more controlled locations)

Without adequate network segmentation (sometimes called a "flat network") the entire network is in scope of the PCI DSS assessment. Network segmentation can be achieved through a number of physical or logical means, such as properly configured internal network firewalls, routers with strong access control lists, or other technologies that restrict access to a particular segment of a network. To be considered out of scope for PCI DSS, a system component must be properly isolated!

For example, requirement 6.6 requires a WAF (on public-facing web applications).

Put simply, you also need OS hardening, not just security updates. If you process a lot of data, then an onsite PCI QSA assessment is also required every year, as well as yearly penetration testing and external and internal scanning.

In France (I don't know about other countries) a PCI-DSS certified company comes to your office and scans the relevant part of your network after the audit.

BTW, just remember you are holding really sensitive information. And the best way to reduce security flaws is to disallow network access.

Cheers,
 

Eero

2015-09-10 12:48 GMT+03:00 claude juif <claude.juif@gmail.com>:
Hi,

If your server is directly connected to the Internet, you will fail PCI-DSS compliance. You need at least to put a proxy between the Internet and your server.

IMO, the best way to accomplish this is to hold credit card data on a separate server (this server will only store data, nothing more), not connected to the Internet (no route to the Internet gateway).

Credit Card Server <--> Intermediate API server to retrieve Credit Card data in a safe way <--> Webserver

This way, only the intermediate server is allowed to access credit card data. The credit card server and the intermediate server do NOT have access to the Internet. Obviously the credit card server and the intermediate server should communicate on a private LAN. The only point here is how you authenticate the Webserver with the intermediate server. You have plenty of solutions.

For the Debian part, following the security updates is enough for PCI DSS.

Cheers,
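A concrete way to enforce the "no route to the Internet gateway, only the intermediate server may reach the card data server" part of this design on a Debian host is a host firewall ruleset; the one below is an added example, not from any poster in this thread. It assumes nftables (Debian's default firewall front end since Debian 10), a PostgreSQL data store on port 5432, and hypothetical private LAN addresses 10.10.20.5 for the intermediate API server, 10.10.30.2 for an admin jump host and 10.10.40.9 for a syslog collector.

```nft
#!/usr/sbin/nft -f
# Host firewall for the credit card data server (hypothetical addresses, adjust to your LAN).
# Load with: nft -f /etc/nftables.conf ; persist with: systemctl enable nftables
flush ruleset

define API_GW  = 10.10.20.5   # intermediate API server, the only client of the data store
define JUMP    = 10.10.30.2   # admin jump host on the private LAN
define SYSLOG  = 10.10.40.9   # central log collector, so logs leave the box (PCI DSS req. 10)
define DB_PORT = 5432         # data store port (PostgreSQL assumed)

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state invalid drop
        ct state established,related accept
        # only the intermediate server may open a connection to the data store
        ip saddr $API_GW tcp dport $DB_PORT ct state new accept
        # administration only from the jump host
        ip saddr $JUMP tcp dport 22 ct state new accept
        # everything else (including any other LAN host) is logged and dropped
        log prefix "cde-input-drop: " drop
    }
    chain forward {
        # this host never routes traffic for anyone
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        ct state established,related accept
        # ship logs to the collector; add internal NTP / package mirror the same way if needed
        ip daddr $SYSLOG udp dport 514 accept
        # no other outbound traffic, so there is no path to the Internet even if a route existed
        log prefix "cde-output-drop: " drop
    }
}
```

Pair this with a static network configuration that carries no default route (no `gateway` line for that interface in /etc/network/interfaces), and verify from another LAN host that connection attempts outside the allowed flows are refused before relying on it.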
 

2015-09-09 8:31 GMT+02:00 Lovrenco Vladislavic <lovrenco.vladislavic@outlook.com>:
Hello,

Can you provide me with a tutorial for the latest Debian installation which will achieve full compatibility with the latest PCI-DSS security standard:

We need to host code for Credit Card data transfer (interface) on it, and the server will be audited by an online robot for security issues.

It would speed up the process if there were a concrete tutorial about setting up the correct services on a new Debian installation.

Thank you in advance,

---
Lovrenco Vladislavic



