Well, that is not simply true.PCI DSS requires to comply all requirements. See: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf
For example requirement 6.6 requires WAF (on public facing web applications).In simple way, you need also hardening on os or, not just security update. If you process lot of data then onsite PCI QSA assesment is also required every year and also yearly penetration testing and external & internal scanning.
Eero2015-09-10 12:48 GMT+03:00 claude juif <firstname.lastname@example.org>:Hi,If your server is directly connected to Internet, you will fail PCI-DSS compliance. You need at least to put a proxy between internet and your server.IMO, the best way to accomplish this, is to hold credit card data on a separate server (this server will only store data, not more), not connected to internet (no route to internet gateway).Server <--> Intermediate API server to retrieve Credit card data in a safe way <--> WebserverCredit CardThis way, only the intermediate server is allowed to acces credit card data. Credit card server and intermediate server do NOT have access to internet. Obviously Credit Card server and intermediate server should communicate on a private LAN. The only point here, is how you authenticate Webserver with intermediate server. You have plenty of solutions.For the debian part, following the security update is enough for PCI DSS.Cheers,2015-09-09 8:31 GMT+02:00 Lovrenco Vladislavic <email@example.com>:Hello,
Can you provide me with some tutorial for latest Debian installation which will achieve full compatibility with latest PCI-DSS security standard:We need to host code for Credit Card data transfer (interface) on it, and server will be audited by online robot for security issues.It would speed up the process if there is some concrete tutorial about setting up correct services on new Debian installation.Thank you in advance,