[ic] PCI Compliance

Grant emailgrant at gmail.com
Sun Jun 13 19:48:58 UTC 2010

>> Has anybody had to take any special technical or other steps (outside of
>> firewall, and other basic sys-admin tasks) in order to ensure a "PCI
>> Compliant" Interchange?
>> Thanks
>> Rick
> It's not so bad.  I added the following to my apache2 config to fix
> some SSL issues:
> SSLProtocol all -SSLv2
> SSLCipherSuite
> - Grant
> --------------
> Yes, it's very simple. PCI Level4 compliance will not actually scan the
> application behing the apache, so it's all pretty much securing the OS and
> Apache.
> If you decide to go Level 3,2 or 1, you may then have to provide key URL's
> and the scan would test the forms, related links from page, logins, etc...
> I have not gone this far, as most setups are or with Level4 to connect
> to banking gateways and other secured networks/services.
> Note that the levels are determined by the amount of transactions usually,
> and if the site grows to larger amounts then the banking gateways will ask
> for a higher level of compliance. I believe the 1st step is 20K/month? Can't
> remember now, but if you think you may get to that point, I would honnestly
> get the compliance done earlier than late, it'll buy you time.
> Cheers
> Martin H.
> N.E.S.T. Solutions

Good info, thanks Martin.

- Grant

More information about the interchange-users mailing list