[ic] PCI Compliance

Grant emailgrant at gmail.com
Sun Jun 13 19:48:58 UTC 2010


>> Has anybody had to take any special technical or other steps (outside of
>> firewall, and other basic sys-admin tasks) in order to ensure a "PCI
>> Compliant" Interchange?
>>
>> Thanks
>> Rick
>
> It's not so bad.  I added the following to my apache2 config to fix
> some SSL issues:
>
> SSLProtocol all -SSLv2
> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:-eNULL
>
> - Grant
>
>
> --------------
> Yes, it's very simple. PCI Level 4 compliance will not actually scan the
> application behind the apache, so it's all pretty much securing the OS and
> Apache.
>
> If you decide to go Level 3, 2 or 1, you may then have to provide key URLs
> and the scan would test the forms, related links from page, logins, etc...
> I have not gone this far, as most setups are or with Level4 to connect
> to banking gateways and other secured networks/services.
>
> Note that the levels are determined by the amount of transactions usually,
> and if the site grows to larger amounts then the banking gateways will ask
> for a higher level of compliance. I believe the 1st step is 20K/month? Can't
> remember now, but if you think you may get to that point, I would honestly
> get the compliance done earlier rather than later, it'll buy you time.
>
> Cheers
> Martin H.
> N.E.S.T. Solutions

Good info, thanks Martin.

- Grant
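As an added example (not code from this thread or from Interchange itself), the following Python checker applies the kind of review Grant's two directives invite: it expands an Apache `SSLProtocol` value and walks an OpenSSL cipher string left to right, then reports which weak protocols and cipher classes are still enabled. It runs on the exact `SSLProtocol`/`SSLCipherSuite` lines posted above and on a constructed hardened variant. The weak-class lists, the baseline that also rejects SSLv3 and early TLS (stricter than the SSLv2-only rule of the 2010 thread), and the hardened directive values are this example's own assumptions.

```python
"""Audit Apache mod_ssl directives for settings a PCI scan would flag.

Added example, not from the mailing-list thread. The weak-class lists and
the hardened configuration are this example's assumptions.
"""
import re

# Protocol names mod_ssl accepts (assumption: covers Apache 2.2 through 2.4).
KNOWN_PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
# Baseline assumed here: all SSL versions and early TLS count as weak.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# OpenSSL cipher-string classes this checker treats as weak. This is a
# class-level heuristic; it does not resolve individual suites the way
# `openssl ciphers -v` does.
WEAK_CIPHER_CLASSES = {"SSLv2", "RC4", "MEDIUM", "LOW", "EXP", "ADH", "eNULL"}
# Aliases that expand to many classes (in OpenSSL, ALL excludes eNULL and
# DEFAULT additionally excludes anonymous DH).
BROAD_ALIASES = {
    "ALL": WEAK_CIPHER_CLASSES - {"eNULL"},
    "DEFAULT": WEAK_CIPHER_CLASSES - {"eNULL", "ADH"},
    "COMPLEMENTOFALL": {"eNULL"},
}

DIRECTIVE_RE = re.compile(r"^\s*(SSLProtocol|SSLCipherSuite)\s+(.+?)\s*$", re.I | re.M)


def enabled_protocols(value):
    """Expand an SSLProtocol value ('all -SSLv2', '-all +TLSv1.2') into the
    set of protocols it leaves enabled. 'all' is read as every known
    protocol, the conservative reading across Apache/OpenSSL versions."""
    enabled = set()
    for tok in value.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = KNOWN_PROTOCOLS if name.lower() == "all" else [name]
        if sign == "+":
            enabled.update(names)
        else:
            enabled.difference_update(names)
    return enabled


def enabled_weak_cipher_classes(cipher_string):
    """Walk an OpenSSL cipher string and return the weak classes still
    enabled at the end. '!' removes permanently, '-' removes but a later
    bare token may re-add, '+' only reorders, and 'A+B' touches both A and B."""
    enabled, banned = set(), set()
    for tok in cipher_string.split(":"):
        if not tok:
            continue
        prefix = tok[0] if tok[0] in "!-+" else ""
        classes = set()
        for part in tok[len(prefix):].split("+"):
            classes |= BROAD_ALIASES.get(part.upper(), {part})
        if prefix == "!":
            banned |= classes
            enabled -= classes
        elif prefix == "-":
            enabled -= classes
        elif prefix == "":
            enabled |= classes - banned
        # prefix "+" reorders already-enabled ciphers and adds nothing
    return enabled & WEAK_CIPHER_CLASSES


def audit(config_text):
    """Report weak protocols and weak cipher classes an Apache config fragment
    leaves enabled; a directive that is absent is reported as missing."""
    seen = {m.group(1).lower(): m.group(2) for m in DIRECTIVE_RE.finditer(config_text)}
    findings = {"weak_protocols": set(), "weak_cipher_classes": set(), "missing": []}
    if "sslprotocol" in seen:
        findings["weak_protocols"] = enabled_protocols(seen["sslprotocol"]) & WEAK_PROTOCOLS
    else:
        findings["missing"].append("SSLProtocol")
    if "sslciphersuite" in seen:
        findings["weak_cipher_classes"] = enabled_weak_cipher_classes(seen["sslciphersuite"])
    else:
        findings["missing"].append("SSLCipherSuite")
    return findings


# The two directives quoted in the thread (Apache 2.2 era), as posted.
THREAD_CONFIG = """
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:-eNULL
"""

# Constructed hardened variant (assumption, not from the thread): an explicit
# protocol allow-list and HIGH-only ciphers with weak classes banned via '!'.
HARDENED_CONFIG = """
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite HIGH:!ADH:!RC4:!MEDIUM:!LOW:!EXP:!eNULL
"""

if __name__ == "__main__":
    for label, cfg in (("thread", THREAD_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg))
```

On the posted directives the checker flags SSLv3 and early TLS as still enabled (the posted line only removes SSLv2) and reports the RC4 and MEDIUM cipher classes, since `ALL` admits them and `RC4+RSA` re-adds RC4 explicitly; the `-` prefixes only demote classes that a later token could re-enable, which is why the hardened variant uses `!`. Because this is a class-level approximation, confirm the actual suite list with `openssl ciphers -v '<your string>'` before trusting it for a scan.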
