[ic] PCI Compliance
Mike Heins
mike at perusion.com
Wed Jul 14 12:01:10 UTC 2010
Quoting Lyn St George (lyn at zolotek.net):
> On Tuesday 13 July 2010 14:47:38 Ky Hisberg wrote:
> > > It's not so bad. I added the following to my apache2 config to fix
> > > some SSL issues:
> > >
> > > SSLProtocol all -SSLv2
> > > SSLCipherSuite
> > > ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:-eNULL
> > >
> > > - Grant
> >
> > Hi Grant,
> >
> > Who did you use for the PCI DSS Compliance testing? My CC Processor forces
> > me to use Trustwave, who supposedly is one if not the biggest. They are a
> > pain to work with.
> >
> >
> > I have used the setup you suggested but they reject it as Non-compliant and
> > will not give any more info. They say they require SSLProtocol -ALL
> > +SSLv3 +TLSv1 Do you see any problems with this. Sorry but I do not trust
> > Trustwave, they keep finding to many things that are just not on my
> > server, or they reject their own suggestions as to weak. I found a
> > independent Website to test for SSLv2 and SSLv3 and they say we no longer
> > use SSLv2 but Trustwave wants more. I certainly do not want to loose
> > customers but it sounds like most new Browsers can handle the SSLv3. Any
> > thoughts?
> >
> > Thank you
> >
> > Kyle
> >
>
> This one passes with Comodo (note that medium is disallowed):
> SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:!MEDIUM:!LOW:+SSLv3:!EXP:!eNULL:!aNULL
You mean those spammers run PCI compliance too? I can't believe
anyone would trust them.
--
Mike Heins
Perusion -- Expert Interchange Consulting http://www.perusion.com/
phone +1.765.328.4479 <mike at perusion.com>
Life is a long lesson in humility. -- James Barrie
More information about the interchange-users
mailing list