[ic] PCI Compliance

NEST @ Yahoo nest_consulting at yahoo.ca
Sun Jun 13 05:43:21 UTC 2010


> Has anybody had to take any special technical or other steps (outside of
> firewall, and other basic sys-admin tasks) in order to ensure a "PCI
> Compliant" Interchange?
>
> Thanks
> Rick

It's not so bad.  I added the following to my apache2 config to fix
some SSL issues:

SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:-eNULL

- Grant


--------------
Yes, it's very simple. PCI Level 4 compliance will not actually scan the
application behind the Apache, so it's all pretty much securing the OS and
Apache.

If you decide to go Level 3, 2 or 1, you may then have to provide key URLs
and the scan would test the forms, related links from page, logins, etc...
I have not gone this far, as most setups are OK with Level 4 to connect
to banking gateways and other secured networks/services.

Note that the levels are determined by the amount of transactions usually,
and if the site grows to larger amounts then the banking gateways will ask
for a higher level of compliance. I believe the 1st step is 20K/month? Can't
remember now, but if you think you may get to that point, I would honestly
get the compliance done earlier than late, it'll buy you time.

Cheers
Martin H.
N.E.S.T. Solutions
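To see exactly what Grant's two Apache directives leave enabled before a PCI scanner tells you, here is a small checker I added for this thread (not code from the thread or from Interchange): it parses an SSLProtocol/SSLCipherSuite fragment, expands "all" with the Apache 2.2-era meaning (an assumption; newer httpd also includes TLSv1.1 through TLSv1.3) and applies OpenSSL's "!" versus "-" cipher-list semantics. ALL_PROTOCOLS, WEAK_CLASSES, THREAD_CONFIG and check() are names chosen here, and THREAD_CONFIG is the posted fragment typed in as sample input.

```python
import re
# Assumption: Apache 2.2-era meaning of "SSLProtocol all"; newer httpd adds TLSv1.1/1.2/1.3.
ALL_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1")
# Cipher classes a PCI scan objects to: (names for the whole class, names for subsets of it).
WEAK_CLASSES = {"null encryption": (("ENULL", "NULL"), ()),
                "anonymous auth": (("ANULL",), ("ADH", "AECDH")),
                "export grade": (("EXP", "EXPORT"), ("EXPORT40", "EXPORT56")),
                "low strength": (("LOW",), ()), "RC4": (("RC4",), ())}
# The two directives from the post above, constructed here as the checker's sample input.
THREAD_CONFIG = """SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:-eNULL
"""
def parse_directives(config_text):
    """Return {directive: value}; joins backslash continuations, drops '#' comments."""
    found = {}
    for line in re.sub(r"\\\n\s*", "", config_text).splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, _, value = line.partition(" ")
            found[name] = value.strip()
    return found

def enabled_protocols(spec, all_protocols=ALL_PROTOCOLS):
    """Evaluate SSLProtocol syntax: 'all' or a bare/'+' name adds, a '-' name removes."""
    enabled = set()
    for tok in spec.split():
        op, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = set(all_protocols) if name.lower() == "all" else {name}
        enabled = enabled - names if op == "-" else enabled | names
    return enabled

def cipher_findings(spec):
    """How SSLCipherSuite treats each weak class: '!X' kills X for the rest of the
    string, '-X' only drops it from the list built so far (a later rule can re-add it)."""
    ops = {}
    for tok in filter(None, (t.strip() for t in spec.split(":"))):
        op, body = (tok[0], tok[1:]) if tok[0] in "!-+" else ("", tok)
        for name in body.split("+"):            # 'RC4+RSA' means RC4 AND RSA
            ops.setdefault(name.strip().upper(), set()).add(op)
    findings = {}
    for cls, (whole, parts) in WEAK_CLASSES.items():
        kills = [n for n in whole + parts if "!" in ops.get(n, ())]
        minus = any("-" in ops.get(n, ()) for n in whole + parts)
        findings[cls] = ("killed" if any(n in kills for n in whole) else "partly killed: "
                         + ",".join(kills) if kills else "removed with '-' only" if minus else "NOT excluded")
    return findings

def check(config_text=THREAD_CONFIG):
    d = parse_directives(config_text)
    return sorted(enabled_protocols(d["SSLProtocol"])), cipher_findings(d["SSLCipherSuite"])
```

On the posted fragment check() reports SSLv3 and TLSv1 still enabled, RC4 not excluded, and anonymous DH and export ciphers only partly killed (ADH and EXPORT56, not aNULL and EXP). PCI DSS 3.1 (2015) later ruled SSL and early TLS out as strong cryptography, so on current httpd the same directives would start from SSLProtocol -all +TLSv1.2 +TLSv1.3 and a cipher list that kills aNULL, eNULL, EXPORT, LOW and RC4 with "!".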
