[ic] PCI Compliance
NEST @ Yahoo
nest_consulting at yahoo.ca
Sun Jun 13 05:43:21 UTC 2010
> Has anybody had to take any special technical or other steps (outside of
> firewall, and other basic sys-admin tasks) in order to ensure a "PCI
> Compliant" Interchange?
It's not so bad. I added the following to my apache2 config to fix
some SSL issues:
SSLProtocol all -SSLv2
Yes, it's very simple. PCI Level4 compliance will not actually scan the
application behind the apache, so it's all pretty much securing the OS and
If you decide to go Level 3, 2 or 1, you may then have to provide key URLs
and the scan would test the forms, related links from page, logins, etc...
I have not gone this far, as most setups are OK with Level4 to connect
to banking gateways and other secured networks/services.
Note that the levels are determined by the amount of transactions usually,
and if the site grows to larger amounts then the banking gateways will ask
for a higher level of compliance. I believe the 1st step is 20K/month? Can't
remember now, but if you think you may get to that point, I would honestly
get the compliance done earlier rather than later, it'll buy you time.
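
Added example, not part of the original messages and not Interchange or Apache code: a small audit helper that resolves which protocols an `SSLProtocol` line such as the one quoted above leaves enabled, so a config can be checked before a scan. The function names, the sample config and the expansion of `all` (SSLv2, SSLv3, TLSv1, as in mod_ssl builds of that period) are assumptions; the file is treated as one scope, with no per-VirtualHost handling.

```python
import re

# Assumption: what "all" expands to in a 2010-era mod_ssl build.
# Pass a different set for builds that expand it differently.
ALL_2010 = frozenset({"SSLv2", "SSLv3", "TLSv1"})
KNOWN = {"sslv2": "SSLv2", "sslv3": "SSLv3", "tlsv1": "TLSv1"}

# Constructed sample config, for illustration only.
SAMPLE = """\
# constructed sample
SSLEngine on
SSLProtocol all -SSLv2
"""

def effective_protocols(conf_text, all_set=ALL_2010):
    """Return the protocols enabled by the last SSLProtocol line, or None."""
    enabled = None  # None means no SSLProtocol directive was found
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue
        m = re.match(r"(?i)sslprotocol\s+(.+)$", line)
        if not m:
            continue
        enabled = set()  # a later directive overrides an earlier one
        for tok in m.group(1).split():
            sign = tok[0] if tok[0] in "+-" else ""
            name = tok.lstrip("+-").lower()
            if name == "all":
                chosen = set(all_set)
            elif name in KNOWN:
                chosen = {KNOWN[name]}
            else:
                raise ValueError("unknown protocol token: " + tok)
            if sign == "-":
                enabled -= chosen
            elif sign == "+":
                enabled |= chosen
            else:
                enabled = chosen  # a bare token replaces the set so far
    return enabled

def allows_sslv2(conf_text, all_set=ALL_2010):
    """True if SSLv2 is still enabled; no directive means the default, all."""
    enabled = effective_protocols(conf_text, all_set)
    return "SSLv2" in (all_set if enabled is None else enabled)
```

A bare token after the first one (for example `SSLProtocol all -SSLv2 SSLv2`) replaces everything before it, which is how a missing `+` or `-` can silently re-enable SSLv2.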