[ic] PCI Compliance

Rick Bragg lists at gmnet.net
Tue Jun 22 04:53:00 UTC 2010


On Sun, 2010-06-13 at 12:48 -0700, Grant wrote:
> >> Has anybody had to take any special technical or other steps (outside of
> >> firewall, and other basic sys-admin tasks) in order to ensure a "PCI
> >> Compliant" Interchange?
> >>
> >> Thanks
> >> Rick
> >
> > It's not so bad.  I added the following to my apache2 config to fix
> > some SSL issues:
> >
> > SSLProtocol all -SSLv2
> > SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:-eNULL
> >
> > - Grant
> >
> >
> > --------------
> > Yes, it's very simple. PCI Level4 compliance will not actually scan the
> > application behind the apache, so it's all pretty much securing the OS and
> > Apache.
> >
> > If you decide to go Level 3,2 or 1, you may then have to provide key URLs
> > and the scan would test the forms, related links from page, logins, etc...
> > I have not gone this far, as most setups are or with Level4 to connect
> > to banking gateways and other secured networks/services.
> >
> > Note that the levels are determined by the amount of transactions usually,
> > and if the site grows to larger amounts then the banking gateways will ask
> > for a higher level of compliance. I believe the 1st step is 20K/month? Can't
> > remember now, but if you think you may get to that point, I would honestly
> > get the compliance done earlier than late, it'll buy you time.
> >
> > Cheers
> > Martin H.
> > N.E.S.T. Solutions
> 
> Good info, thanks Martin.
> 
> - Grant
> 

This is all really great info.  Thanks everyone.  I guess it also
depends on your size.  For example, I am really a small time host so I
will basically make sure everything is up to snuff and just fill out the
questionnaire.

FYI: One change that I may be making:
Right now, I use a shared IC instance with many stores.  (That was the
plan to maximize resources, and minimize administration.)   I may have
to abandon that idea and install individualized (per user) instances of
IC.  Do I have to do this?  After all, I am not storing CC data
anywhere, but I am storing other basic user info...

Thanks
Rick
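Grant's `SSLProtocol all -SSLv2` line is the kind of thing an assessor's scan checks, and mod_ssl's token rules (`all`, `+X`, `-X`, bare `X`) are easy to misread in a config with several vhosts. The following is an added example, not code posted by anyone in this thread: it evaluates each `SSLProtocol` directive in an httpd.conf fragment the way mod_ssl does and reports which enabled protocols fall in a forbidden set. The sample config, the `KNOWN` list (2.2-era semantics, where `all` still includes SSLv2) and the helper names are assumptions made for this example.

```python
"""Audit Apache mod_ssl 'SSLProtocol' directives for protocols a PCI scan
rejects.  Added example for this thread, not code posted by anyone in it."""
import re

# Protocol names mod_ssl accepts.  'all' is expanded to this whole list, which
# matches 2.2-era mod_ssl (SSLv2 still included); newer builds drop SSLv2.
KNOWN = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
_CANON = {p.lower(): p for p in KNOWN}


def enabled_protocols(value):
    """Apply mod_ssl token rules left to right: '+X' adds X, '-X' removes X,
    a bare 'X' replaces the set with {X}; 'all' stands for every protocol."""
    enabled = set()
    for token in value.split():
        action, name = (token[0], token[1:]) if token[0] in "+-" else ("", token)
        if name.lower() == "all":
            members = set(KNOWN)
        elif name.lower() in _CANON:
            members = {_CANON[name.lower()]}
        else:
            raise ValueError(f"unknown SSLProtocol token {token!r}")
        if action == "-":
            enabled -= members
        elif action == "+":
            enabled |= members
        else:
            enabled = members
    return enabled


def audit_config(conf_text, forbidden=frozenset({"SSLv2"})):
    """Return (directive value, enabled, enabled-but-forbidden) per directive.
    Default forbids only SSLv2 as in the thread; current scans also reject
    SSLv3 and TLSv1, so pass {"SSLv2", "SSLv3", "TLSv1"} for today's rule."""
    findings = []
    for m in re.finditer(r"^\s*SSLProtocol\s+(.+?)\s*$", conf_text, re.M | re.I):
        enabled = enabled_protocols(m.group(1))
        findings.append((m.group(1), sorted(enabled), sorted(enabled & forbidden)))
    return findings


# Constructed sample: Grant's directive from the thread, plus a vhost that
# leaves the default in place (SSLv2 stays on).
SAMPLE_CONF = """\
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:-eNULL
<VirtualHost *:443>
    SSLProtocol all
</VirtualHost>
"""
```

Run `audit_config(SAMPLE_CONF)` to see the global directive pass and the vhost fail on SSLv2; a per-vhost `SSLProtocol` silently replaces the global one, which is why the check looks at every directive rather than the first.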
