PCI Compliance Introduction
PCI compliance is required by the credit card card processing industry. If you are a merchant provider, no doubt you have been contacted by a PCI compliance scanning vendor of some form, generally sponsored by your bank or merchant provider.
Passing a PCI compliance scan is not too difficult, though there are a few technical hurdles to pass.
Server and Network Scanning
Generally speaking, you are required to answer an (excessively) long series of security questions, many of which may have no relation to your business. Further, they obtain your server IP addresses and scan your systems for security vulnerabilities.
The report format varies, but generally you receive a brief technical description for each item, usually linked to the CVE “Common Vulnerabilities and Exposures” database. If you are technically inclined or have technical staff who understand what should be changed to pass the scan, then you can generally resolve this internally.
If not, then unfortunately the scanning vendors do not offer support when a compliance scan fails and you are left to your own devices.
Passing the PCI Compliance Scan for Linux
Keep in mind that the purpose of passing a scan isn’t just to pass: passing the scan means your server meets a minimum baseline security level for operation on the public Internet. Not only will your merchant provider be tickled by your compliance, but your server will be more secure for the effort.
There are a series of general security practices that you can follow which will help you pass your scan and increase server security at the same time:
- Run only the services which are absolutely necessary for your server’s operation
- Install distribution package and security updates
- Configure a firewall to minimize the scan surface available to the scanner or to an attacker
- Use SSL certificates signed by a reputable certificate authority
- Make sure intermediate SSL certificates are installed
- Configure your SSL framework to force strong cryptographic ciphers
- Be certain that the domain being scanned matches the common name on the certificates. For example: if your SSL certificate is www.example.net but your website is www.example.com, then you will probably fail the PCI scan.
- Use your web server’s document root for a single purpose. For example, develop your new shiny website on a different or internal domain, not in the “/dev” or “/new” directory on your production site.
- Make sure your web application is up to date—especially if your site is based on an old version of an open-source content management system such as WordPress or Joomla.
- Dedicate one server per application function. For example, have mail on a dedicated mail server, web on a dedicated web server. Running both services on the same machine increases your security exposure and makes it more difficult to pass your PCI scan.
If you have followed these practices and are still having trouble passing your scan—or just want to increase your server’s security—then give me a call. I’m always happy to help!
-Eric