PCC-DSS compliance


Bryan Cockerham

Jun 22, 2012, 9:52:39 PM
to nyit-pro...@googlegroups.com

Hey,

Does anyone have any experience reliably and scalably setting up servers to be PCC compliant (for CC payment gateways)?

Because new PHP and Apache versions fix vulnerabilities, they immediately obsolesce their predecessors.

Long time, eh?

-Bryan


--

about me: bryancockerham.com


Jonathan Kraska

Jun 23, 2012, 1:26:24 PM
to nyit-pro...@googlegroups.com
Hey man,

I assume you mean PCI compliance? 

We don't officially do PCI compliance 100%, but we do have several clients that we do the best we can with. Honestly there is a lot of BS involved with PCI compliance. There are varying levels, and it's not a "do x, y, and z" and you're done. A lot depends on your individual code base and what your site is doing. And just because a site is PCI compliant doesn't mean it's totally secure.

I think probably the best thing you can do is use one of the online PCI compliance scanners and run it monthly. It will tell you what needs to be done to be compliant... and if it says you have to update to the latest PHP/Apache... you just have to suck it up and do it. That way you at least have a document officially saying you are compliant and will point out when things need to be done. I'm not sure which one we use, I think it might be McAfee?

--
EG. Making a come back.
 
To post to this group, send email to nyit-pro...@googlegroups.com
To unsubscribe from this group, send email to
nyit-programme...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/nyit-programmers?hl=en

Bryan Cockerham

Jun 23, 2012, 9:19:06 PM
to nyit-pro...@googlegroups.com

Hey,

Yes. PCI. Thanks. Long day yesterday.  :)


Thanks for the response. 

So you have to rebuild Apache and PHP on every server, each time there's an update? All my research was pointing that way, and it was a hard truth to swallow. I figured I'd ask around just in case.

Maybe a better question would be: should I scrap Apache, and use something with fewer features that may therefore be less prone to vulnerability? When we hit more than 10 instances, this is going to get tedious, even with EC2 allowing me to mount home drives on newly cloned servers as soon as I get them running.

Thanks again.

-Bryan

Jonathan Kraska

Jun 23, 2012, 11:25:58 PM
to nyit-pro...@googlegroups.com
Sounds like the real problem is you're compiling Apache/PHP from source? Why are you not using a package manager like yum? It makes updates a lot less painful.

I know Ben likes nginx for performance reasons... but I would stick with Apache personally. I don't think you are going to gain much as far as PCI compliance goes if you switch away from Apache.

What it comes down to IMO is that server management ain't easy if you want to do it right. We use Puppet to manage our server configs/updates (with varying levels of success). I don't think we are using it 100% correctly in our implementation, but it might be something worth looking into if you are managing a large number of servers (especially if they all should be configured identically).

Bryan Cockerham

Jun 24, 2012, 12:39:58 PM
to nyit-pro...@googlegroups.com

We're 100% up to date with the latest yum packages (CentOS 6), but we're still failing PCI scans. The only solution I have is to build from the latest releases on Apache.org and PHP.net. If I could solve this through packages, it wouldn't be a problem.

Puppet is a good idea. I've thought about using it a few times in the past. Unfortunately it won't solve my build problems though.

I know nginx is supposed to be wicked fast. I'll do some research on the maintenance required to keep it PCI compliant.
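An added example, not part of the thread: one reason a host that is fully up to date with yum can still fail a version-based scan is that Red Hat and CentOS backport security fixes into the shipped version (on CentOS 6 the httpd package stays at 2.2.15 and the CVE fixes land in later release numbers), so a scanner that keys on the Server banner reports the CVE as still open. The evidence usually used to dispute such a finding with the scanning vendor is the package changelog, which `rpm -q --changelog` prints. The script below reads that changelog and splits the scanner's CVE list into findings a backported fix already covers and findings that are genuinely open. The changelog text embedded here is constructed to mimic rpm's format (packager, dates and the CVE-to-release mapping are illustrative, not copied from a real package), the flagged CVE list is illustrative scanner output, and the `package_changelog` helper only works on a real RPM-based host.

```python
import re
import subprocess
from typing import List, Set, Tuple

# rpm changelog entries name the CVEs they fix; this pattern pulls the IDs out.
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed sample in the format `rpm -q --changelog httpd` prints on CentOS 6.
# Not a real changelog: packager, dates and CVE-to-release mapping are illustrative.
SAMPLE_CHANGELOG = """\
* Mon Sep 12 2011 Example Packager <packager@example.com> - 2.2.15-9.el6_1.2
- add security fix for CVE-2011-3192 (Range header DoS)

* Wed Mar 23 2011 Example Packager <packager@example.com> - 2.2.15-6.el6
- add security fix for CVE-2010-1452
- add security fix for CVE-2010-1623
"""


def cves_in_changelog(changelog: str) -> Set[str]:
    """Every CVE ID the package changelog claims a fix for."""
    return set(CVE_RE.findall(changelog))


def package_changelog(package: str) -> str:
    """Read an installed package's changelog with rpm (only works on an RPM host)."""
    result = subprocess.run(["rpm", "-q", "--changelog", package],
                            capture_output=True, text=True, check=True)
    return result.stdout


def triage_findings(flagged: List[str], changelog: str) -> Tuple[List[str], List[str]]:
    """Split a scanner's CVE list into IDs the changelog shows as backported
    and IDs that are still open (those need a real update or a different dispute)."""
    fixed = cves_in_changelog(changelog)
    covered = sorted(c for c in flagged if c in fixed)
    still_open = sorted(c for c in flagged if c not in fixed)
    return covered, still_open


def evidence_lines(changelog: str, cve: str) -> List[str]:
    """The changelog lines naming the CVE, to attach to the dispute with the scanning vendor."""
    return [line.strip() for line in changelog.splitlines() if cve in line]


if __name__ == "__main__":
    # Illustrative scanner output for an httpd 2.2.15 banner; real runs would
    # replace SAMPLE_CHANGELOG with package_changelog("httpd").
    flagged = ["CVE-2011-3192", "CVE-2010-1452", "CVE-2012-0053"]
    covered, still_open = triage_findings(flagged, SAMPLE_CHANGELOG)
    for cve in covered:
        print("backported:", cve, "->", evidence_lines(SAMPLE_CHANGELOG, cve))
    for cve in still_open:
        print("open:", cve)
```

The same loop run over `php` and the other packages the scan names gives you a per-finding list to send back: changelog excerpts for the backported ones, and a short list of what actually needs a newer package or a source build.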

Ben Zajac

Jun 24, 2012, 11:14:44 PM
to nyit-pro...@googlegroups.com
If you can change your payment processor company, look into stripe.com. That will take a lot of that PCI compliant BS off you: https://answers.stripe.com/questions/what-exactly-do-i-need-to-do-on-my-end-for-pci-compliance

Basically, your checkout payment page has an ajax form that posts to Stripe's servers directly, and you get a JSON reply back of success or not. They store and handle all the customer information for you, so your server will never see it at all, meaning you don't have to worry about a lot of that data security vulnerability whatnot. And you don't need to change your checkout flow, like you would using PayPal Express or whatever, which takes you off domain. It's pretty neat.
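An added example, not from the thread and not Stripe's code: the scope reduction Ben describes only holds if card data never reaches your server, and a mistyped form field or a JavaScript-disabled fallback can quietly post the raw number to your backend anyway. A small server-side guard that refuses, and alerts on, any request field carrying a Luhn-valid card number is a cheap way to enforce that boundary. The form field names and the token value below are illustrative, and the card numbers are the standard public test PANs, not real cards.

```python
import re
from typing import Dict, List

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Normalised card numbers found in free text (13-19 digits, Luhn-valid)."""
    found = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def fields_with_pan(form: Dict[str, str]) -> List[str]:
    """Names of the form fields that contain something that looks like a card number."""
    return sorted(name for name, value in form.items() if find_pans(str(value)))


def mask(pan: str) -> str:
    """Keep only the last four digits, so an alert never re-leaks the PAN into a log."""
    return "*" * (len(pan) - 4) + pan[-4:]


class CardDataLeak(Exception):
    pass


def reject_if_card_data(form: Dict[str, str]) -> None:
    """Call before touching or logging any checkout request; raises on a leak."""
    bad = fields_with_pan(form)
    if bad:
        shown = {name: mask(find_pans(form[name])[0]) for name in bad}
        raise CardDataLeak("card data posted to the server in fields %s" % shown)


if __name__ == "__main__":
    # Illustrative token-based checkout request (field names assumed): passes.
    reject_if_card_data({"stripeToken": "tok_1AbCdEf", "amount": "1999"})
    # Illustrative fallback that posts the raw card number: rejected.
    try:
        reject_if_card_data({"number": "4111-1111-1111-1111", "cvc": "123"})
    except CardDataLeak as exc:
        print("blocked:", exc)
```

The regex scans each digit run once, so a card number glued to other digits is missed; that is deliberate to keep false positives on order and tracking numbers low. The same `find_pans` is worth running over access and error logs, which is where card numbers usually turn up when a checkout page regresses.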

Bryan Cockerham

Jun 26, 2012, 3:00:37 PM
to nyit-pro...@googlegroups.com

Thanks. Authorize.net, our payment gateway, allows for this too. Maybe it's worth checking out. No pun intended.
