How to be PCI Compliant

OK, I have been through this a few times already, so I figured I would share what I learned and make it a bit easier on you than hunting all over the net for this info.

There is one absolute requirement for being PCI compliant: the software that lets the public place orders and submit credit card details MUST be on its own server. A shared-hosting server will not pass, and neither will a self-signed SSL certificate.

If you want us to do this for you, you can order it here.

What is PCI?

PCI stands for Payment Card Industry. When people say "PCI" they usually mean the Payment Card Industry Data Security Standard (PCI DSS). It was developed by the major card brands as a set of requirements for organizations that store, process or transmit cardholder data, with the goal of protecting that data and preventing card fraud and related security threats. A company that processes, stores or transmits payment card data must be PCI DSS compliant or it risks losing its ability to accept card payments, being audited and/or being fined. The current version of the standard at the time of writing (1.2) specifies 12 requirements, organized into six groups called "control objectives."

Who has to comply?

The Payment Card Industry Data Security Standard (PCI DSS) applies to any organization that processes credit or debit card information, including merchants and third-party service providers that store, process or transmit card data. Since the end of 2007, any organization that accepts payment card transactions has had to comply with the standard.

However, according to the PCI DSS documentation, "PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed or transmitted. If a PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply."

Card brands and acquiring banks can levy stiff fines and suspend the merchant's ability to process card transactions until the merchant is PCI compliant. Note that the scope is wider than the ordering software: basic functions such as email and employee Internet access make parts of a company's network reachable from the Internet, and these seemingly insignificant paths can provide unprotected routes into merchant and service-provider systems and expose cardholder data if they are not properly controlled.

This is worldwide, not just North America. Visa has set these standards and is enforcing them as of June 1, 2009.

This means that if you only take PayPal (so no card number ever touches your server) you can ignore this HOWTO; otherwise you MUST become PCI compliant by the end of May 2009.

What is an Approved Scanning Vendor?

All PCI scans must be conducted by a third-party Approved Scanning Vendor (ASV), selected from the list of approved vendors at https://www.pcisecuritystandards.org/. Approved vendors are required to scan according to a defined set of procedures, which dictate that normal operation of the customer environment must not be impacted and that the vendor must never penetrate or alter the customer environment.

Step 1

The first thing you want to do is buy an SSL cert, because a self-signed one will fail your PCI scan every time! You can buy an SSL cert from me (BORGNET dot NET) or from any of a million other places.

The second thing you want to do is disable SSLv2 system-wide, because it is an insecure protocol version (a version of SSL, not a cipher, but you can shut it off through each daemon's cipher list, as shown below). Be aware that the cipher lists below date from PCI DSS 1.2 and still permit SSLv3 and RC4; later versions of the standard (3.1 onward) disallow SSL and early TLS, and current ASV scans also flag RC4, so on a current system disable those as well.

Webmin/Usermin

Go to Webmin → Webmin Configuration → SSL Encryption

Edit the setting for "Allowed SSL ciphers" and add:

RC4:HIGH:!MD5:!SSLv2:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!AESGCM

Do the same for Usermin!

apache/httpd 2.x

Add the following lines to the SSL virtual host section of your httpd.conf (mod_ssl); SSLHonorCipherOrder makes the server's preference order win over the client's:

SSLHonorCipherOrder     On
SSLCipherSuite          RC4:HIGH:!MD5:!SSLv2:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!AESGCM

dovecot 1.0+

Add this line to your dovecot.conf:

ssl_cipher_list = RC4:HIGH:MEDIUM:+TLSv1:!MD5:!SSLv2:+SSLv3:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!AESGCM

Next, tell Dovecot to stop listening on the plaintext IMAP and POP3 ports (143 and 110) and serve only the SSL-wrapped ports (993 and 995). Edit the protocols line of /etc/dovecot.conf (Dovecot 1.x syntax):

protocols = imaps pop3s

In fact, if you do not need Dovecot, do not run it at all.

postfix

main.cf:

smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_cipherlist = RC4:HIGH:MEDIUM:+TLSv1:!MD5:!SSLv2:+SSLv3:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!AESGCM
smtp_tls_cipherlist = RC4:HIGH:MEDIUM:+TLSv1:!MD5:!SSLv2:+SSLv3:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!AESGCM
smtpd_tls_mandatory_ciphers = medium

Note that the smtpd_tls_mandatory_* settings only apply when the SMTP server enforces TLS; a port 25 that offers TLS opportunistically is governed by the smtpd_tls_cipherlist line, which applies at every security level.

proftpd

proftpd.conf (mod_tls):

TLSEngine on
TLSCipherSuite RC4:HIGH:MEDIUM:+TLSv1:!MD5:!SSLv2:+SSLv3:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!AESGCM

Force HTTPS on all your logins

You can do this with a .htaccess file (requires mod_rewrite and an AllowOverride setting that permits it) or by adding the following lines to the virtual host configuration:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Place the .htaccess file in each directory where you want to enforce SSL; the rule also covers that directory's subdirectories.

Firewalls

Install a firewall such as Shorewall and block every port you do not want the world to reach. The only ports that should be open to the world are 22, 25, 53, 80 and 443:

ssh → 22
postfix → 25
bind/dns → 53 (TCP and UDP)
http/https → 80, 443

Optional ports are 993 and 995, for imaps and pop3s. If you have 110 and 143 (plaintext POP3 and IMAP) open, you WILL fail PCI!

Last Step!

Restart dovecot, apache and proftpd. ProFTPD is really insecure and I advise you not to use it at all; use SFTP (file transfer over SSH, which you are already exposing on port 22) instead. I have found that most PCI scanning vendors will fail you just for running it, regardless of disabling SSLv2.

Testing that SSLv2 is Disabled

Run this against every port that serves SSL/TLS (443, 993, 995 and anything else you left open):

openssl s_client -connect HOSTNAME:PORT -ssl2

If you get the certificate back followed by a ton of other lines, the SSLv2 handshake succeeded and you still have SSLv2 enabled. If instead you get something like the following, you are fine:

write:errno=54
8965:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:

One caveat: OpenSSL 1.1.0 and later have SSLv2 removed entirely, so on a current machine -ssl2 is rejected as an unknown option. That tells you about your client, not your server; test from a box whose OpenSSL still has SSLv2, or use a scanner that speaks the protocol itself.
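The following script is an added example (not part of the original HOWTO, and not the scanning vendor's tool) that serves both the firewall section and the SSLv2 test above: it checks which of the listed ports a host answers on, compares that against the port policy, and then, for each open implicit-TLS port (443, 993, 995), builds an SSLv2 CLIENT-HELLO itself and classifies the server's reply, which is exactly the exchange `openssl s_client -ssl2` used to perform before OpenSSL dropped SSLv2. The host name, the script name, the port set and the byte strings are assumptions for illustration; a real ASV scans far more than this.

```python
"""Pre-scan self-check for the firewall and SSLv2 steps in this HOWTO (added
example, not from the original): tests which policy ports answer, then sends a
hand-built SSLv2 CLIENT-HELLO to each open implicit-TLS port (no -ssl2 needed)."""
import os
import socket
import sys

# Port policy from the firewall section: only these may be reachable; 993/995
# are optional; 110/143 (plaintext POP3/IMAP) fail the scan outright.
REQUIRED_OPEN = {22, 25, 53, 80, 443}
OPTIONAL_OPEN = {993, 995}
FORBIDDEN = {110, 143}
# Ports that wrap the whole connection in SSL/TLS, so an SSLv2 probe applies
# (port 25 uses STARTTLS, a different exchange, and is not probed here).
IMPLICIT_TLS_PORTS = {443, 993, 995}

# SSLv2 CIPHER-KIND codes (3 bytes each): RC4-128, RC4-40, RC2-128, RC2-40, IDEA, DES, 3DES
SSLV2_CIPHER_KINDS = [b"\x01\x00\x80", b"\x02\x00\x80", b"\x03\x00\x80",
                      b"\x04\x00\x80", b"\x05\x00\x80", b"\x06\x00\x40",
                      b"\x07\x00\xc0"]

def build_sslv2_client_hello(challenge=None):
    """Return an SSLv2 record carrying a CLIENT-HELLO that offers every
    standard SSLv2 cipher kind, with an empty session id."""
    challenge = os.urandom(16) if challenge is None else challenge
    ciphers = b"".join(SSLV2_CIPHER_KINDS)
    body = (b"\x01"                              # MSG-CLIENT-HELLO
            + b"\x00\x02"                        # CLIENT-VERSION 2.0
            + len(ciphers).to_bytes(2, "big")    # CIPHER-SPECS-LENGTH
            + b"\x00\x00"                        # SESSION-ID-LENGTH
            + len(challenge).to_bytes(2, "big")  # CHALLENGE-LENGTH
            + ciphers + challenge)
    # Two-byte record header: high bit set, 15-bit length, no padding byte.
    return (0x8000 | len(body)).to_bytes(2, "big") + body

def classify_sslv2_response(data):
    """Interpret the server's first reply. Returns (sslv2_supported, text)."""
    if not data:
        return False, "connection closed with no reply (SSLv2 disabled)"
    # A TLS-only server usually answers with a TLS alert record (type 0x15).
    if data[0] == 0x15 and len(data) >= 7 and data[1] == 0x03:
        return False, "TLS alert, description %d (SSLv2 disabled)" % data[6]
    # Else an SSLv2 record: 2-byte header if the high bit is set, otherwise a
    # 3-byte header (14-bit length plus a padding byte).
    hdr_len = 2 if data[0] & 0x80 else 3
    if len(data) <= hdr_len:
        return False, "truncated record"
    msg_type = data[hdr_len]
    if msg_type == 0x04:  # MSG-SERVER-HELLO: the server agreed to speak SSLv2
        # fields: hit(1) cert-type(1) version(2) cert-len(2) specs-len(2) conn-id-len(2)
        f = data[hdr_len + 1:hdr_len + 11]
        if len(f) < 10:
            return True, "SSLv2 SERVER-HELLO (truncated)"
        version = int.from_bytes(f[2:4], "big")
        cert_len = int.from_bytes(f[4:6], "big")
        kinds = int.from_bytes(f[6:8], "big") // 3
        return True, ("SSLv2 SERVER-HELLO version 0x%04x, certificate %d bytes,"
                      " %d cipher kinds offered" % (version, cert_len, kinds))
    if msg_type == 0x00:  # MSG-ERROR: SSLv2 framing, but the server refused
        return False, "SSLv2 ERROR message (server refused SSLv2)"
    return False, "unrecognised reply, first message type 0x%02x" % msg_type

def evaluate_port_policy(open_ports):
    """Compare reachable ports with the firewall policy; [] means pass."""
    open_ports = set(open_ports)
    findings = ["port %d: plaintext POP3/IMAP reachable, ASV scan will fail" % p
                for p in sorted(open_ports & FORBIDDEN)]
    findings += ["port %d: not in the allowed list, close it or justify it" % p
                 for p in sorted(open_ports - REQUIRED_OPEN - OPTIONAL_OPEN - FORBIDDEN)]
    return findings

def probe_sslv2(host, port, timeout=5.0):
    """Send our CLIENT-HELLO to host:port and classify the first reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_sslv2_client_hello())
        try:
            data = s.recv(4096)
        except OSError:  # reset or timeout: no SSLv2 handshake happened
            data = b""
    return classify_sslv2_response(data)

def self_check(host, ports=sorted(REQUIRED_OPEN | OPTIONAL_OPEN | FORBIDDEN)):
    """Report lines for one host. Only policy ports are tried; an ASV scans all."""
    open_ports = []
    for p in ports:
        try:
            socket.create_connection((host, p), timeout=3.0).close()
            open_ports.append(p)
        except OSError:
            pass
    report = evaluate_port_policy(open_ports)
    for p in sorted(set(open_ports) & IMPLICIT_TLS_PORTS):
        report.append("port %d: %s" % (p, probe_sslv2(host, p)[1]))
    return report

if __name__ == "__main__":  # e.g. python3 pci_precheck.py shop.example.com
    for line in self_check(sys.argv[1]) or ["no findings"]:
        print(line)
```

Run it from a machine outside your own network, since the point is to see what the Internet sees. A SERVER-HELLO coming back means the daemon on that port still negotiates SSLv2 whatever your cipher string says; an empty reply, a TLS alert or an SSLv2 ERROR message means it refused. The policy check only looks at the ports this HOWTO names, so an empty report is a pre-check, not a pass from the vendor.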

 
