On 11/01/14 03:46, Veljko wrote:
> Hello,
>
> Does anyone here operate servers that have to meet PCI standards?

Level 4s (isolated payment solutions). This is possibly not the best list to ask on....

> Do you have any problems with Debian?

No.

> I know that Moneris Solutions and Trustkeeper are scanning for version
> numbers so if you're running some old Apache version for example, you need
> to track down every vulnerability (CVE) and to prove that particular
> CentOS/RedHat version is patched.

That's what the ASV is supposed to do; if you do the SAQ first (as PCI SSC requires) the scan shouldn't result in surprises. I have no experience with either of those companies.

I don't run out-of-date un-patched software. Either Debian stable or, mostly, old-stable (Squeeze). I have little recent experience with CentOS/RedHat so I can't speculate on parallels.

> What is your experience with this?

That's a *very* broad subject. Speak to the bank before choosing your ASV and payment solution.

Start with client and company data, then the network and OS (plural), after that the firewall. You'll find that apache is the very last thing you need to worry about.

Anything above a 4 and you should consider using specialists or outsourcing components (firewall, backups, and *especially*, mail) - look at the Debian.org consultants list. Try CERT people if you can't find an experienced Debian consultant.

Compliance can be costly and time consuming, so if you only want a Level 4, using a provider instead might be worthwhile unless you control (or outsource) *every* part of the chain *and* the client/business makes it profitable.

Subscribe to the security-announce mailing list:-
http://lists.debian.org/debian-security-announce/

There's also a feed:-
http://www.debian.org/security/dsa
(DSA == Debian Security Announcement, compatible with CVEs.)

Product and advice liability insurance is a good idea if you're supplying the service to a client.

If you don't control the whole data chain and the client thinks a CRM is the end-all-and-be-all.... run like hell.

Assessment tends to rank external access as the greatest risk; in reality it's generally internal.

> Regards,
> Veljko

Kind regards and good luck

--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/52d0860d.1030...@gmail.com