On 2014-Jan-11 10:45, Scott Ferguson wrote:
> On 11/01/14 03:46, Veljko wrote:
> > Hello,
> >
> > Does anyone here operate servers that have to meet PCI standards?
>
> Level 4s (isolated payment solutions)
>
> This is possibly not the best list to ask on....
>
> > Do you have any problems with Debian?
>
> No.
>
> > I know that Moneris Solutions and Trustkeeper are scanning for version
> > numbers so if you're running some old Apache version for example, you
> > need to track down every vulnerability (CVE) and to prove that
> > particular CentOS/RedHat version is patched.
>
> That's what the ASV is supposed to do, if you do the SAQ first (as
> PCISSC requires) the scan shouldn't result in surprises.
>
> I have no experience with either of those companies. I don't run
> out-of-date un-patched software. Either Debian stable or, mostly,
> old-stable (Squeeze).
I also don't run out-of-date software. I was just curious if you had problems because you run an old but patched version, not the latest one. That answers my question.

> I have little recent experience with CentOS/RedHat so I can't speculate
> on parallels.

Well, it's the same, I guess. They too use old stable software patched in answer to new vulnerabilities.

> > What is your experience with this?
>
> That's a *very* broad subject.
>
> Speak to the bank before choosing your ASV and payment solution.
>
> Start with client and company data, then the network and OS (plural),
> after that the firewall. You'll find that apache is the very last thing
> you need to worry about.

For a while I maintained a website that accepted payments. There I had some problems with older versions of Apache, PHP and openssl. The network scanning company soon accepted my appeals, but the fact that I had to track down all those CVEs proves that there was something wrong with their process. But, to be honest, I didn't fill in the SAQ; it was done before I took over maintenance, so that could be the source of the problem.

> Anything above a 4 and you should consider using specialists or
> outsourcing components (firewall, backups, and *especially*, mail) -
> look at Debian.org consultants list. Try CERT people if you can't find
> an experienced debian consultant. Compliance can be costly and time
> consuming so if you only want a Level 4 using a provider instead might
> be worthwhile unless you control (or outsource) *every* part of the
> chain *and* the client/business makes it profitable.
>
> Subscribe to the security-announce mailing list:-
> http://lists.debian.org/debian-security-announce/
>
> There's also a feed:-
> http://www.debian.org/security/dsa
>
> (DSA==Debian Security Announcement, compatible with CVEs.)
>
> Product and advice liability insurance is a good idea if you're
> supplying the service to a client.
> If you don't control the whole data chain and the client thinks a CRM is
> the end-all-and-be-all.... run like hell. Assessment tends to rank
> external access as the greatest risk, in reality it's generally internal.
>
> Kind regards and good luck

Thanks very much for your thoughts and advice, much appreciated.

Regards,
Veljko
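The situation described in the thread (a version-matching ASV scan flagging a Debian package whose fix was backported, so the version string never changes) is usually answered by showing the scanner the package changelog, which Debian's security team annotates with the CVE ids a given upload fixes. The script below is an added example, not code from the thread or from Debian: it parses changelog text in the `dpkg` changelog format and reports which upload first references a given CVE, and lists every CVE an installed package's changelog mentions, so the evidence for an appeal can be collected from the machine itself. The changelog embedded here is constructed, and `CVE-0000-0001` / `CVE-0000-0002` are placeholders, not real advisories; on a real Debian host you would feed the functions `zcat /usr/share/doc/<pkg>/changelog.Debian.gz` or `apt-get changelog <pkg>` instead.

```shell
#!/bin/sh
# Constructed sample in Debian changelog format (placeholder package versions
# and placeholder CVE ids; this is NOT a real apache2 changelog).
SAMPLE_CHANGELOG='apache2 (2.2.22-13+deb7u99) wheezy-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * CVE-0000-0001: hypothetical fix backported from upstream.
  * CVE-0000-0002: second hypothetical fix backported from upstream.

 -- Example Security Team <security@example.com>  Sat, 11 Jan 2014 10:45:00 +0000

apache2 (2.2.22-13) unstable; urgency=low

  * New upstream release.

 -- Example Maintainer <maint@example.com>  Mon, 01 Jul 2013 12:00:00 +0000
'

# cve_fixed_in_changelog CVE-ID < changelog
# Reads a Debian changelog on stdin and prints the version of the first
# (newest) stanza whose body mentions the CVE id.  Exit status 0 when the
# CVE is referenced, 1 when it is not, so it can be used in an if/||.
cve_fixed_in_changelog() {
    cve="$1"
    awk -v cve="$cve" '
        # Stanza header: "pkg (version) distribution; urgency=..."
        /^[a-z0-9.+-]+ \(/ { v = $2; gsub(/[()]/, "", v); version = v }
        # First body line naming the CVE wins: changelogs are newest-first.
        index($0, cve)     { print version; found = 1; exit }
        END                { exit found ? 0 : 1 }
    '
}

# cves_in_changelog < changelog
# Prints every CVE id the changelog references, one per line, de-duplicated,
# which is the list you hand to the scanner as evidence of backported fixes.
cves_in_changelog() {
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# Demo on the constructed sample.  On a real host replace the printf with
#   zcat /usr/share/doc/apache2/changelog.Debian.gz
printf '%s' "$SAMPLE_CHANGELOG" | cves_in_changelog
printf '%s' "$SAMPLE_CHANGELOG" | cve_fixed_in_changelog CVE-0000-0001 \
    || echo "CVE-0000-0001 not referenced in changelog"
```

The version printed is the one to compare against what `dpkg -l <pkg>` shows as installed; if the installed version is that upload or a later one, the backported fix is present even though the upstream version number the scanner matched on has not moved.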