PCI Compliance


The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard defined by the Payment Card Industry Security Standards Council.

Chances are, if your organization processes credit cards, your bank has asked you to become "PCI Compliant".

The goal of PCI Compliance is to prevent credit card fraud through increased security. The standard applies to all organizations that hold, process, or exchange credit card data.

Becoming PCI Compliant

Being branded "PCI Compliant" relies on working with a third-party security assessor to review your servers and policies. Your bank or credit card processor will generally have a suggestion on which company to use, and may offer discounts through partnerships they have set up.

There are two components to being PCI Compliant. One is a self-assessment questionnaire that you'll need to review. We're not going to tackle that part here :-)

The second part, the security scan, is what this document will help with. The security assessor is going to perform a scan of your servers, and notify you of any problems it sees. What we'll do here is go over some changes that need to be made in order to pass the security scan.

With that in mind, let's get started!

Disable the old v2 SSL protocol

An older version of the SSL protocol, dubbed "SSLv2", is enabled by default in many services running on Linux. It's considered insecure, and needs to be disabled to pass the security scan.

Disable SSLv2 in Webmin

After logging into Virtualmin, click Webmin -> Webmin -> Webmin Configuration -> SSL Encryption. Where it says "Allowed SSL ciphers", set the option "Only strong PCI-compliant ciphers", and click "Save".

Disable SSLv2 in Apache

You'll need to log in to the command line as root over SSH. From there, on CentOS-based systems, you'll need to edit /etc/httpd/conf/httpd.conf. On Debian/Ubuntu-based systems, you'll need to edit /etc/apache2/mods-enabled/ssl.conf.

After opening that file, you'll need to set "SSLProtocol" and "SSLCipherSuite" to the following:

SSLProtocol ALL -SSLv2

Then restart Apache:

On CentOS, run: /etc/init.d/httpd reload

On Debian/Ubuntu, run: /etc/init.d/apache2 reload

Disable SSLv2 in Postfix

Edit /etc/postfix/main.cf, and set smtpd_tls_mandatory_protocols and smtpd_tls_mandatory_ciphers as follows:

smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_mandatory_ciphers = high

Disable SSLv2 in Dovecot

Edit /etc/dovecot/dovecot.conf, and set the "ssl_cipher_list" option as follows:

ssl_cipher_list = HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3

Then restart Dovecot:

/etc/init.d/dovecot restart

Apache Settings

By default, Apache allows users to access a lot of information about the service remotely. To become PCI Compliant, you'll typically need to configure Apache to give away less information.

The file to edit depends on your distribution: on CentOS it is /etc/httpd/conf/httpd.conf, on Ubuntu it is /etc/apache2/apache2.conf, and on Debian it is /etc/apache2/conf.d/security. In that file, set ServerTokens, ServerSignature, and TraceEnable to the following:

ServerTokens Minimal
ServerSignature Off
TraceEnable Off

On CentOS, run: /etc/init.d/httpd reload

On Debian/Ubuntu, run: /etc/init.d/apache2 reload

Disable Protocol 1 in SSH

SSH may have protocol 1 enabled, which is considered insecure. To disable it, edit /etc/ssh/sshd_config, and change the "Protocol" line to read:

Protocol 2

Then restart SSH: /etc/init.d/sshd restart
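As an added example (not part of the Virtualmin documentation), the following POSIX shell script audits the configuration files edited in the sections above and reports whether each directive carries the value the scan expects. It handles both the "Name value" form used by Apache and sshd and the "name = value" form used by Postfix and Dovecot, and, like those daemons, treats the last active line as the effective one. The function names (effective_value, check, audit) are my own, and the sample configuration files it writes are constructed for the demonstration; point audit at the real paths to check a server.

```shell
#!/bin/sh
# Added example (not part of the Virtualmin documentation): audit the
# configuration files edited on this page and report whether each directive
# carries the value the PCI scan expects. The sample files written below are
# constructed for the demonstration; pass the real paths
# (/etc/httpd/conf/httpd.conf, /etc/ssh/sshd_config, /etc/postfix/main.cf,
# /etc/dovecot/dovecot.conf) to audit a server.

# effective_value FILE NAME
# Print the value from the last active (non-comment) line that sets NAME.
# Handles "Name value" (Apache, sshd) and "name = value" (Postfix, Dovecot).
# As in those daemons, a later line overrides an earlier one.
effective_value() {
    grep -Ei "^[[:space:]]*$2([[:space:]]|=)" "$1" 2>/dev/null \
        | tail -n 1 \
        | sed -e 's/^[[:space:]]*[^[:space:]=]*[[:space:]]*=\{0,1\}[[:space:]]*//' \
              -e 's/[[:space:]]*$//'
}

# check FILE NAME EXPECTED
# Print a PASS/FAIL line; return 0 on a (case-insensitive) match, 1 otherwise.
check() {
    actual=$(effective_value "$1" "$2")
    if [ "$(printf '%s' "$actual" | tr 'A-Z' 'a-z')" = "$(printf '%s' "$3" | tr 'A-Z' 'a-z')" ]; then
        printf 'PASS %s: %s = %s\n' "$1" "$2" "$actual"
        return 0
    fi
    printf 'FAIL %s: %s is "%s", expected "%s"\n' "$1" "$2" "$actual" "$3"
    return 1
}

# audit HTTPD_CONF SSHD_CONFIG POSTFIX_MAIN_CF DOVECOT_CONF
# Run every setting from this page; the return value is the number of failures.
audit() {
    failures=0
    check "$1" SSLProtocol "ALL -SSLv2"     || failures=$((failures + 1))
    check "$1" ServerTokens Minimal         || failures=$((failures + 1))
    check "$1" ServerSignature Off          || failures=$((failures + 1))
    check "$1" TraceEnable Off              || failures=$((failures + 1))
    check "$2" Protocol 2                   || failures=$((failures + 1))
    check "$3" smtpd_tls_mandatory_protocols "SSLv3, TLSv1" || failures=$((failures + 1))
    check "$3" smtpd_tls_mandatory_ciphers high             || failures=$((failures + 1))
    check "$4" ssl_cipher_list "HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3" || failures=$((failures + 1))
    return "$failures"
}

# Constructed sample configuration files (not copied from any real server).
tmp=$(mktemp -d)
cat > "$tmp/httpd.conf" <<'EOF'
# The commented-out line below must be ignored by the audit
#SSLProtocol all
SSLProtocol ALL -SSLv2
# Two ServerTokens lines: the later one is the effective value
ServerTokens OS
ServerTokens Minimal
ServerSignature On
TraceEnable Off
EOF
printf 'Protocol 2,1\n' > "$tmp/sshd_config"
printf 'smtpd_tls_mandatory_protocols = SSLv3, TLSv1\nsmtpd_tls_mandatory_ciphers = high\n' > "$tmp/main.cf"
printf 'ssl_cipher_list = HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3\n' > "$tmp/dovecot.conf"

# On the sample, ServerSignature and the SSH Protocol line are the two failures.
failed=0
audit "$tmp/httpd.conf" "$tmp/sshd_config" "$tmp/main.cf" "$tmp/dovecot.conf" || failed=$?
echo "checks failed: $failed"
```

Run it as root after making the edits above; a non-zero "checks failed" count tells you which file still needs attention before you request the scan, and the same check function can be pointed at any other directive an assessor asks about.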

List Apache security patches

Some PCI providers will request a list of the security updates Apache has been patched for. On RPM-based systems such as CentOS, you can generate such a list from the package changelog with this command:

rpm -qa --changelog httpd | grep CVE
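The command above prints every changelog line that mentions a CVE, which repeats an identifier each time it is referenced. As an added example (not from the Virtualmin documentation), these shell functions reduce that output to one line per distinct CVE identifier, which is the form an assessor usually wants. The function names are my own, and the changelog text embedded below is constructed for the demonstration; its CVE numbers are placeholders, not real httpd advisories.

```shell
#!/bin/sh
# Added example (not from the Virtualmin documentation): turn changelog text
# into a sorted, de-duplicated list of CVE identifiers. The sample changelog
# below is constructed; its CVE numbers are placeholders, not real advisories.

# cve_list: read changelog text on stdin, print each distinct CVE id once.
cve_list() {
    grep -Eo 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# cve_count: print the number of distinct CVE ids in the text on stdin
# (prints 0 when there are none).
cve_count() {
    cve_list | wc -l | tr -d ' '
}

# Constructed sample. On a real CentOS server, feed the package changelog in
# instead:   rpm -qa --changelog httpd | cve_list
sample_changelog='* Tue Jan 01 2013 Example Packager <packager@example.com> - 2.2.15-1
- Resolves: CVE-0000-0001, CVE-0000-0002 (placeholder ids)
- Fix regression from the CVE-0000-0001 patch
* Mon Dec 03 2012 Example Packager <packager@example.com> - 2.2.15-0
- unrelated packaging change'

printf '%s\n' "$sample_changelog" | cve_list
printf 'distinct CVE ids: %s\n' "$(printf '%s\n' "$sample_changelog" | cve_count)"
```

On the sample text the repeated identifier is collapsed, so two ids are listed rather than three mentions; on a server the same pipeline gives you the list to hand to the assessor alongside the package version.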

Package Backports

Although the package versions in use on your server may not appear to be the latest, Linux distribution vendors (such as RedHat, CentOS, Ubuntu, and Debian) all backport security fixes into the software versions they ship. That process is known as "backporting". RedHat has documentation explaining it here: