How to be PCI Compliant

Ok, I have been through this a few times already, so I figured I would share what I learned to make it a bit easier on you instead of hunting all over the net for this info.

What is PCI?

The term PCI stands for Payment Card Industry. When people say PCI they are actually referring to the Payment Card Industry Data Security Standard (PCI DSS). It was developed by the major credit card companies as a guideline to help organizations that store, process or transmit cardholder data protect that data, prevent credit card fraud and defend against various other security vulnerabilities and threats. A company processing, storing, or transmitting payment card data must be PCI DSS compliant or risk losing its ability to process credit card payments, being audited and/or being fined. The current version of the standard (1.2) specifies 12 requirements for compliance, organized into six related groups called "control objectives."

Who has to comply?

The Payment Card Industry Data Security Standard (PCI DSS) applies to any organization that processes credit or debit card information, including merchants and third-party service providers that store, process or transmit credit card/debit card data. Since the end of 2007, any organization that accepts payment card transactions must be in compliance with the standards.

However, according to the PCI DSS documentation, "PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed or transmitted. If a PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply."

Credit card companies and acquiring banks can levy stiff fines and remove a merchant's ability to process credit card transactions until the merchant is PCI compliant. Basic functions such as email and employee Internet access can make a company's network reachable from the Internet. These seemingly insignificant paths to and from the Internet can provide unprotected pathways into merchant and service provider systems and can expose cardholder data if not properly controlled.

This is worldwide, not just North America. VISA set these standards and is enforcing them as of June 1, 2009.

This means that if you only take PayPal you can completely ignore this HOWTO; otherwise you MUST become PCI compliant by the end of May 2009.

What is an Approved Scanning Vendor?

All PCI scans must be conducted by a third-party compliant network security scanning vendor, selected from the list of approved vendors at https://www.pcisecuritystandards.org/. All compliant scanning vendors are required to conduct scans in accordance with a defined set of procedures. These procedures dictate that the normal operation of the customer environment is not to be impacted and that the vendor must never penetrate or alter the customer environment.

Step 1

The first thing you want to do is buy an SSL cert, because a self-signed one will fail your PCI compliance scan every time! You can buy an SSL cert from me (BORGNET dot NET) or from any of a million other places.

The second thing you want to do is disable SSLv2 system-wide, because it is an insecure protocol.

Webmin/Usermin

Go to Webmin → Webmin Configuration → SSL Encryption

Edit the setting for "Allowed SSL ciphers" and add:

 HIGH:-SSLv2:-aNULL

apache/httpd 2.x

Add the following lines to your httpd.conf:

 SSLProtocol ALL -SSLv2
 SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL

dovecot 1.0+

Add this line to your dovecot.conf:

 ssl_cipher_list = HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3

Next, you need to tell dovecot to stop listening on the IMAPS and POP3S ports. Edit the protocols line of /etc/dovecot.conf:

 protocols = imap pop3

In fact, if you do not need Dovecot, do not run it at all.

postfix

main.cf:

 smtpd_tls_mandatory_protocols = SSLv3, TLSv1
 smtpd_tls_mandatory_ciphers = medium, high

proftpd

proftpd.conf:

 TlsCipherList HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
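To check that the edits above actually took, here is an added example (my own script, not part of the original HOWTO or of Apache, Dovecot, Postfix or ProFTPD) that reads the effective value of a directive out of a config file and reports whether SSLv2 is still allowed. The function names (directive_value, sslv2_excluded, apache_sslv2_enabled, cipher_list_sslv2_enabled, dovecot_ssl_ports_enabled) and the sample config files it writes to a temp directory are all constructed for the example; point the functions at your real httpd.conf, dovecot.conf or proftpd.conf (the cipher-list check works for TlsCipherList as well) to use it.

```shell
#!/bin/sh
# Added example, not part of the original HOWTO: audit the SSLv2 settings
# this HOWTO tells you to change (Apache SSLProtocol/SSLCipherSuite, the
# dovecot/proftpd OpenSSL cipher lists, and dovecot "protocols").
# The config files below are constructed samples written to a temp dir so
# the script runs offline; pass real paths to the check functions instead.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/httpd-good.conf" <<'EOF'
# hardened as the HOWTO describes
SSLProtocol ALL -SSLv2
SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL
EOF
cat > "$WORK/httpd-bad.conf" <<'EOF'
SSLProtocol all
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
EOF
cat > "$WORK/dovecot-good.conf" <<'EOF'
protocols = imap pop3
ssl_cipher_list = HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
EOF
cat > "$WORK/dovecot-bad.conf" <<'EOF'
protocols = imap imaps pop3 pop3s
ssl_cipher_list = ALL
EOF

# directive_value FILE NAME: last uncommented value of NAME in FILE.
# Accepts both "Name value" (Apache) and "name = value" (dovecot, postfix).
directive_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }
        {
            line = $0; sub(/^[ \t]+/, "", line)
            k = line; sub(/[ \t=].*$/, "", k)
            if (tolower(k) == key) {
                v = line; sub(/^[^ \t=]+[ \t]*=?[ \t]*/, "", v); last = v
            }
        }
        END { print last }' "$1"
}

# sslv2_excluded VALUE: true when an OpenSSL protocol or cipher string
# explicitly removes SSLv2 ("-SSLv2" in SSLProtocol, "!SSLv2" or "-SSLv2"
# in a cipher list, exactly the forms the HOWTO uses).
sslv2_excluded() {
    case " $1 " in
        *" -SSLv2 "*|*"!SSLv2"*|*":-SSLv2"*) return 0 ;;
    esac
    return 1
}

# apache_sslv2_enabled FILE: true if SSLProtocol still permits SSLv2.
# No directive means Apache 2.x's default ("all"); "all" or "+SSLv2"
# without "-SSLv2" also enables it.
apache_sslv2_enabled() {
    v=$(directive_value "$1" SSLProtocol)
    [ -z "$v" ] && return 0
    sslv2_excluded "$v" && return 1
    case "$v" in *[Aa][Ll][Ll]*|*SSLv2*) return 0 ;; esac
    return 1
}

# cipher_list_sslv2_enabled FILE NAME: true unless cipher string NAME
# carries "!SSLv2" / "-SSLv2". HIGH or MEDIUM alone still match SSLv2
# suites in old OpenSSL, which is why the HOWTO adds the exclusion.
cipher_list_sslv2_enabled() {
    v=$(directive_value "$1" "$2")
    [ -n "$v" ] && sslv2_excluded "$v" && return 1
    return 0
}

# dovecot_ssl_ports_enabled FILE: true if "protocols" still lists imaps or
# pop3s, i.e. dovecot keeps listening on 993/995.
dovecot_ssl_ports_enabled() {
    v=$(directive_value "$1" protocols)
    case " $v " in *" imaps "*|*" pop3s "*) return 0 ;; esac
    return 1
}

# Stand-alone run: report findings on the constructed samples.
for f in httpd-good httpd-bad; do
    if apache_sslv2_enabled "$WORK/$f.conf"; then echo "$f: SSLProtocol allows SSLv2"; fi
    if cipher_list_sslv2_enabled "$WORK/$f.conf" SSLCipherSuite; then echo "$f: SSLCipherSuite lacks !SSLv2"; fi
done
for f in dovecot-good dovecot-bad; do
    if dovecot_ssl_ports_enabled "$WORK/$f.conf"; then echo "$f: protocols still lists imaps/pop3s"; fi
    if cipher_list_sslv2_enabled "$WORK/$f.conf" ssl_cipher_list; then echo "$f: ssl_cipher_list lacks !SSLv2"; fi
done
```

The script treats any cipher list without an explicit !SSLv2 as a finding, which matches the HOWTO's advice rather than trying to expand OpenSSL cipher strings itself, and it knows that a missing SSLProtocol line means Apache's default of all protocols, so a file that simply omits the directive is reported too.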

Force HTTPS on all your logins

You can do this with a .htaccess file containing the following lines:

 RewriteEngine On
 # send any request that did not arrive over HTTPS to the same URL on https://
 RewriteCond %{HTTPS} off
 RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Place the .htaccess file in each directory where you want to enforce SSL.

Firewalls

Install a firewall like Shorewall to block access to all ports that you do not want the world to reach.

The only ports you should have open to the world are:

 22,25,53,80,443

 ssh → 22
 postfix → 25
 bind/dns → 53 (TCP/UDP)
 http/https → 80, 443

Optional ports are:

 993,995

These are for imaps and pop3s. If you have 110 and 143 open you WILL fail PCI!
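As an added example (mine, not from the original HOWTO), the following script compares what a box is actually listening on with the allow list above: 22, 25, 53, 80 and 443 are accepted, 993 and 995 are accepted as optional, 110 and 143 are called out by name, and anything else is reported. The listener table is a constructed sample in netstat -tln style (the 3306 and 10000 entries stand in for a loopback-only database and a Webmin listener); the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original HOWTO: compare the ports a host is
# listening on against the HOWTO's allow list (22,25,53,80,443 plus the
# optional 993,995) and flag the rest, with 110/143 named explicitly.
# SAMPLE_LISTENERS is a constructed netstat-style table so this runs offline.

ALLOWED="22 25 53 80 443"
OPTIONAL="993 995"

# Constructed sample: what a default mail/web box might show.
SAMPLE_LISTENERS='tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN'

# listening_ports: read listener lines on stdin, print the port of every
# socket bound to a non-loopback address, sorted and de-duplicated.
# Loopback-only services are not reachable from the Internet and so are
# out of scope for the firewall list. Works for netstat -tln and ss -tln
# output, both of which carry the local address in column 4.
listening_ports() {
    awk '$1 == "LISTEN" || $NF == "LISTEN" {
            n = split($4, a, ":"); port = a[n]
            addr = $4; sub(/:[0-9]+$/, "", addr)
            if (addr != "127.0.0.1" && addr != "::1" && addr != "[::1]") print port
        }' | sort -n -u
}

# in_list PORT LIST: true if PORT appears in the space-separated LIST.
in_list() {
    case " $2 " in *" $1 "*) return 0 ;; esac
    return 1
}

# classify_port PORT: print allowed, optional, plaintext-mail or unexpected.
classify_port() {
    if in_list "$1" "$ALLOWED"; then echo allowed
    elif in_list "$1" "$OPTIONAL"; then echo optional
    elif [ "$1" = 110 ] || [ "$1" = 143 ]; then echo plaintext-mail  # POP3/IMAP: fails the scan
    else echo unexpected
    fi
}

# audit_listeners: read listener lines on stdin, print one line per port
# that should be firewalled or shut down, and return that count (0 = clean).
audit_listeners() {
    bad=0
    for p in $(listening_ports); do
        c=$(classify_port "$p")
        case "$c" in
            allowed|optional) ;;
            *) echo "port $p: $c"; bad=$((bad + 1)) ;;
        esac
    done
    return "$bad"
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_LISTENERS" | audit_listeners || echo "$? listener(s) need firewalling or shutting down"
```

On a real host feed it live output instead, e.g. `netstat -tln | audit_listeners` or `ss -tln | audit_listeners`. The exit status is the number of findings, so it drops straight into a cron job or a pre-scan checklist.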

Last Step!

Restart dovecot, apache and proftpd.

ProFTPD is really insecure and I advise you not to use it; use SFTP instead. I have found that most PCI scanning vendors will fail you just for running it, regardless of whether SSLv2 is disabled.

Testing that SSLv2 is Disabled

 openssl s_client -connect HOSTNAME:PORT -ssl2

If you receive the certificate and a ton of other lines, you still have SSLv2 enabled. If instead you receive something like the following, you're fine:

 write:errno=54
 8965:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:
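The output of that test is easy to misread, so here is an added example (mine, not from the original HOWTO) that wraps the command in a loop over ports and turns the s_client output into a verdict. It also covers the case the HOWTO cannot anticipate: an openssl build compiled without SSLv2 support rejects the -ssl2 option outright, which proves nothing about the server. The three sample outputs are constructed, and the function names and the default port list (443, 993, 995) are my assumptions.

```shell
#!/bin/sh
# Added example, not part of the original HOWTO: wrap
# "openssl s_client -connect HOST:PORT -ssl2" so it can be run over several
# ports and its output turned into a verdict. The outputs below are
# constructed samples so the verdict logic runs offline.

SAMPLE_DISABLED='CONNECTED(00000003)
write:errno=54
8965:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:'

SAMPLE_ENABLED='CONNECTED(00000003)
-----BEGIN CERTIFICATE-----
MIIC(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
SSL-Session:
    Protocol  : SSLv2
    Cipher    : DES-CBC3-MD5'

SAMPLE_NO_SSLV2='s_client: Unknown option: -ssl2
usage: s_client [options]'

# sslv2_verdict: read s_client output on stdin and print one word.
#   ENABLED    - the server sent a certificate, so the SSLv2 handshake worked
#   DISABLED   - handshake failure / write error, as in the HOWTO's good case
#   CLOSED     - TCP connect failed, the port is not open at all
#   UNTESTABLE - this openssl has no SSLv2 support (or output not recognised)
sslv2_verdict() {
    out=$(cat)
    case "$out" in
        *"nknown option"*)      echo UNTESTABLE ;;
        *"BEGIN CERTIFICATE"*)  echo ENABLED ;;
        *"connect:errno"*)      echo CLOSED ;;
        *"handshake failure"*|*"errno="*) echo DISABLED ;;
        *)                      echo UNTESTABLE ;;
    esac
}

# probe_sslv2 HOST PORT: run the HOWTO's command and print "PORT VERDICT".
probe_sslv2() {
    v=$(openssl s_client -connect "$1:$2" -ssl2 </dev/null 2>&1 | sslv2_verdict)
    echo "$2 $v"
}

# probe_host HOST [PORT...]: default to the TLS ports this HOWTO leaves open
# (443 for https, 993/995 for imaps/pop3s); pass others explicitly.
probe_host() {
    host=$1; shift
    [ $# -eq 0 ] && set -- 443 993 995
    for p in "$@"; do probe_sslv2 "$host" "$p"; done
}

# Stand-alone demonstration on the constructed outputs (no network needed).
# For a real check run, for example: probe_host mail.example.com 993 995
for s in "$SAMPLE_DISABLED" "$SAMPLE_ENABLED" "$SAMPLE_NO_SSLV2"; do
    printf '%s\n' "$s" | sslv2_verdict
done
```

Anything other than DISABLED on a port the scanner can reach needs a closer look: ENABLED means the configuration change did not take effect (or the service was not restarted), and UNTESTABLE means you need an openssl that still speaks SSLv2 before you can trust the result.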