PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment. If your business handles credit card transactions, it’s crucial to be compliant with PCI standards to protect cardholder data against breaches and fraud.
Steps to achieve PCI compliance
The process of becoming PCI compliant involves a self-assessment questionnaire and a security assessment by a third-party. Here, we focus on server-related changes to pass the security assessment.
Disabling insecure protocols and ciphers
Older protocols and ciphers like are considered insecure and must be disabled across all services, including Webmin, Apache, Nginx, Postfix, Dovecot and ProFTPD.
Webmin configuration
- Go to Webmin Configuration ⇾ SSL Encryption page.
- Choose all SSL protocol versions to reject, which will leave only TLSv1.3 enabled.
- Select Only strong PCI-compliant ciphers option.
- Save the changes.
Apache configuration
- Edit the Apache configuration file:
- On EL systems
/etc/httpd/conf.d/ssl.conf
file. - On Debian and derivatives
/etc/apache2/mods-enabled/ssl.conf
file.
- On EL systems
- Set the following directives:
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2 SSLHonorCipherOrder off SSLSessionTickets off
- Restart Apache running:
- On EL systems
systemctl reload httpd
command. - On Debian and derivatives
systemctl reload apache2
command.
- On EL systems
Nginx configuration
- Edit
/etc/nginx/nginx.conf
or the specific server block file under/etc/nginx/conf.d/
directory. - Add or modify the following lines:
ssl_protocols TLSv1.3; ssl_prefer_server_ciphers off;
- Restart Nginx by running
systemctl restart nginx
command.
Postfix configuration
- Edit
/etc/postfix/main.cf
file. - Add or modify the following lines:
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.2 smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.2 tls_preempt_cipherlist = no
- Restart Postfix by running
systemctl restart postfix
command.
Dovecot configuration
- Edit
/etc/dovecot/dovecot.conf
file. - Add or modify the following lines:
ssl_min_protocol = TLSv1.3 ssl_prefer_server_ciphers = no
- Restart Dovecot by running
systemctl restart dovecot
command.
As of November 2024, Microsoft Outlook does not support TLS 1.3. To maintain compatibility with Outlook clients, keep TLS 1.2 enabled alongside TLS 1.3 in your Postfix and Dovecot configurations.
ProFTPD configuration
- Edit the ProFTPD configuration file:
- On EL systems
/etc/proftpd/mod_tls.conf
file. - On Debian and derivatives
/etc/proftpd/tls.conf
file.
- On EL systems
- Set the following directives:
TLSProtocol TLSv1.3 TLSServerCipherPreference off TLSSessionTickets off
- Restart ProFTPD by running
systemctl restart proftpd
command.
Hardening services
Apache hardening
To prevent Apache from revealing sensitive information:
- Edit the Apache configuration file as mentioned above.
- Include the following directives:
ServerTokens Prod ServerSignature Off TraceEnable Off
- Restart Apache as mentioned above.
Secure SSH
Disable SSH protocol 1, which is insecure:
Edit
/etc/ssh/sshd_config
.Find or add the line:
Protocol 2
Note: On all modern systems, Protocol 2 should be the default enabled protocol for SSH already. This is a standard security measure, as Protocol 2 is significantly more secure than the older Protocol 1. Therefore, it’s uncommon to encounter Protocol 1 in use on modern installations.
Restart SSH by using
systemctl restart sshd
command.
Additional Considerations
- Ensure that your system is up-to-date with the latest security patches.
- Review all services running on your server to disable unnecessary ones and to secure the necessary ones.
- Regularly audit your system’s security and monitor logs for any suspicious activity.
Becoming PCI compliant is not a one-time event but an ongoing process that requires continuous attention and updates to your security measures.
Remember that these steps might vary slightly based on the specific versions of software you’re running, and you might need additional measures to fully comply with PCI DSS requirements. Always consult with a PCI compliance expert to ensure that all aspects of your environment meet the standards.