PCI Compliance Checklist – How to resolve Vulnerabilities.

pci-compliance

PCI Compliance Checklist – How to resolve Vulnerabilities.




What is actually PCI Complaince and why it is required?

The PCI (Payment Card Industry) is a data security standard that must be followed by all the financial institutions, credit card companies, Payment gateway and merchants those are processing the online card payments. The server, computer or any other IP equipment’s processing these data by MasterCard, American Express, Discover, Visa, and JCB International must compliance with these Data Security Standards.  PCI scan is very essentials and should meet these Data Security Standards to help you protect from any types of frauds, security vulnerabilities and identifying thefts. The PCI scan is conducted by Approved Scanning Vendor (ASV) like McAfee, Hacker guardian, Trust guard etc.  Importantly, the PCI scan must be conducted quarterly (at least every 90 days) to stay up to date with the latest security vulnerabilities as well as security holes in order to protect your company from any expensive costly breaches. Reassuring the visitors that the website is safe and secure to accept card payments.

We will try to understand the basics of PCI scan given below.

Some of the server side parameters (specific software packages) that you should consider for PCI those are known to contain vulnerabilities.

Check openSSH and openSSL version

Check RPM change logs to find the vulnerabilities in the current version and patch to fix it.

FTP port

It is strongly recommended to disable FTP ports and instead use SFTP, SCP to transfer files and data.

Exim

Use SSL or STARTLS in the configuration before client is allowed to authenticate with the server. Also, check the change logs and patch the software to fix any vulnerability.

TLS version

PCI compliance requires your server to run on TLS 1.2 or higher.

BIND

To fit in the PCI compliance, you must hide bind version on your server.

Lets look in some more detail about how we can resolve the vulnerabilities reported by the scan report. I will recommended to get PCI scan conducted with Approved Scanning Vendor.

https://www.pcisecuritystandards.org/assessors_and_solutions/approved_scanning_vendors

You can scroll down a bit and see ( Find an Approved Scanning Vendor Company )

1.Sign in with ASV.

Sign up with either of the ASV companies which you think is good and who will conduct external and internal scanning based on PCI DSS.

2.Initiate a PCI scan.

The scan will take a couple of hours to scan the targeted domain. Upon completion, it will result in the complete summary report of the vulnerabilities, Disclosures and the open ports. Each and every identified vulnerability will be listed one below the another along with an explanation on the action to be taken along with the server-side patches those needs to be applied to fix the issue.

For example, the scan report is from McAfee.

Severity Scan Date Vulnerabilities Disclosures Open Ports
2018-08-14 20:51 14 27 15

Following are the actual vulnerabilities reported which needs to be resolved one by one directly from the server.

pci-scan-1st

Vulnerabilities #1

1st-imageHow to Fix:  It has been noticed that the website was on PHP 5.5 which is now deprecated and EOL.  Try changing the website version to PHP 5.6 or higher.


Vulnerabilities #2

2nd-image

How To Fix:  For Apache/apache_ssl include the following line in the configuration file:

SSLRequireCipher ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM


Vulnerabilities #3

3rd-image

How To Fix:  Enabled “session.use_only_cookies”, this allows PHP session IDs to be set only via HTTP cookies.


Vulnerabilities #4

4th-image

How To Fix:  False alert reported. Oracle software not installed on our server.


Vulnerabilities #5

5th-image

How To Fix: Update SSLProtocol -ALL +SSLv3 +TLSv1 in the Apache configuration.


Vulnerabilities #6

6th-image

How To Fix: Limit number of emails per hour on the server.


Vulnerabilities #7

7th-image

How To Fix: Disable  DES, 3DES, IDEA or RC2 ciphers , the Ciphers updated above in the Apache configuration should take care of this too.


Vulnerabilities #8

8th-image

How To Fix:  Apply the “secure” attribute to session cookies to ensure that they are sent via HTTPS only.

Update the following code in .htaccess file.

Header always edit Set-Cookie (.*) “$1; HTTPOnly”
Header always edit Set-Cookie (.*) “$1; Secure”


Vulnerabilities #9

9th-image

How To Fix:  Update following codes in .htaccess file as per the vulnerabilities shown.

  • Code for Apache

# X-Frame-Options
Header always append X-Frame-Options SAMEORIGIN

  • Code for Nginx

# X-Frame-Options
add_header X-Frame-Options SAMEORIGIN;

  • Code for HAproxy

# X-Frame-Options
rspadd X-Frame-Options:\ SAMEORIGIN

  • Code for IIS Web Server.

# X-Frame-Options in web.config file:
<HTTPPROTOCOL><CUSTOMHEADERS><ADD NAME=”X-Frame-Options” VALUE=”SAMEORIGIN”></ADD></CUSTOMHEADERS></HTTPPROTOCOL>

  • Code for Apache

#X-XSS-Protection
Header always set X-XSS-Protection “1; mode=block”

  • Code for Apache

#X-Content-Type-Options
Header always set X-Content-Type-Options: nosniff


Vulnerabilities #10

v10-image

How To Fix: Open MySQL port for only specific remote IP’s you want to provide access to or disable 3306 port completely on the server. Contact us if you would like us to do it.


Vulnerabilities #11

v11-image

How To Fix:  You will need to contact the vendor/ developer of the website to have the Auto complete attribute disabled for the password field in all forms.


Vulnerabilities #12

12th-post

How To Fix:  Purchase a Valid SSL certificate and install it on your domain.


Vulnerabilities #13

13-image

How To Fix:  Disable FTP port and use SFTP instead. Again contact us if you would like us to do it.


Vulnerabilities #14

14th-image

How To Fix:  Update php.ini file and update the parameter expose_php = Off.


3. Finally Addressing the failed scan.

The server administrator must go through each and every vulnerability that has been listed in the scan report and address them individually. You must consider fixing the reported vulnerabilities on the server side.

Re-scan the domain once you have applied the fix and patches. The second report will provide you a complete summary about the vulnerabilities, this will assure you that if you have missed any vulnerability as well the fixes that you have applied for prior reported vulnerabilities are correct or not.

image

Once the administrator has taken care of the reported vulnerabilities. They can re-run a scan as a final testing. The report should look the below screenshot showing no vulnerabilities found. Looks good !! Isn’t it ?  This means your work is done and you can now send this report for an approval.

Severity Scan Date Vulnerabilities Disclosures Open Ports
2018-08-17 13:13 0 11 5
image3

Screenshot: No vulnerability found final PCI summary report.

4. Send an approval request.

Check the final report and reassure with ASV and wait for their approval. You can let them know about any false positive alert as well, while reporting. If all goes through perfectly then the PCI compliance status must say Approved.

image2

If you would like to hire our expert security services for resolving the issues related with PCI Compliance Vulnerabilities, You can simply sign-up our PCI-Compliance Plan and submit a ticket. Our experts will assist you to get through this tedious task.

Share this post


24x7servermanagement