PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment. If your business handles credit card transactions, it’s crucial to be compliant with PCI standards to protect cardholder data against breaches and fraud. Steps to achieve PCI compliance The process of becoming PCI compliant involves a self-assessment questionnaire and a security assessment by a third-party. Here, we focus on server-related changes to pass the security assessment.
PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment. If your business handles credit card transactions, it’s crucial to be compliant with PCI standards to protect cardholder data against breaches and fraud.
Steps to achieve PCI compliance#
The process of becoming PCI compliant involves a self-assessment questionnaire and a security assessment by a third-party. Here, we focus on server-related changes to pass the security assessment.
Disabling insecure protocols and ciphers#
Older protocols and ciphers like are considered insecure and must be disabled across all services, including Webmin, Apache, Nginx, Postfix, Dovecot and ProFTPD.
Webmin configuration#
- Go to Webmin Configuration ⇾ SSL Encryption page.
- Choose all SSL protocol versions to reject, which will leave only TLSv1.3 enabled.
- Select Only strong PCI-compliant ciphers option.
- Save the changes.
Apache configuration#
- Edit the Apache configuration file:
- On EL systems
/etc/httpd/conf.d/ssl.conffile. - On Debian and derivatives
/etc/apache2/mods-enabled/ssl.conffile.
- On EL systems
- Set the following directives:
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2 SSLHonorCipherOrder off SSLSessionTickets off - Restart Apache running:
- On EL systems
systemctl reload httpdcommand. - On Debian and derivatives
systemctl reload apache2command.
- On EL systems
Nginx configuration#
- Edit
/etc/nginx/nginx.confor the specific server block file under/etc/nginx/conf.d/directory. - Add or modify the following lines:
ssl_protocols TLSv1.3; ssl_prefer_server_ciphers off; - Restart Nginx by running
systemctl restart nginxcommand.
Postfix configuration#
- Edit
/etc/postfix/main.cffile. - Add or modify the following lines:
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.2 smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.2 tls_preempt_cipherlist = no - Restart Postfix by running
systemctl restart postfixcommand.
Dovecot configuration#
- Edit
/etc/dovecot/dovecot.conffile. - Add or modify the following lines:
ssl_min_protocol = TLSv1.3 ssl_prefer_server_ciphers = no - Restart Dovecot by running
systemctl restart dovecotcommand.
As of November 2024, Microsoft Outlook does not support TLS 1.3. To maintain compatibility with Outlook clients, keep TLS 1.2 enabled alongside TLS 1.3 in your Postfix and Dovecot configurations.
ProFTPD configuration#
- Edit the ProFTPD configuration file:
- On EL systems
/etc/proftpd/mod_tls.conffile. - On Debian and derivatives
/etc/proftpd/tls.conffile.
- On EL systems
- Set the following directives:
TLSProtocol TLSv1.3 TLSServerCipherPreference off TLSSessionTickets off - Restart ProFTPD by running
systemctl restart proftpdcommand.
Hardening services#
Apache hardening#
To prevent Apache from revealing sensitive information:
- Edit the Apache configuration file as mentioned above.
- Include the following directives:
ServerTokens Prod ServerSignature Off TraceEnable Off - Restart Apache as mentioned above.
Secure SSH#
Disable SSH protocol 1, which is insecure:
Edit
/etc/ssh/sshd_config.Find or add the line:
Protocol 2Note: On all modern systems, Protocol 2 should be the default enabled protocol for SSH already. This is a standard security measure, as Protocol 2 is significantly more secure than the older Protocol 1. Therefore, it’s uncommon to encounter Protocol 1 in use on modern installations.
Restart SSH by using
systemctl restart sshdcommand.
Additional Considerations#
- Ensure that your system is up-to-date with the latest security patches.
- Review all services running on your server to disable unnecessary ones and to secure the necessary ones.
- Regularly audit your system’s security and monitor logs for any suspicious activity.
Becoming PCI compliant is not a one-time event but an ongoing process that requires continuous attention and updates to your security measures.
Remember that these steps might vary slightly based on the specific versions of software you’re running, and you might need additional measures to fully comply with PCI DSS requirements. Always consult with a PCI compliance expert to ensure that all aspects of your environment meet the standards.
Source: https://www.virtualmin.com/docs/security/pci-compliance/
