Difference between revisions of "PCI Compliance"

From Hostek.com Wiki
Jump to: navigation, search
(SSL/TLS Protocol Initialization Vector Implementation Information Disclosure)
(SSL/TLS Protocol Initialization Vector Implementation Information Disclosure)
Line 18: Line 18:
 
* Start -> Run -> gpedit.msc
 
* Start -> Run -> gpedit.msc
 
* Computer Configuration -> Administrative Template -> Network -> SSL Configuration Settings
 
* Computer Configuration -> Administrative Template -> Network -> SSL Configuration Settings
* Right click on '''SSL Cipher Suite Order''' and choose '''Edit''' (Windows 2008 or '''Properties''' (Windows 2003)
+
* Right click on '''SSL Cipher Suite Order''' and choose '''Edit''' (Windows 2008) or '''Properties''' (Windows 2003)
 
* Select '''Enabled''' and replace the text in the textbox under '''SSL Cipher Suites''' with the following (All on a single line - no line breaks):
 
* Select '''Enabled''' and replace the text in the textbox under '''SSL Cipher Suites''' with the following (All on a single line - no line breaks):
 
  TLS_RSA_WITH_RC4_128_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_RSA_WITH_RC4_128_MD5,SSL_CK_RC4_128_WITH_MD5,TLS_RSA_WITH_NULL_SHA256,TLS_RSA_WITH_NULL_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_CK_DES_192_EDE3_CBC_WITH_MD5
 
  TLS_RSA_WITH_RC4_128_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_RSA_WITH_RC4_128_MD5,SSL_CK_RC4_128_WITH_MD5,TLS_RSA_WITH_NULL_SHA256,TLS_RSA_WITH_NULL_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_CK_DES_192_EDE3_CBC_WITH_MD5

Revision as of 17:08, 7 September 2012


hostek.com

PCI compliance requires quarterly scans from a PCI compliance vendor. Hostek.com goes above and beyond this requirement by having regular scans from two different PCI compliance vendors. One vendor's scans are done quarterly. The other's scans are done nightly. This ensures that all potential PCI compliance issues are accurately identified and dealt with promptly.


Datacenter

The data center where the hostek.com equipment is housed maintains SSAE 16 Certification (audit report). This replaced the SAS 70 Type 2 Certification.

Common PCI Compliance Resolutions

SSL/TLS Protocol Initialization Vector Implementation Information Disclosure

NOTE: If you are on a shared server or a managed VPS, please submit a support ticket [1] and attach/include your PCI scan report. The information below is for our non managed VPS customers.

  • Start -> Run -> gpedit.msc
  • Computer Configuration -> Administrative Template -> Network -> SSL Configuration Settings
  • Right click on SSL Cipher Suite Order and choose Edit (Windows 2008) or Properties (Windows 2003)
  • Select Enabled and replace the text in the textbox under SSL Cipher Suites with the following (All on a single line - no line breaks):
TLS_RSA_WITH_RC4_128_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_RSA_WITH_RC4_128_MD5,SSL_CK_RC4_128_WITH_MD5,TLS_RSA_WITH_NULL_SHA256,TLS_RSA_WITH_NULL_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_CK_DES_192_EDE3_CBC_WITH_MD5
  • Click OK NOTE: A reboot is required before the change actually goes into effect.
  • Submit a false positive report to the PCI Scanner letting them know the following:
We have changed the SSL Cipher Suite order on the host machine to favor SSL cipher suites that use a non-CBC cipher.

Disable SSLv2 & Strong Cyphers Only & Strong Protocols Only

If you are on a shared server, please open a support ticket and attach the PCI scan report.

For VPS's: This generally applies to a Windows based server. If you see one of these items on your PCI scan report, download this zip [2] and extract the appropriate .reg file and put that on your VPS and double click it to make the appropriate registry change to fix the issue. Generally if one of these show on your report, we suggest running all three .reg files to fully take care of the issue at one time.

NOTE: You will need to reboot the server for these changes to take affect.