pci

Posted by greggles

Locking vendor accounts after their job is over, locking inactive admin accounts at 90 days

Old and unused accounts with admin access are a common entry point for attacks. They often have weaker passwords than a current account, and the passwords are not being rotated, making the accounts easier to brute-force over a long period.

There are two policies that create a solution to this problem:

  1. If a vendor will be doing work for a known amount of time, set their account to expire (be made inactive) on the date their work is likely to be done. This is required by PCI DSS 3.1 section 8.1.4.
Posted by michaels23

SecurityMetrics/PCI Compliance

Does anyone have experience with PCI compliance for Drupal sites? I manage a Dreamhost Drupal site for a client that demands PCI compliance and I've hit a snag I need help with.

We've been passing SecurityMetrics scans consistently for several months. Suddenly, the scan is failing with dozens of issues that begin like, "Title: command injection in form_id parameter ..."

Can anyone help me figure out what this means? Is this something I can fix?

Many thanks!

Posted by michaels23

Achieving PCI Compliance (SecurityMetrics.com)

Does anyone in the group have any experience achieving PCI Compliance with, e.g., SecurityMetrics.com? In my case, I could save a client a ton of money by solving this.

The SecurityMetrics.com test is complaining about the Apache ETag. Can we somehow use .htaccess to change the ETag values?

Is there a best practice for this kind of thing?

Posted by dkeays

PCI-DSS changes

Does anybody know what's going on at Visa? There are some discussions in the Ubercart world, but it is all speculation right now.

Posted by stevestaso

PCI DSS compliance for ecommerce

As a follow-up to a question at the May 26 meeting, I looked into what it takes to become PCI DSS compliant.
I thought I'd share what I learned. (PCI DSS = Payment Card Industry Data Security Standard)

Summary:
I don't think Ubercart needs to be PCI DSS compliant. However, if you use a partner like Authorize.NET to process the card, you can be considered PCI DSS compliant if you perform and attest to a self assessment.

More info below:
