Locking vendor accounts after their job is over, locking inactive admin accounts at 90 days
Old and unused accounts with admin access are a common entry point for attacks. They often have weaker passwords than current accounts, and because those passwords are never rotated, the accounts are easier to brute-force over a long period.
Two policies together address this problem:
- If a vendor will be doing work for a known amount of time, set their account to expire (be made inactive) on the date their work is likely to be done. This is required by PCI DSS 3.1 section 8.1.4.
SecurityMetrics/PCI Compliance
Does anyone have experience with PCI compliance for Drupal sites? I manage a Dreamhost Drupal site for a client that demands PCI compliance and I've hit a snag I need help with.
We've been passing SecurityMetrics scans consistently for several months. Suddenly, the scan is failing with dozens of issues that begin like, "Title: command injection in form_id parameter ..."
Can anyone help me figure out what this means? Is this something I can fix?
Many thanks!
Achieving PCI Compliance (SecurityMetrics.com)
Does anyone in the group have any experience achieving PCI compliance with, e.g., SecurityMetrics.com? In my case, I could save the client a ton of money by solving this.
The SecurityMetrics.com test is complaining about the Apache ETag. Can we somehow use .htaccess to change the ETag values?
Is there a best practice for this kind of thing?
PCI-DSS changes
Does anybody know what's going on at Visa? There are some discussions in the Ubercart world, but it is all speculation right now.
PCI DSS compliance for ecommerce
As a follow-up to a question at the May 26 meeting, I looked into what it takes to become PCI DSS compliant.
I thought I'd share what I learned. (PCI DSS = Payment Card Industry Data Security Standard)
Summary:
I don't think Ubercart needs to be PCI DSS compliant. However, if you use a partner like Authorize.NET to process the card, you can be considered PCI DSS compliant if you perform and attest to a self assessment.
More info below: