pci-compliance

As per PCI, we need to stop using SSL and TLS(1.0 and 1.1 in certain implementation) from June 30th 2016 as per http://blog.securitymetrics.com/2015/04/pci-3-1-ssl-and-tls.html We have an client application build on .Net 3.5 which uses HttpWebRequest object to connect to web services. As per MSDN SecurityProtocolType( https://msdn.microsoft.com/en-us/library/system.net.securityprotocoltype(v=vs.110).aspx ) supports only Ssl3 and Tls(1.0) on .Net Framework 4 or below. Tls11 and Tls12 are only supported in .Net Framework 4.5/4.6 Does that mean to be inside Cardholder data environment and fully

I'm trying to get a Fedora 14 server running Apache 2.2.17 to pass a PCI-DSS compliance scan by McAfee ScanAlert. My first attempt using the default SSLCipherSuite and SSLProtocol directives set in ssl.conf... SSLProtocol ALL -SSLv2 SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP failed citing that weak ciphers were enabled. Scans with ssllabs and serversniff tools revealed that 40 and 56 bit keys were indeed available. I then changed to... SSLProtocol -ALL +SSLv3 +TLSv1 and tried all of the following strings reported on various sites to pass PCI scans from assorted vendors...

We've been failing our PCI scans because ColdFusion has predictable CFIDs. The exact FAIL we get is "Predictable Cookie Session IDs". Now the CFTOKEN is no longer predictable since I've configured CF to use UUID for CFTOKEN, however, the CFID is still predictable and unaffected by any changes in CF Admin. I don't really know why the CFID being predictable is a threat, but they want us to fix it. I have been unable to find anything on the matter by googeling, and I'm really not sure what else to do. Has anyone else dealt with something like this? Any suggestions? EDIT:Here is what my

In trying to disable TLS 1.0, there are KitKat devices needing access to my API. I have tried overriding the default socket factory without success. I have tried converting to okhttp. Still not working. How do I get Android KitKat to connect to my API? I had the same issue on pre-lollipop devices. As I'm using Retrofit, here is the solution for OkHttp . Tls12SocketFactory.java : public class Tls12SocketFactory extends SSLSocketFactory { private static final String[] TLS_V12_ONLY = {"TLSv1.2"}; final SSLSocketFactory delegate; public Tls12SocketFactory(SSLSocketFactory base) { this.delegate =

What are the PCI rules to follow for storing credit card numbers in a database? 1) is this allowed? 2) if so, what rules do we have to follow? Im looking at this site https://www.pcisecuritystandards.org/security_standards/index.php which document should I be reading here? John Conde 1) Yes, it is allowed but very, very discouraged. Having this information in your database makes you an extremely attractive target for hackers. And if you think you can protect it, think again. Hackers have defeated the security of companies with excellent security. Your security won't be any better. 2) You have