On 04/10/2019 20:22, Chris Cappuccio wrote:
> Kihaguru Gathura [pqscr...@gmail.com] wrote:
>> Hi,
>>
>> The message below refers. Has httpd met the particular requirement
>> 6.5.1 - 6.5.10 as shown? Or is it a matter of further configuration?
>>
>> "Requirement 6.5
>> Fingerprinted versions of web software used on the website may contain
>> publicly known vulnerabilities (cf. PCI DSS 6.5.1-6.5.10). Investigate
>> as soon as possible.
>> Misconfiguration or weakness"
>>
>
> I have no idea what 6.5.1 - 6.5.10 of PCI DSS means because I don't even know
> where to find what it says.

I am not a QSA, and I'm certainly not your QSA. That said:
PCI-DSS 3.2.1 Requirement 6 is headed "Develop and maintain secure systems and applications". That's the right ballpark, but 6.5 is about coding vulnerabilities in the software development process. A web server isn't your software development process and can't meet those requirements for you. Whoever wrote this scanner likely means that the applications/sites you are running *on* that server should be developed in accordance with those requirements.

The requirements that more directly impact the web server process include: 6.1 (vulnerability management), 6.2 (patch management), and any other specific system configuration requirements. Nothing in those requirements will exclude httpd from being used.

An up-to-date httpd with a simple configuration and the right TLS ciphers should work in a PCI cardholder data environment just fine. The issue is going to be everything else that you're doing.