On Fri, Sep 2, 2011 at 10:19 PM, Noel Jones <njo...@megan.vbhcs.org> wrote:
> On 9/2/2011 2:17 PM, Michael B Allen wrote:
>> My objectives are not driven by or based on logic. They are based on
>> the requirements of a consortium of credit card companies and banks.
>
> Do they require you to offer STARTTLS on port 25?
My understanding is that PCI compliance requires only that the machine processing cardholder data pass a vulnerability scan with no CVE vulnerabilities of level 4 or higher. So the presence of SSLv2 in general is considered a vulnerability. PCI says nothing about what can be running on a machine or what ports it uses.

You can dispute something with a scan by supplying an explanation as to why you believe the particular CVE is not applicable, but I have since stopped working on the vulnerability scan because I have learned that this particular vulnerability scanning vendor clears all disputes every 90 days, meaning I would have to re-enter them every 90 days, and the UI for doing that is a Flash application, so I cannot just re-submit something like a spreadsheet. Because I am using CentOS, which backports many security updates, this would be an enormous amount of work.

My extra sensory perception tells me that the whole process is actually designed to make it excessively difficult to become PCI compliant. If you are not PCI compliant, you can still process cardholder data (as I have been for several years), but you have greater liability if that data is stolen, thus leaving the credit card companies and banks with less liability.

Mike