How to pass PCI compliance scan?

Created:

2016-12-12 03:38:52 UTC

Modified:

2017-08-08 13:16:32 UTC



Applicable to:

  • Plesk 12.5 for Linux
  • Plesk Onyx for Linux

Question

A PCI compliance scan of the server reports several failures. How can the scan be passed?

Answer

Below is a list of failures that commonly appear in the scan report, with the fix for each:

PHP Unsupported Version Detection

An outdated PHP version is in use. The scanner flags PHP branches that no longer receive security updates; at the time of writing, PHP 5.5.x or higher is recommended to pass. To switch a subscription to a newer version, open Subscriptions > example.com > PHP Settings and select the version. Check the hosted applications against the new version first: code that relies on functions removed in later PHP releases will stop working after the switch.

WordPress Unsupported Version Detection

Upgrade the WordPress installation to the latest version under Subscriptions > example.com > WordPress > Update .

SMTP Service Cleartext Login Permitted

The SMTP server accepts AUTH (PLAIN/LOGIN) on an unencrypted connection, so mailbox credentials can be sent in the clear. To resolve this finding together with the TLS-related findings (weak ciphers, old protocol versions, small DH parameters) for all Plesk services at once, use the Plesk pci_compliance_resolver utility:

# plesk sbin pci_compliance_resolver --enable

Running the utility with the --enable option applies the following security changes to Plesk services (web server, mail, FTP and the Plesk panel itself):

  1. Sets the list of allowed ciphers.
  2. Enables only the TLSv1.1 and TLSv1.2 protocols (SSLv3 and TLSv1.0 are disabled, which PCI DSS requires for early TLS).
  3. Sets the DH parameter size to 2048 bits.
  4. Disables SSL/TLS compression.
  5. Sets disable_plaintext_auth = yes for Dovecot.
  6. Disallows plaintext authentication on non-encrypted connections to Courier Mail Server.

Note that disabling TLSv1.0 and plaintext mail authentication will cut off old mail clients that cannot use STARTTLS or TLS 1.1+. If you need to set specific parameters for an individual service, use the sslmng utility instead.

To read more about both utilities, see the Advanced Administration Guide for Linux.
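After running pci_compliance_resolver, confirm that the mail services no longer advertise plaintext authentication before re-running the paid scan. The script below is an added example and is not part of the Plesk article or the Plesk utilities: it parses the server's pre-STARTTLS SMTP EHLO reply and IMAP CAPABILITY reply, which is what the scanner inspects for the "SMTP Service Cleartext Login Permitted" finding. The captured responses embedded in it are constructed samples, not real captures; the host name mail.example.com and the nc-based live checks are assumptions about your environment.

```shell
#!/bin/sh
# Added example (not Plesk's code). Each parser reads a captured server
# response from stdin and returns 0 when the finding is PRESENT (plaintext
# auth still offered) and 1 when the service is clean.

# SMTP: in the EHLO reply received BEFORE STARTTLS, a "250-AUTH"/"250 AUTH"
# line offering PLAIN or LOGIN means credentials can be sent unencrypted.
smtp_plaintext_auth_offered() {
    grep -Ei '^250[ -]AUTH.*(PLAIN|LOGIN)' >/dev/null
}

# IMAP: Dovecot with disable_plaintext_auth=yes (and Courier with TLS
# required) advertise LOGINDISABLED before STARTTLS. If that token is
# missing, a plain LOGIN would be accepted on the unencrypted port.
imap_plaintext_login_allowed() {
    ! grep -i 'LOGINDISABLED' >/dev/null
}

# Report helper: FAIL when the finding is present, PASS otherwise.
# usage: printf '%s\n' "$response" | verdict <parser-function>
verdict() {
    if "$1"; then echo FAIL; else echo PASS; fi
}

# Live checks (assumed environment, not exercised by the samples below):
# open a plain TCP connection and feed the banner to the parsers.
smtp_live_check() {   # usage: smtp_live_check mail.example.com 25
    printf 'EHLO pci-check\r\nQUIT\r\n' | nc -w 5 "$1" "$2" | verdict smtp_plaintext_auth_offered
}
imap_live_check() {   # usage: imap_live_check mail.example.com 143
    printf 'a1 CAPABILITY\r\na2 LOGOUT\r\n' | nc -w 5 "$1" "$2" | verdict imap_plaintext_login_allowed
}

# Constructed sample responses (not real captures) showing the state
# before and after pci_compliance_resolver --enable.
SMTP_BEFORE='220 mail.example.com ESMTP
250-mail.example.com
250-STARTTLS
250-AUTH PLAIN LOGIN
250 8BITMIME'
SMTP_AFTER='220 mail.example.com ESMTP
250-mail.example.com
250-STARTTLS
250 8BITMIME'
IMAP_BEFORE='* OK IMAP4rev1 ready
* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN AUTH=LOGIN
a1 OK Capability completed'
IMAP_AFTER='* OK IMAP4rev1 ready
* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED
a1 OK Capability completed'

# Run the parsers over the samples when executed stand-alone.
printf 'SMTP before hardening: %s\n' "$(printf '%s\n' "$SMTP_BEFORE" | verdict smtp_plaintext_auth_offered)"
printf 'SMTP after hardening:  %s\n' "$(printf '%s\n' "$SMTP_AFTER"  | verdict smtp_plaintext_auth_offered)"
printf 'IMAP before hardening: %s\n' "$(printf '%s\n' "$IMAP_BEFORE" | verdict imap_plaintext_login_allowed)"
printf 'IMAP after hardening:  %s\n' "$(printf '%s\n' "$IMAP_AFTER"  | verdict imap_plaintext_login_allowed)"
```

Run the live checks against ports 25 and 587 for SMTP and 143 for IMAP (and 110 for POP3 with the equivalent CAPA command) from a host outside the server, since the scanner also connects from outside and a local firewall exception could hide an exposed service.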

SSL Medium Strength Cipher Suites Supported

Medium-strength cipher suites are enabled on one of the TLS-enabled daemons. To pass, restrict that daemon to strong cipher suites: pci_compliance_resolver --enable does this for all Plesk services, and sslmng sets the cipher list for an individual service. The report names the port on which the weak suites were found, which identifies the daemon to check.

FTP Supports Cleartext Authentication

According to PCI DSS, if FTP connections to the server are allowed, all FTP connections except secure FTPS ones must be prohibited. In Plesk, enable Tools & Settings > Security Policy > Allow only secure FTPS connections. Clients that still connect with plain FTP will then be refused and must be switched to explicit FTPS (FTP over TLS).

PHP expose_php Information Disclosure

The error means that PHP is configured to disclose potentially sensitive information to an attacker: with expose_php enabled, PHP adds an X-Powered-By header carrying its exact version to every response and answers special query strings. The fix is to set expose_php = Off in the PHP configuration file php.ini (for a single subscription, the directive can also be placed in Subscriptions > example.com > PHP Settings under the additional configuration directives). Restart the web server daemon, or the PHP-FPM service if that handler is used, to put this change into effect.

Web Application Potentially Vulnerable to Clickjacking

To protect the Plesk interface from clickjacking, add the following lines to /usr/local/psa/admin/conf/panel.ini, so that the panel can only be framed from its own origin:

[security]

sameOriginOnly = true

Notes:

  • This option has been implemented in Plesk Onyx only and has not been tested in Plesk 12.5. In case of any issues, upgrade to Plesk Onyx.
  • The panel.ini option covers the Plesk panel only. If the scanner reports a hosted website, that site must send its own X-Frame-Options header (or a Content-Security-Policy frame-ancestors directive) from the web server or application configuration.
  • See the Clickjacking Defense Cheat Sheet for additional information regarding clickjacking.
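The two web findings above, expose_php and clickjacking, can both be verified from the response headers alone. The script below is an added example, not part of the Plesk article: it parses an HTTP response header block and reports whether PHP still announces itself and whether a framing defence header is present. The header blocks embedded in it are constructed samples; the curl-based live check and the URL https://example.com/ are assumptions.

```shell
#!/bin/sh
# Added example (not Plesk's code). Parsers read an HTTP response header
# block from stdin and return 0 when the finding is PRESENT, 1 when not.

# expose_php=On makes PHP send "X-Powered-By: PHP/x.y.z". After setting
# expose_php = Off and restarting the web server this header disappears.
expose_php_detected() {
    grep -Ei '^X-Powered-By:[[:space:]]*PHP' >/dev/null
}

# A page is considered protected against clickjacking when it sends
# X-Frame-Options or a Content-Security-Policy with frame-ancestors.
clickjacking_unprotected() {
    ! grep -Ei '^(X-Frame-Options:|Content-Security-Policy:.*frame-ancestors)' >/dev/null
}

# Report helper: FAIL when the finding is present, PASS otherwise.
# usage: printf '%s\n' "$headers" | verdict <parser-function>
verdict() {
    if "$1"; then echo FAIL; else echo PASS; fi
}

# Live check (assumed environment, not exercised by the samples):
# curl -sI fetches only the response headers of the given URL.
site_live_check() {   # usage: site_live_check https://example.com/
    h=$(curl -sI "$1")
    printf 'expose_php:   %s\n' "$(printf '%s\n' "$h" | verdict expose_php_detected)"
    printf 'clickjacking: %s\n' "$(printf '%s\n' "$h" | verdict clickjacking_unprotected)"
}

# Constructed sample header blocks (not real captures): a site before the
# fixes and the same site after expose_php = Off plus X-Frame-Options.
HEADERS_BEFORE='HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.6.30
Content-Type: text/html; charset=UTF-8'
HEADERS_AFTER='HTTP/1.1 200 OK
Server: Apache
X-Frame-Options: SAMEORIGIN
Content-Type: text/html; charset=UTF-8'

# Run the parsers over the samples when executed stand-alone.
printf 'expose_php before:   %s\n' "$(printf '%s\n' "$HEADERS_BEFORE" | verdict expose_php_detected)"
printf 'expose_php after:    %s\n' "$(printf '%s\n' "$HEADERS_AFTER"  | verdict expose_php_detected)"
printf 'clickjacking before: %s\n' "$(printf '%s\n' "$HEADERS_BEFORE" | verdict clickjacking_unprotected)"
printf 'clickjacking after:  %s\n' "$(printf '%s\n' "$HEADERS_AFTER"  | verdict clickjacking_unprotected)"
```

Check the Plesk panel URL (port 8443) as well as each hosted site, because the panel.ini option only changes the headers of the panel itself.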