PCI
Definition
The Payment Card Industry (PCI) refers to a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment. The most well-known of these standards is the PCI Data Security Standard (PCI DSS), which provides a framework for developing a robust payment card data security process, including prevention, detection, and appropriate reaction to security incidents.
Secure Settings Example
# Example of a secure configuration for a web server handling credit card data
server {
listen 443 ssl;
server_name example.com;
ssl_certificate /etc/ssl/certs/example.com.crt;
ssl_certificate_key /etc/ssl/private/example.com.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers on;
location / {
proxy_pass http://backend;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
}
}
Insecure Settings Example
# Example of an insecure configuration for a web server handling credit card data
server {
listen 443 ssl;
server_name example.com;
ssl_certificate /etc/ssl/certs/example.com.crt;
ssl_certificate_key /etc/ssl/private/example.com.key;
ssl_protocols SSLv3 TLSv1;
ssl_ciphers 'ALL:!ADH:!EXP:!MD5:@STRENGTH';
ssl_prefer_server_ciphers off;
location / {
proxy_pass http://backend;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
}
}