PCI compliance requires at least Apache 2.2.8

To be compliant with PCI standards (Payment Card Industry), a merchant is supposed to have at least Apache 2.2.8, and at least PHP 5.2.5.

I think this is the lamest thing ever.

Anyway, I might as well figure out how to upgrade the two packages. I currently have Apache 2.2.3 and PHP 5.1.6.

Am I limited to upgrades given via the auto upgrade feature of Virtualmin, or can I perform upgrades on my own? I’m very savvy about how to go about it, perhaps if there was a URL someone could point me to I’d be set.

Lastly, are there any gotchas I need to be aware of?


Someone has to know how to update httpd and PHP?


So, the PCI standards do not take into account fully patched versions of these packages from the OS vendors? So…RHEL 5 is not PCI compliant, despite being one of the most secure systems available (likewise Debian 4)? I think this shows a pretty striking lack of awareness on the part of the folks drafting the guidelines.

BTW-We have a solution coming soon for the PHP update issue for our most popular platforms–we will provide PHP 5.2.6 for CentOS 5, at least. We will never bump rev on Apache beyond what is provided by the vendor…so you’ll need to build your own (which will probably end up less secure in the end since managing upgrades is so much harder on a built-from-source installation).

BTW2-Note I said PHP 5.2.6. 5.2.5 has security vulnerabilities, unless patched. :wink:

Thanks Joe! I am a paying customer, anyway :wink:

I guess I’ll have to file an exception, as it’s the most fully patched version of apache. Thanks for pointing that out. I look forward to getting the PHP 5.2.6, though! When do you think that’ll come?

But ya, I think it’s more or less just a joke.

I mean seriously, HACKER SAFE has softer requirements than PCI, and you see all those HACKER SAFE decals all over the place, where in truth its all BS. I am actually HACKER SAFE compliant, just not PCI. Odd… And to get that HACKER SAFE decal you have to pay about 2.5 times more money. What a joke!


The other reason I’m not PCI compliant is because I have “excessive” open ports, which means 10 or more. I mean seriously, who came up with 10? I should get an exception, though, for that because it’s “by design”. Whatever! :wink:


The other reason I'm not PCI compliant is because I have "excessive" open ports, which means 10 or more. I mean seriously, who came up with 10?

They count the number of open ports? Seriously? Wow. I think from now on, if I see some sort of PCI logo on a site I will be more suspicious of their security than if I don’t. :wink:

If you absolutely, positively must have these updates, you might look into using Jason Litka’s excellent repository, which includes patched PHP 5.2.5, httpd 2.8 and MySQL 5.0.58

Not supported or recommended by the folks here, of course, but very useful if you must have a very up-to-date CentOS.


You’ll need to do a bit of research to figure out how to enable and use his repos, and your following yum update will be scary as it’ll replace a load of packages and modules. Caveat Emptor… but I’ve had very good luck with it and he does seem serious about changes and updates.

Time Will Tell… hopefully he continues his good work, it is much appreciated by those who use his repos and builds.

Also some advice on patching 5.2.5’s security issue here:

Not supported or recommended by the folks here

It’s not not recommended, either. :wink:

But, as you say, we can’t possibly support packages that we don’t provide or aren’t from the standard OS sources. We have our hands full supporting our own packages plus the ones from CentOS, Debian, Ubuntu, Fedora, etc.

Ya, I think I’ll take my chances with getting an exception on the apache issue, and wait until the PHP update comes out.

Joe, any idea when the PHP 5.2.6 update will roll?


well, they took off the excessive ports issue, and the apache version issue. I might as well just ask for them to remove the PHP version issue then, huh? If it was that easy :wink:

Then I can be "compliant". Yay! As if it means a whole hell of a lot.


That did it. I am now PCI compliant. Oh yay! :wink:



I am just going thro the PCI at the moment. an out of the box install only showed 4 medium priority items that i need to change to get compliant!

  1. restrict recursive queries to the hosts that should use this name server??? i asume in the ACL i add the ip addresses of the systems i want to connect to it??

  2. disable SSL 2.0 and use SSL 3.0 or TLS 1.0 - I cannot see anywhere i can change this with in the settings??

  3. make sure all forms are sent and received over SSL - html issue!

  4. Reconfigure services to avoid the use of weak ciphers - hay what???

anyone got any ideas???


In the "install scripts" part of VM pro I want to install the shopping cart "Magento" but the install says I need php 5.2

Is there a way to selectively install php 5.2 without a full virtualmin upgrade (which is already up to date anyway)

How do I install the official php 5.2 package providd by VM? Is there one?


I answered the SSL v2.0 in your bug report colinkent

Joe, do you guys have an eta on PHP 5.2.6? If you guys are going to release it soon, I would much rather wait for it than to install my own.

+1 for news about PHP 5.2.6 here.

would very much like to run an opcode cache, too: either XCache or eaccelerator. would be very grateful for an install recipe.


Adrian Russell-Falla

Joe wrote:

BTW2-Note I said PHP 5.2.6. 5.2.5 has security vulnerabilities, unless patched. ;-)

I still have php 5.1, and ain’t able to update to 5.2.6.

How long are you with the update Joe?
Does you have a timeline?

I still think this software are great, but php 5.2.6 will make it even better.

Peter, Denmark


What distribution are you using?

If you’re using something like CentOS 5 or RHEL 5, which are currently offering PHP 5.1.6 – they backport security fixes and such into that version of PHP. You should be in good shape, security-wise.

In dealing with any of the PCI Compliance testers, they’re pretty understanding about the backporting, you should just be able to mark older versions they detect as a “False Positive” and simply mention what distro you’re running, and that you’re up to date with patches.

I’m sure there’s some features in 5.2.6 that folks may want, and Joe will certainly get around to that. But in the meantime, as far as security is concerned running PHP 5.1.6 on RHEL/CentOS5 is up to date.