Securing Apache for PCI Compliance

For anyone running an e-commerce web site, the term PCI compliance is unlikely to escape the owner's or developers' attention. In essence, if a web site handles credit card data, regardless of whether it stores that data, the web site must be PCI compliant.

For a web site to be compliant, it must pass an external vulnerability scan every three months (a quarterly scan) performed by an Approved Scanning Vendor (ASV), that is, a vendor authorised by the PCI Security Standards Council. There are many out there and from my experience they are not all equal. Some vary in the features they offer, but the interesting point is that not all of them report the same vulnerabilities. As a developer, the vulnerability report is key to identifying and resolving any issues, so I find it surprising when a scanning vendor provides the solution but not the steps to reproduce the issue or a link on how to resolve it. Anyway, to help out here, I've found that Apache vulnerabilities pop up more than most, so I will address some of these raised issues and present the resolutions.
