PCI DSS Compliance

Payment Card Industry Data Security Standard (PCI DSS) is a proprietary security standard required by some banks before they allow a company to process and store credit card and payment data.

PCI DSS compliance is verified by third-party security companies. Usually, they run the Nessus scanner and report any potential vulnerabilities or insecure settings.

The administrator can configure Kerio Connect to use supported cipher suites to ensure PCI DSS compliance. For more information refer to Configuring SSL/TLS in Kerio Connect.

Kerio Connect and PCI

NOTE

Always upgrade to the latest version of Kerio Connect for the best security!

If you run Kerio Connect and have difficulty being granted compliance, try the following:

The list of known incompatibilities

Vulnerability to the TLS CBC attack

Solution: In Kerio Connect 8.0.0 and newer, set the SSLDontInsertEmptyFragments configuration value to 0 in the mailserver.cfg configuration file. Users with Kerio Outlook Connector (Offline edition) 8.0.2 and older on Windows XP systems may not be able to connect to the server or synchronize the data.

Vulnerability to the SSL BEAST attack

Solution: In Kerio Connect 8.0.1 to 8.4.2, set the DisableRC4SHA configuration value to 0 in the mailserver.cfg configuration file.

The RC4 cipher may be considered insecure by other security scans due to known attacks against this algorithm. Some US government organizations and agencies must follow the FIPS 140-2 standard, which forbids RC4 ciphers.

In Kerio Connect versions 8.3.0 to 8.4.0, also set the PreferECDHCipher configuration value to 0 in the mailserver.cfg configuration file.

Vulnerability to the POODLE and CVE-3566 attack

Solution: In Kerio Connect 8.3.3 and older, set the DisableSSLv3 configuration value to 1 in the mailserver.cfg configuration file.

SSLv3 is also disabled if DisableTLSv1 is set to 1.

Kerio Connect 8.3.4 and newer is not vulnerable to POODLE and CVE-3566.

IMPORTANT

If you disable TLSv1, some SMTP servers may not be able to deliver messages to your server.
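The version-dependent settings above are easy to get wrong when several servers run different releases. The following added example (not Kerio's code) encodes the rules from this article and reports which mailserver.cfg values deviate for a given version; it assumes the values have already been read into a plain dict, since the file format itself is not covered here, and the `fips` flag is an added option that skips the RC4 recommendation for FIPS 140-2 environments.

```python
"""Audit Kerio Connect mailserver.cfg values against the PCI DSS notes above."""


def parse_version(version):
    """Turn a dotted version string such as "8.3.2" into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))


def in_range(version, low, high=None):
    """True if low <= version <= high (high=None means no upper bound)."""
    ver = parse_version(version)
    if ver < parse_version(low):
        return False
    return high is None or ver <= parse_version(high)


def required_settings(version, fips=False):
    """Return {setting: value} this article recommends for the given version."""
    wanted = {}
    if in_range(version, "8.0.0"):            # TLS CBC attack
        wanted["SSLDontInsertEmptyFragments"] = "0"
    if in_range(version, "8.0.1", "8.4.2") and not fips:  # SSL BEAST attack
        wanted["DisableRC4SHA"] = "0"         # re-enables RC4, forbidden by FIPS 140-2
    if in_range(version, "8.3.0", "8.4.0"):
        wanted["PreferECDHCipher"] = "0"
    if in_range(version, "0.0.0", "8.3.3"):   # POODLE; 8.3.4+ is not affected
        wanted["DisableSSLv3"] = "1"
    return wanted


def audit(version, config, fips=False):
    """Return a list of (setting, current, wanted) for values that deviate.

    DisableSSLv3 counts as satisfied when DisableTLSv1 is "1", because the
    article notes that disabling TLSv1 also disables SSLv3.
    """
    findings = []
    for name, wanted in required_settings(version, fips).items():
        if name == "DisableSSLv3" and config.get("DisableTLSv1") == "1":
            continue
        current = config.get(name)
        if current != wanted:
            findings.append((name, current, wanted))
    return findings


# Constructed sample values, not taken from a real server.
SAMPLE_CONFIG = {
    "SSLDontInsertEmptyFragments": "1",
    "DisableRC4SHA": "1",
    "PreferECDHCipher": "1",
    "DisableSSLv3": "0",
    "DisableTLSv1": "0",
}

if __name__ == "__main__":
    for name, current, wanted in audit("8.3.2", SAMPLE_CONFIG):
        print(f"{name}: is {current!r}, article recommends {wanted!r}")
```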

How to test SSL vulnerabilities

To test SSL vulnerabilities, use an online test, for example, at https://www.ssllabs.com/ssltest/