Hacker News

CodesInChaos, today at 8:48 PM (2 replies)

The whole VPN requirement sounds like bullshit to me. The terminal should use secure TLS connections to the servers it communicates with, without relying on the security of the (local) network at all.


Replies

kstrauser, today at 10:07 PM

It wasn’t a requirement. They have a VPN server for remote access. The network scan found it and complained even though it’s not related.

akerl_, today at 9:15 PM

Last I checked, a VPN isn’t required by PCI (or really any other compliance regime). The parent commenter’s infrastructure had a VPN. And once you have a VPN and you’re showing it to the auditors as part of your in-scope infra for PCI, asking you to remediate findings for insecure algorithms allowed in the server config is rational.
