Seems that some of the credit card processors demand the use of Security Metrics to test their web hosting for meeting a fairly good security standard. First, it doesn't matter if they do online credit card processing or not, just credit card processing period. This makes some sense, as someone could hack in a form pretending to ask for this information... so there is at least some risk.. and we all no credit card companies ultimately want to achieve 0 risk. ;) Anyway, the frustration is this and early on their reports even talked about it. Redhat doesn't follow the normal numbering system for a lot of their security updates for various packages. PHP is a great example of the time. Security Metrics says I must be running 5.1 due to exploits in earlier versions due to CANXXXX whereas Redhat has clearly addressed the issue, sent out a patch and generally we have it installed 2 to 6 months before SM starts a failing process. ---- The real question ---- Basically, I was wondering if there were many of you 'jumping through these same hoops'? If there are, perhaps we as a group could do something to get them to check for CentOS and then look for RHEL versions in hopes of ending these hassles. ---- end real question ---- I have found that by contacting SM, they will make a correction to a test once they know what you are running, but this seems to come up with each and every test. And the testing is done by domain, not by server, so you have to deal with each domain tested with the exact same crap.. which amounts to jumping through a hoop. Also, I've come to realize that some of what they ask that you do, equates to having your locked car in the driveway with the keys in your pocket.. this fails... But, if you put those keys in a different locked car beside it in the driveway and put the keys to that car in your pocket, it passes. Very sad...... And never once have they considered talking about the very basics like a good password policy. :( One other thing that bothers me about them is they 'sell appliances'. So, if your server/host can't pass or doesn't want to deal with it, we can 'sell' them something, making more money which to me seems like a conflict of interest for someone operating under the guise of security.