PCI Compliance in Regard to expose_php (Both On and Off)

PCI compliance is an important part of the payment processing industry. You may be familiar with the term, but do you know what the technical requirements are and how to meet them? In our new blog series, we will be answering those questions and more. To start, read on for more information about PCI compliance in regard to expose_php.

What is PCI compliance and why is it important?

PCI compliance involves the Payment Card Industry Data Security Standard (PCI DSS) - a set of information security standards for companies that handle credit cards from the major card brands. The PCI standards are mandated by the card brands and were created to increase controls around cardholder data to reduce credit card fraud. PCI compliance is an ongoing process and responsibility set by the Payment Card Industry. In the United States, virtually half of all data breaches are the result of a malicious attack, so it’s important to know how to prevent those attacks.

What is a php.ini file?

The php.ini file is the default configuration file for running applications that require PHP. This file is used to control variables in PHP such as upload sizes, file timeouts, and data storage limits. This configuration file is read when PHP starts up. There are numerous configurations options affecting both PHP features and extension. Configuration file php.ini is searched for in different locations, depending on the way PHP is used.

What is expose_php in web development?

Expose_php, which is found in the PHP configuration file (php.ini) located on a remote server, exposes to the world that PHP is installed on the server, which includes the PHP version within the HTTP header (e.g., X-Powered-By: PHP/5.3.7). Default configurations are not recommended and it’s important to understand that leaving this parameter as enabled is considered a PCI vulnerability and therefore should be addressed.

The benefit of a web server is that it allows software developers to quickly deploy feature-rich applications that are cross-platform compatible and therefore easily accessible by end users through various desktop and mobile devices with internet access. It is important to understand that because these applications are available through the public internet, it also introduces risks to the application provider and end-users, such as man-in-the-middle attacks, buffer overflows, cross site scripting, and brute force attacks. It is highly recommended that vulnerability scans/penetration testing are completed against the web application periodically to identify known risks, and address them as soon as possible.

  • Summary: The PHP installed on the remote server is configured in a way that allows disclosure of potentially sensitive information to an attacker through a special URL. Exposure of this information allows an attacker to identify a website as using a specific version of PHP which is vulnerable to a specific attack.
  • Impact: Allows disclosure of potentially sensitive information to an attacker through a PHP defaulted URL.
  • Solution: In the PHP configuration file, php.ini, set the value for 'expose_php' to 'Off' to disable this behavior. Restart the web server daemon to put this change into effect.

Does expose_php affect PCI compliance?

PCI DSS is a set of network security and business best practices guidelines adopted by the PCI Security Standards Council to establish a "minimum security standard" to protect customers' payment card information.

Merchants that are PCI compliant have taken the necessary steps to limit the chance of their customers’ cardholder data being exposed. Cardholder data is typically stolen through the use of malware that is installed within a merchant’s internal networks. This malware will typically sit on a merchant’s system collecting card data and sending it to the bad actor. Once inside, it usually takes months before the merchant is aware that they have been breached.

The PHP install on the remote server is configured in such a way that it can allow for the disclosure of potentially sensitive information. This can be triggered by a hacker making HTTP requests that disclose the PHP – also known as a “fingerprinting” attack where a bad actor uses the knowledge of the version of PHP to develop a specific attack that will work on that version.

External vulnerability scans will typically show an alert for this vulnerability. Merchants should address this and any vulnerabilities found on a PCI vulnerability scan in a timely manner to limit the chances of a bad actor exploiting that vulnerability and compromising customers’ cardholder data.

Should we turn off expose_php for PCI compliance?

Leaving the “expose_php” value as “ON” may allow an attacker the ability to view sensitive information which can be used to develop an effective attack against your internal networks.

Setting the “expose_php” value to “Off” will disable this behavior. Bad actors that attempt to pinpoint the version of PHP will be unable to, and are likely to move on to another target.

What are the risks associated with turning off expose_php?

There are no known risks of disabling expose_php on a web server. Most Third Party services are agnostic to PHP version, and would not need this information exposed in order to function properly.


PCI compliance can be complicated, especially if you’re tackling it yourself without the proper help. Make sure you have technical best practices and security enhancements in place, and make use of any PCI compliance assistance programs your payment processor offers. Global Payments Integrated has invested in staff and programs to lessen the burden of PCI compliance for our partners and their customers. To learn more about how Global Payments Integrated can help your business with PCI compliance, contact us today.

Soltan Nayabkhil

Director of Sales Engineering

Soltan Nayabkhil is the Director of Sales Engineering for Global Payments Integrated, a division of Global Payments Inc. (NYSE:GPN), one of the largest worldwide providers of payment technology and software solutions. He joined Global Payments Integrated in 2010 and is a well versed  Payment Industry veteran with 21 years of experience in financial technology, payment security and operations. He has been instrumental in establishing many key partnerships and providing valuable insight for the development of new products and services within Global Payments Integrated.

View Profile