This article is now available in our knowledge base: IBM i Apache PCI compliance reference
IBM i customers using automated compliance verification software often write to us to ask about the Apache version running on IBM i. The automated software may indicate the version is not secure because of known threats that are not mitigated.
IBM i, any version.
IBM HTTP Server for IBM i provides a customized version of Apache that is not 100% compatible with the version provided by the Apache Software Foundation. This customized version provides some extra features that are specialized for IBM i, providing configuration directives not found in the base Apache, and there are some configuration directives in the base Apache that are not applicable to IBM i. So, they do not just take every new point release of Apache and compile it for IBM i. This means that automated compliance checking that relies on the point release of Apache cannot accurately detect PCI compliance on the IBM i.
However, IBM HTTP Server is PCI compliant. To stay in compliance, you only need to keep current with the PTF releases for IBM HTTP Server. IBM has provided a reference page where you can verify specific PTF numbers for the known vulnerabilities: