
Archive for the ‘Linux’ Category

Killing off SSL2 support

May 12th, 2009 Chris Hane

Today we officially turned off all SSL2 support so that we could be PCI compliant.  After this we passed the certification scan.  Yeah.  We bit the bullet and decided that SSL2 has been deprecated for years and the versions of IE6 we could find on different computers all supported SSL3.  So, while there isn’t much information out there about SSL2, we will take that as a sign that we will not have an issue.  Besides, everyone else who is PCI compliant will have the same issue.

If you want to set up your web servers to be PCI compliant, these are the settings we used:

SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

These ensure that only SSL3 and TLS1 are used, with medium- to high-strength cipher suites.  Also, all “not secure” ciphers are expressly excluded from the acceptable list.
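As an added example (not code from the post), here is a small checker that evaluates the two directives above the way mod_ssl does and reports anything that would defeat the goal of the change: SSLv2 still enabled, or one of the insecure cipher classes not excluded. The protocol list is the one mod_ssl understood in 2009 and is an assumption of the example.

```python
# Added checker, not part of the post: evaluates SSLProtocol / SSLCipherSuite
# lines and reports anything that would fail the post's PCI goal.

# Protocols mod_ssl accepted at the time (assumed); later versions added more.
PROTOCOLS = {"sslv2": "SSLv2", "sslv3": "SSLv3", "tlsv1": "TLSv1"}

# Cipher classes the post's SSLCipherSuite line kills with '!'.
REQUIRED_KILLS = {"aNULL", "ADH", "eNULL", "LOW", "EXP"}


def enabled_protocols(directive):
    """Return the protocols an 'SSLProtocol ...' line accepts. mod_ssl rules:
    'ALL' expands to every protocol, '+tok' adds, '-tok' removes, and a bare
    token overwrites whatever was set before it."""
    words = directive.split()
    if not words or words[0].lower() != "sslprotocol":
        raise ValueError("expected an SSLProtocol directive")
    enabled = set()
    for word in words[1:]:
        action, name = (word[0], word[1:]) if word[0] in "+-" else ("=", word)
        if name.lower() == "all":
            chosen = set(PROTOCOLS.values())
        elif name.lower() in PROTOCOLS:
            chosen = {PROTOCOLS[name.lower()]}
        else:
            raise ValueError("unknown protocol %r" % name)
        if action == "+":
            enabled |= chosen
        elif action == "-":
            enabled -= chosen
        else:
            enabled = set(chosen)
    return enabled


def missing_cipher_kills(directive):
    """Return which of the required '!class' exclusions an 'SSLCipherSuite ...'
    line lacks. Only the ':' separator is handled, as in the post's example."""
    words = directive.split(None, 1)
    if len(words) != 2 or words[0].lower() != "sslciphersuite":
        raise ValueError("expected an SSLCipherSuite directive")
    killed = {part[1:] for part in words[1].split(":") if part.startswith("!")}
    return REQUIRED_KILLS - killed


def pci_findings(config_text):
    """Run both checks over a config fragment; an empty list means it passes."""
    findings = []
    for line in config_text.splitlines():
        line = line.strip()
        if line.lower().startswith("sslprotocol"):
            if "SSLv2" in enabled_protocols(line):
                findings.append("SSLv2 still enabled: " + line)
        elif line.lower().startswith("sslciphersuite"):
            missing = missing_cipher_kills(line)
            if missing:
                findings.append("not excluded: " + ", ".join(sorted(missing)))
    return findings
```

Note that a bare token such as `SSLProtocol SSLv2 TLSv1` overwrites rather than adds, which is why the post's `-ALL +SSLv3 +TLSv1` form is the unambiguous one.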

Here is a tool we used to scan our web servers to verify which protocols are being used (much easier to use this than to request a PCI scan from our vendor in order to verify this change worked).

SSL Digger by Foundstone

Categories: Browser, Linux

Timezone Hell

April 17th, 2009 Chris Hane

If you haven’t had fun with timezones before, you haven’t developed enough software :)

For several of our applications we had a timezone consistency problem.  There is lots of information on the net about timezones and Java – don’t forget your operating system and physical BIOS time settings.  Our production machines are set to EST5EDT (Eastern Standard Time – no daylight saving).

To set the applications to use this timezone, Java needs to be told.  The easiest way is to add a parameter to the startup script:

java -Duser.timezone=EST5EDT ....

Now all of our components agree (OS / BIOS / Java) that the timezone is EST5EDT or GMT-5.

Next up will be setting all of the servers to GMT (which we should have done from the start, years ago).  All of the applications should store dates in GMT and only translate into the correct format based on the users’ preferences.  For most of our applications (which are multi-tenant) we are going to set the timezone at the tenant level.  So if you want your times to be in EST, they can be.  If another tenant wants their times in PST, that will work also.

We have a lot of the plumbing in place to do this.  The only piece left to work on is reporting.  Since reports are generated directly against the DB, a method needs to be determined to convert them to the tenant’s preferred TZ.

Categories: Java, Linux