I have been advised that having expose_php = On in my php.ini is a security issue and is, therefore, not PCI compliant.
My research on it so far suggests that turning it off is low risk and will essentially stop sending back the PHP version in the header; however, I am wondering if there are likely to be any issues that come on the back of this change.
Potential issues I am thinking of are third-party services (payment providers, email tracking systems, video streaming APIs) that expect you to respond with a header that indicates you are running a version of PHP, possibly over a certain version?
Should this be a seamless change or does this have the potential for problems?