Web Hosting Talk : Web Hosting Main Forums : Running a Web Hosting Business : PCI DSS Compliancy

[Lawrence-IPGeek]

Hi all, first post so thought I would start with an interesting one.

I recently had a customer email me to let me know that they were not willing to go with our company due to an email being sent to them with the password they chose at sign up unencrypted.

Stating that this was not in line with industry practice I thought would be a very good idea to start researching this issue. I asked a friend of mine who is a CSO and they advised me there would be some problems when it came to PCI compliance.

I looked through the information available on PCI compliance and found that the hosting platform I used was in breach of requirement 4:

Encrypt transmission of cardholder data across open, public networks

This is not met as the software I use does the following:

- When creating a new account emails the customer the password and stores it unencrypted in the database.
- When resetting a password emails the customer with the new password, user is not forced to change password when they log in. The email is also stored unencrypted in the database.

What are peoples views on this and its impact on the companies providing hosting?

[alanwoo]

Majority provider here providing web hosting services to small and medium businesses, these small businesses don't really care about pci compliances

Company who care about pci compliance will do this in house, or deploy customized software to meet the requirement.

If you want to comply, when creating a new user account, do not email the user their password, look at how credit card company or bank provide you your card pin, they will physically mail you a letter with the userid and seperate letter with the password.

Same for when customer request to reset password.

[Brian_R]

Frankly, if this is in the top 50 list of things you need to do for PCI compliance on a hosting platform accepting cards, I'd be surprised. Some of the more common problems causing organisations to fail PCI audits include:

- Cardholder Data (CHD) turning up in unexpected places, causing the scope of the audit to expand - logs are particularly prone to this.
- failure to maintain a vulnerability management program
- failure to do daily log reviews from all systems touching CHD
- failure to pass obligations to subcontractors
- maintaining auditable evidence trails of actions taken in response to threats

As you can see these are much higher level than how passwords are sent out, and are far more likely to draw the attention of an auditor.