Web Hosting Talk : Running a Web Hosting Business

PCI DSS Compliancy
#1  Lawrence-IPGeek (New Member; Sheffield; joined Jun 2012; 1 post)
07-12-2012, 10:30 AM

Hi all, first post so thought I would start with an interesting one.

I recently had a customer email me to let me know that they were not willing to go with our company due to an email being sent to them with the password they chose at sign up unencrypted.

As they stated that this was not in line with industry practice, I thought it would be a very good idea to start researching this issue. I asked a friend of mine who is a CSO, and they advised me there would be some problems when it came to PCI compliance.

I looked through the information available on PCI compliance and found that the hosting platform I used was in breach of requirement 4:

Encrypt transmission of cardholder data across open, public networks

This is not met as the software I use does the following:

- When creating a new account emails the customer the password and stores it unencrypted in the database.
- When resetting a password emails the customer with the new password, user is not forced to change password when they log in. The email is also stored unencrypted in the database.

What are people's views on this and its impact on the companies providing hosting?



#2  alanwoo (Aspiring Evangelist; Singapore; joined Apr 2004; 395 posts)
07-12-2012, 01:21 PM

The majority of providers here provide web hosting services to small and medium businesses, and these small businesses don't really care about PCI compliance.

Companies who care about PCI compliance will do this in house, or deploy customized software to meet the requirement.

If you want to comply, when creating a new user account, do not email the user their password. Look at how credit card companies or banks provide you with your card PIN: they will physically mail you a letter with the user ID and a separate letter with the password.

The same goes for when a customer requests a password reset.

__________________
Alan Woo, alan [@] newmediaexpress.com
= NewMedia Express Pte Ltd (AS38001)
= Dedicated Servers in Singapore | Hong Kong | South Korea | Thailand | Malaysia | Indonesia
= Singapore > speedtest.sg | Hong Kong > lg.newmediaexpress.hk | South Korea > lg.newmediaexpress.co.kr
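Added example (not code from either poster or from the hosting software in question): one way a sign-up and password-reset flow can satisfy the two complaints in the opening post, namely that the chosen password is emailed and stored in clear, and that a reset mails out a new password. The account is created with only a salted PBKDF2 hash stored, the welcome mail never echoes the password, and a reset mails a single-use, time-limited link rather than a password, so the user chooses the replacement themselves and nothing secret sits in the mailbox or the database. The in-memory `AccountStore`, the `outbox` list standing in for the mail system, and the `panel.example` URL are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Dict, List, Optional, Tuple

PBKDF2_ROUNDS = 600_000      # current OWASP recommendation for PBKDF2-HMAC-SHA256
RESET_TTL_SECONDS = 30 * 60  # a reset link is only good for 30 minutes

# Constructed stand-in for the panel's mail system: every message that would be
# sent is appended here so we can check that no plaintext password ever leaves.
outbox: List[Tuple[str, str, str]] = []


def send_mail(to: str, subject: str, body: str) -> None:
    outbox.append((to, subject, body))


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing PBKDF2 hash; the clear password is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return "pbkdf2_sha256${}${}${}".format(PBKDF2_ROUNDS, salt.hex(), dk.hex())


def verify_password(password: str, stored: str) -> bool:
    algo, rounds, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time comparison


class AccountStore:
    """In-memory stand-in (assumption) for the hosting panel's user table."""

    def __init__(self) -> None:
        self.users: Dict[str, str] = {}                        # email -> password hash
        self.reset_tokens: Dict[str, Tuple[str, float]] = {}   # sha256(token) -> (email, expiry)

    def create_account(self, email: str, password: str) -> None:
        self.users[email] = hash_password(password)
        # The welcome mail confirms the account but never echoes the password back.
        send_mail(email, "Your hosting account is ready",
                  "Log in with the password you chose at sign-up.")

    def login(self, email: str, password: str) -> bool:
        stored = self.users.get(email)
        return stored is not None and verify_password(password, stored)

    def request_reset(self, email: str, now: Optional[float] = None) -> Optional[str]:
        """Mail a single-use link instead of a new password.

        Only the hash of the token is stored, so a dump of the database does not
        let an attacker finish someone else's reset. The raw token is returned
        here purely so the example can be exercised; production code would not.
        """
        if email not in self.users:
            # Unknown address: do nothing (a real handler answers identically
            # either way so the form cannot be used to enumerate customers).
            return None
        token = secrets.token_urlsafe(32)
        expiry = (now if now is not None else time.time()) + RESET_TTL_SECONDS
        self.reset_tokens[hashlib.sha256(token.encode()).hexdigest()] = (email, expiry)
        send_mail(email, "Password reset request",
                  "Use this link within 30 minutes: "
                  "https://panel.example/reset?token=" + token)
        return token

    def complete_reset(self, token: str, new_password: str,
                       now: Optional[float] = None) -> bool:
        """Consume the token exactly once and let the user choose the new password."""
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.reset_tokens.pop(key, None)   # pop: a replayed link fails
        if entry is None:
            return False
        email, expiry = entry
        if (now if now is not None else time.time()) > expiry:
            return False
        self.users[email] = hash_password(new_password)
        return True
```

PBKDF2 is used only because it ships with the standard library; in a real panel bcrypt, scrypt or Argon2id are the usual choices, and the token table should be purged of expired rows so it does not grow without bound.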

#3  Brian_R (Web Hosting Master; UK; joined Jan 2011; 769 posts)
07-12-2012, 07:38 PM

Frankly, if this is in the top 50 list of things you need to do for PCI compliance on a hosting platform accepting cards, I'd be surprised. Some of the more common problems causing organisations to fail PCI audits include:

- Cardholder Data (CHD) turning up in unexpected places, causing the scope of the audit to expand; logs are particularly prone to this.
- failure to maintain a vulnerability management programme
- failure to do daily log reviews of all systems touching CHD
- failure to pass obligations on to subcontractors
- failure to maintain auditable evidence trails of actions taken in response to threats

As you can see, these are much higher level than how passwords are sent out, and are far more likely to draw the attention of an auditor.

__________________
Advania Thor Data Centre Iceland - www.thordc.com
High Spec Colocation and Dedicated Servers, powered by cheap, abundant and 100% renewable energy.
Enterprise grade hosting, ISO27001 accredited for security, and all at fantastic pricing.

brian.rae@thordc.com
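Added example, not from the poster: the first item above, cardholder data leaking into logs, is easy to check for mechanically. The scanner below pulls every 13 to 19 digit run out of a log line, validates it with the Luhn mod 10 check that every real card number passes (which is what keeps timestamps, order numbers and phone numbers out of the results), and can mask a confirmed PAN down to first six plus last four. The four log lines are constructed for the example; the card numbers in them are the standard Visa and Mastercard test numbers, not real cards.

```python
import re
from typing import List, Tuple

# Constructed sample log lines (not from any real system).
SAMPLE_LOG = [
    '2012-07-12 10:30:01 INFO order=8841 card=4111111111111111 exp=09/14 amount=29.99',
    '2012-07-12 10:30:02 DEBUG request body: {"pan":"5500 0000 0000 0004","cvv":"123"}',
    '2012-07-12 10:30:03 INFO txn_ref=20120712103000 status=approved',
    '2012-07-12 10:30:04 INFO customer phone=+44 114 2720000',
]

# Heuristic for a card number: 13 to 19 digits, optionally grouped with spaces
# or dashes, and not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check: every issued PAN passes, most random digit runs do not."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _is_pan(candidate: str) -> bool:
    digits = re.sub(r"[ -]", "", candidate)
    return 13 <= len(digits) <= 19 and luhn_ok(digits)


def find_pans(line: str) -> List[str]:
    """Return the PAN-looking substrings in one log line that pass Luhn."""
    return [m.group() for m in PAN_CANDIDATE.finditer(line) if _is_pan(m.group())]


def mask_pans(line: str) -> str:
    """Replace each confirmed PAN with first six + last four, the most PCI DSS
    allows to be displayed; everything that fails Luhn is left untouched."""
    def repl(m: "re.Match[str]") -> str:
        candidate = m.group()
        if not _is_pan(candidate):
            return candidate
        digits = re.sub(r"[ -]", "", candidate)
        return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
    return PAN_CANDIDATE.sub(repl, line)


def scan_log(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """(1-based line number, PANs found) for every line that leaks cardholder data."""
    hits = []
    for number, line in enumerate(lines, 1):
        pans = find_pans(line)
        if pans:
            hits.append((number, pans))
    return hits


if __name__ == "__main__":
    for number, pans in scan_log(SAMPLE_LOG):
        print("line {}: {}".format(number, pans))
        print("  masked: " + mask_pans(SAMPLE_LOG[number - 1]))
```

Masking is triage, not the fix: once a PAN has been written to a log file that file is in scope, and the second sample line also shows a CVV, which PCI DSS forbids storing at all after authorisation. The real remediation is to stop the application logging request bodies and then scrub the existing archives.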
