  1. #1 DoubleDee (SitePoint Wizard)

    PCI-Compliance Debate

    A heated debate is about ready to start at work tomorrow...

    One of my bosses sent out an e-mail stating that "To be PCI-Compliant, all users must re-set their passwords every 90 days!!"

    This is for an e-commerce site where we are using a 3rd-Party Payment Processor but will be storing basic things like E-mails, Names, and Addresses.

    I say that she doesn't understand what the PCI-Compliance Guidelines say...


    Debbie

  2. #2 ralph.m
    I agree. The 90 day thing is silly even where it applies, but if you are not collecting credit card details, it's going way overboard.

  3. #3 eldad (SitePoint Enthusiast)
    There are two things to debate here:
    1) Do you need to be PCI Compliant if you are using a 3rd party payment processor?
    2) Is the 90 days requirement valid?

    If the answer to #1 is yes, the answer to #2 is yes as well. See requirement 8.5.9 here https://www.pcisecuritystandards.org...dures_v1-1.pdf

    #1 is less straightforward and it depends on the answer to:
    Does your company handle credit cards directly?
    The fact that you have a 3rd party processor does not necessarily imply that you do not deal with credit cards, even if they are not stored on your servers. If this processor provides a hosted payment page which does not reside on your domain, you are probably OK. But if your site uses an API to process the cards, meaning card numbers are collected on your domain and then passed to the processor, you are exposed to PCI requirements. You can reduce the PCI audit scope by proving that card numbers are not stored locally, but you still need to answer all basic requirements.
    Also, if you have phone, email or fax sales, you are dealing with credit cards and thus exposed to PCI requirements.

    And the bottom line is that if you deal with credit card numbers, in any way, and if users have access to the systems that deal with card numbers, you will need to make sure that passwords are refreshed every 90 days.

    Hope this makes sense.

  4. #4 DoubleDee (SitePoint Wizard)
    Quote Originally Posted by eldad:
    There are two things to debate here:
    1) Do you need to be PCI Compliant if you are using a 3rd party payment processor?
    2) Is the 90 days requirement valid?

    If the answer to #1 is yes, the answer to #2 is yes as well. See requirement 8.5.9 here https://www.pcisecuritystandards.org...dures_v1-1.pdf

    #1 is less straightforward and it depends on the answer to:
    Does your company handle credit cards directly?
    The fact that you have a 3rd party processor does not necessarily imply that you do not deal with credit cards, even if they are not stored on your servers. If this processor provides a hosted payment page which does not reside on your domain, you are probably OK. But if your site uses an API to process the cards, meaning card numbers are collected on your domain and then passed to the processor, you are exposed to PCI requirements. You can reduce the PCI audit scope by proving that card numbers are not stored locally, but you still need to answer all basic requirements.
    Also, if you have phone, email or fax sales, you are dealing with credit cards and thus exposed to PCI requirements.

    And the bottom line is that if you deal with credit card numbers, in any way, and if users have access to the systems that deal with card numbers, you will need to make sure that passwords are refreshed every 90 days.

    Hope this makes sense.
    Who is a "user"?

    The way that link reads is that it is the "Customers".

    Name one e-commerce site in the world that requires "Customers" to re-set their password every 90 days?

    Also, our Lead Developer found a link that says "Only Admins, Service Providers, etc need to re-set their passwords every 90 days." (I don't have the link from work.)


    Debbie

  5. #5 ralph.m
    Quote Originally Posted by DoubleDee:
    our Lead Developer found a link that says "Only Admins, Service Providers, etc need to re-set their passwords every 90 days."
    That sounds more accurate to me. Only one third-party cart that I've used requires me—as the developer—to reset my password every 90 days. But the customers who use the cart are never asked to do the same.

  6. #6 eldad (SitePoint Enthusiast)
    Debbie,

    I thought that by "users" you were referring to company employees in your original post.
    There is no requirement to reset your customers' passwords every 90 days. As far as I know, the way you manage passwords in your web application for web site visitors is not in the scope of PCI.

    Eldad

  7. #7 DoubleDee (SitePoint Wizard)
    Quote Originally Posted by eldad:
    Debbie,

    I thought that by "users" you were referring to company employees in your original post.
    There is no requirement to reset your customers' passwords every 90 days. As far as I know, the way you manage passwords in your web application for web site visitors is not in the scope of PCI.

    Eldad
    Someone sent me this link...

    https://www.pcisecuritystandards.org...tion=PCI%20DSS


    Looks like this is the key point to help me and the Lead Developer win our argument...

    -----------------------------------------------------------------------
    8.5 Ensure proper user identification and authentication management for non-consumer users and administrators on all system components as follows:

    8.5.9 Change user passwords at least every 90 days.
    -----------------------------------------------------------------------

    Debbie
