
We're moving away from a hosted e-commerce platform and need to migrate 50000+ customers, ideally keeping their passwords intact.

I requested the customer data (including encrypted passwords and salts) from our current host and they refused, saying that it is against PCI compliance.

How would you provide this data to a second party while keeping to PCI best practices?

I've tried searching but I can't find the relevant information or PCI documentation for this use case.

Gil Hamilton
alexwatever
    PCI-DSS does not prohibit the transfer of protected data if you are entitled to access the data. However, there are strict regulatory policies regarding the way data are transmitted. I don't have all the details for the actual version but you might find some enlightenment here: [PCI-DSS-documentation](https://www.pcisecuritystandards.org/document_library) – Frank Feb 16 '16 at 09:31
  • Thanks for the info mate, good to know it's just a transfer issue. I'll do some more reading there and try and find the relevant section. – alexwatever Feb 16 '16 at 10:31
  • 1
    You're welcome. I searched my old documentation links (it's been a while since I had something to do with it) and found something else that might be helpful: [Managed File Transfers](http://www.coviantsoftware.com/documents/how-to-comply-with-pci-dss.pdf) – Frank Feb 16 '16 at 10:37
  • 1
    Are you actually transferring encrypted card numbers? - If not, it's hard to see why the data you are transferring is within the scope of PCI at all. If there is an issue that the data you want is encrypted using keys *also* used to encrypt card numbers, just get them to export the non-PCI data to plaintext & re-encrypt. – Alex K. Feb 16 '16 at 11:02
  • 1
    @Alex K. that's not correct. Cardholder data is in the scope of PCI-DSS as well as the card numbers. But regarding the key you're right. – Frank Feb 16 '16 at 11:10
  • 1
    I mean that it's not cardholder data if there is no PAN - this is the specific definition. I can export data from a PCI environment, and so long as there is no PAN the dump is out of scope. (Assuming you are not being naughty and storing CVC/full track data) – Alex K. Feb 16 '16 at 11:19
  • Thanks for the doc on managing file transfers, I'll work my way through it. And no, there's actually no card data at all in what I'm requesting. Just encrypted passwords, the password salt, and an identifier to match my customer data (customer ID or email). Would this be covered by PCI compliance at all? – alexwatever Feb 16 '16 at 11:36
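The migration the question describes (importing exported hash + salt + customer ID records and keeping passwords working) is usually done by verifying against the legacy scheme at login and re-hashing under a modern KDF at that moment, since the plaintext is only ever available then. The following is an added example, not code from the question or either platform; the legacy scheme `hex(sha256(salt || password))`, the record field names and the sample values are all assumptions for the demo, and the real scheme must come from the old host's documentation.

```python
import hashlib
import hmac
import secrets

# ASSUMED legacy scheme for this example: hex(sha256(salt_bytes + password)).
def legacy_hash(salt_hex: str, password: str) -> str:
    return hashlib.sha256(bytes.fromhex(salt_hex) + password.encode()).hexdigest()

# Scheme used after migration: PBKDF2-HMAC-SHA256 with a fresh 16-byte salt.
PBKDF2_ROUNDS = 600_000

def modern_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

# Constructed sample of what the export would contain: customer id, salt and
# password hash only, no cardholder data. The salt is a made-up hex string.
SAMPLE_SALT = "5f3a9c1d7e2b4a60"
LEGACY_EXPORT = [
    {"customer_id": 1001, "scheme": "legacy-sha256", "salt": SAMPLE_SALT,
     "hash": legacy_hash(SAMPLE_SALT, "correct horse battery staple")},
]

def import_customers(export):
    """Load exported records into the new store, keyed by customer id."""
    return {rec["customer_id"]: dict(rec) for rec in export}

def check_password(record, password: str) -> bool:
    """Verify against whichever scheme the record currently carries."""
    if record["scheme"] == "legacy-sha256":
        expected = legacy_hash(record["salt"], password)
        return hmac.compare_digest(expected, record["hash"])
    if record["scheme"] == "pbkdf2-sha256":
        expected = modern_hash(password, bytes.fromhex(record["salt"]))
        return hmac.compare_digest(expected.hex(), record["hash"])
    return False  # unknown scheme: fail closed

def login(store, customer_id, password: str) -> bool:
    """Authenticate; on success, upgrade a legacy record to the modern scheme."""
    record = store.get(customer_id)
    if record is None or not check_password(record, password):
        return False
    if record["scheme"] == "legacy-sha256":
        new_salt = secrets.token_bytes(16)
        record["salt"] = new_salt.hex()
        record["hash"] = modern_hash(password, new_salt).hex()
        record["scheme"] = "pbkdf2-sha256"
    return True
```

Records whose owners never log in again stay on the legacy scheme, so a cut-off date for forcing a password reset on those accounts is the usual complement to this pattern.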
