Compliance fail on email clear text login port 25

This forum is dedicated to answering AbleCommerce 7.0 questions about PCI certification and compliance.
Post Reply
ThinkNoodle
Lieutenant, Jr. Grade (LT JG)
Lieutenant, Jr. Grade (LT JG)
Posts: 33
Joined: Fri Oct 10, 2008 7:14 am
Location: UK

Compliance fail on email clear text login port 25

Post by ThinkNoodle » Wed Feb 20, 2013 6:44 am

Hi we're currently failing on one PCI Compliance point, our mailserver allows cleartext login on port 25.
After speaking to Security Metrics today they say this is "flagged up" because some ecommerce systems send credit/debit card numbers this way...
We do not include payment numbers/details in any emails to our customers sent via AbleCommerce and I'm assuming that AbleCommerce does not send any card details via port 25 when processing an order...
Can anyone confirm this?
Thanks
Matt

User avatar
mikek
Commander (CMDR)
Commander (CMDR)
Posts: 112
Joined: Wed Oct 15, 2008 9:30 pm
Location: Boston, MA
Contact:

Re: Compliance fail on email clear text login port 25

Post by mikek » Wed Feb 20, 2013 11:04 am

Hi Matt,

Port number, smtp host and other email settings can be configured trough AbleCommerce admin interface (Administration > Configure > Email > Settings). You can configure
any port number with ssl. By default email templates do not contain credit card or other sensitive information. You can also customize email templates
(Administration > Configure > Email > Templates ) and include customer's and order information using NVelocity template syntax.

Out of the box AbleCommerce is fully PCI compliant and meets all PCI-DSS requirements. The hosting environment configuration in which an AbleCommerce storefront is running
is completely different subject and must be properly configured in order to meet PCI SAQ-C and SAQ-D requirements.
Mike Kolev

Post Reply