Compliance fail on email clear text login port 25

Posted: Wed Feb 20, 2013 6:44 am
by ThinkNoodle
Hi, we're currently failing on one PCI compliance point: our mail server allows cleartext login on port 25.
After speaking to Security Metrics today, they say this is "flagged up" because some ecommerce systems send credit/debit card numbers this way...
We do not include payment numbers/details in any emails to our customers sent via AbleCommerce, and I'm assuming that AbleCommerce does not send any card details via port 25 when processing an order...
Can anyone confirm this?
Thanks
Matt

Re: Compliance fail on email clear text login port 25

Posted: Wed Feb 20, 2013 11:04 am
by mikek
Hi Matt,

The port number, SMTP host and other email settings can be configured through the AbleCommerce admin interface (Administration > Configure > Email > Settings). You can configure any port number with SSL. By default, email templates do not contain credit card or other sensitive information. You can also customize email templates (Administration > Configure > Email > Templates) and include customer and order information using NVelocity template syntax.

Out of the box, AbleCommerce is fully PCI compliant and meets all PCI-DSS requirements. The hosting environment configuration in which an AbleCommerce storefront is running is a completely different subject and must be properly configured in order to meet PCI SAQ-C and SAQ-D requirements.
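The finding in this thread is about what the mail server advertises to clients, not about what the storefront puts in its emails: a scanner connects to port 25, sends EHLO, and flags the host if AUTH is offered before STARTTLS has been negotiated. The Python below is an added example (not AbleCommerce code, and not Security Metrics' scanner) that makes that check reproducible. It parses EHLO replies and reports whether a password could be sent in the clear; the two EHLO replies are constructed samples, and the `probe_smtp` helper is for running the same check against a mail server you administer, EHLO before and after STARTTLS.

```python
"""Detect SMTP servers that offer password authentication before TLS.

Added example for the "cleartext login on port 25" PCI finding.  The EHLO
replies below are constructed samples, not captures from a real server.
"""
import smtplib

# SASL mechanisms that transmit the password itself (RFC 4616 PLAIN, LOGIN).
# CRAM-MD5 and friends hide the password, but a pre-TLS AUTH offer of any
# kind is what compliance scanners flag, so both views are reported.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

# Constructed: a server that advertises AUTH on the unencrypted session.
CLEARTEXT_AUTH_EHLO = (
    "250-mail.example.test Hello [192.0.2.10]\n"
    "250-SIZE 35882577\n"
    "250-AUTH LOGIN PLAIN\n"   # offered before STARTTLS: this is the finding
    "250-STARTTLS\n"
    "250 HELP\n"
)

# Constructed: a server that only offers AUTH once TLS is up.
TLS_FIRST_EHLO = (
    "250-mail.example.test Hello [192.0.2.10]\n"
    "250-SIZE 35882577\n"
    "250-STARTTLS\n"           # no AUTH keyword until after the handshake
    "250 HELP\n"
)


def parse_ehlo(reply: str) -> dict[str, list[str]]:
    """Map each advertised ESMTP keyword to its upper-cased parameters.

    Wire-format lines look like '250-AUTH LOGIN PLAIN' or '250 HELP'.  The
    first line is the server greeting and carries no extension.
    """
    extensions: dict[str, list[str]] = {}
    for index, line in enumerate(reply.splitlines()):
        if index == 0 or len(line) < 4:
            continue                      # greeting or malformed line
        body = line[4:].split()           # drop the '250-' / '250 ' prefix
        if body:
            extensions[body[0].upper()] = [p.upper() for p in body[1:]]
    return extensions


def assess_extensions(ext: dict[str, list[str]], tls_active: bool) -> dict:
    """Classify one set of extensions for a session that is or is not in TLS."""
    mechanisms = ext.get("AUTH", [])
    return {
        "starttls_offered": "STARTTLS" in ext,
        "auth_mechanisms": mechanisms,
        # Any AUTH offer before TLS lets a client log in unencrypted.
        "cleartext_login_allowed": bool(mechanisms) and not tls_active,
        # Narrower view: mechanisms that put the password on the wire.
        "password_in_clear": bool(PLAINTEXT_MECHS & set(mechanisms)) and not tls_active,
    }


def assess_ehlo(reply: str, tls_active: bool = False) -> dict:
    """Convenience wrapper for a raw EHLO reply captured as text."""
    return assess_extensions(parse_ehlo(reply), tls_active)


def probe_smtp(host: str, port: int = 25, timeout: float = 10) -> dict:
    """Live check of a server you administer: EHLO, STARTTLS, EHLO again.

    smtplib exposes the parsed extensions as esmtp_features (lower-case
    keyword -> parameter string) and clears them on starttls(), so the two
    snapshots show exactly what a client sees before and after TLS.
    """
    def snapshot(smtp: smtplib.SMTP, tls_active: bool) -> dict:
        ext = {k.upper(): v.split() for k, v in smtp.esmtp_features.items()}
        return assess_extensions(ext, tls_active)

    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        report = {"before_tls": snapshot(smtp, tls_active=False)}
        if smtp.has_extn("starttls"):
            smtp.starttls()
            smtp.ehlo()
            report["after_tls"] = snapshot(smtp, tls_active=True)
        return report


if __name__ == "__main__":
    for name, reply in (("cleartext-auth", CLEARTEXT_AUTH_EHLO),
                        ("tls-first", TLS_FIRST_EHLO)):
        print(name, assess_ehlo(reply))
```

A server that passes the scan looks like `TLS_FIRST_EHLO`: STARTTLS is advertised on the plain session, and AUTH only appears in the EHLO reply sent after the TLS handshake (`report["after_tls"]`). Fixing the finding therefore means reconfiguring the mail server so AUTH is withheld until TLS is active (or disabling submission on port 25 entirely), which is what the reply above means by pointing at the hosting environment rather than the storefront.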