ISSUE:    C.1

Require PCI compliance in registration process



RAA Final Report (High Priority Item)


Each registrar is required to validate the following data upon receipt from a registrant:
(1) Technical Data
(a) IP addresses used to register domain names.
(b) E‐mail Address
(i) Verify that registration e‐mail address(es) are valid.
(2) Billing Data
(a) Validate billing data based on the payment card industry (PCI) standards, at a minimum the latest version of the PCI Data Security Standard (DSS).
(3) Contact Data
(a) Validate data is being provided by a human by using some anti‐automatic form submission technology (such as dynamic imaging) to ensure registrations are done by humans.
(b) Validate current address WHOIS data and correlate with in‐house fraudulent data for domain contact information and registrant’s IP address.
(4) Phone Numbers
(i) Confirm that point of contact phone numbers are valid using an automated system.
(ii) Cross-validate the phone number area code with the provided address and the credit card billing address.
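The validation list above can be read as a set of mechanical checks a registrar's registration front end could run before accepting a submission. The following Python is an added example, not code from the RAA report, the LEA submission, or any registrar: it checks that the submitting IP address parses and is publicly routable, that the e-mail address is syntactically plausible, that the phone number (assumed to arrive in E.164 form, e.g. +14155550100) maps to the same country as the contact address and the card billing address, and that an anti-automation challenge was passed. The dialling-prefix table, the record layout and the sample inputs are all constructed for the example; the phone check is deliberately coarse (country level, and +1 is treated as US only), since the page asks for correlation, not a full numbering-plan lookup.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed mapping of international dialling prefixes to ISO 3166-1 alpha-2
# country codes. This is an assumption for the example only; a real deployment
# would use a complete numbering-plan library. Note +1 is shared by several
# countries and is simplified to US here.
DIAL_PREFIX_TO_COUNTRY = {
    "1": "US",
    "44": "GB",
    "49": "DE",
    "61": "AU",
}

# Syntactic check only: local part, '@', and a dotted domain with an alphabetic TLD.
# It does not prove deliverability; that needs an out-of-band confirmation step.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")


@dataclass
class Registration:
    """One registration submission as seen by the registrar (constructed layout)."""
    source_ip: str        # IP address the registration request came from
    email: str            # registrant contact e-mail
    phone: str            # contact phone number in E.164 form, e.g. +14155550100
    address_country: str  # ISO country code taken from the contact address
    billing_country: str  # ISO country code taken from the card billing address
    captcha_passed: bool  # result of the anti-automatic form submission challenge


def check_ip(ip: str) -> List[str]:
    """Reject unparsable addresses and addresses that cannot be a real client."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return [f"ip: '{ip}' is not a valid IP address"]
    if (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved):
        return [f"ip: {ip} is not a routable public address"]
    return []


def check_email(email: str) -> List[str]:
    if not EMAIL_RE.match(email):
        return [f"email: '{email}' is not syntactically valid"]
    return []


def phone_country(phone: str) -> Optional[str]:
    """Map an E.164 number to a country by longest matching dialling prefix."""
    if not phone.startswith("+") or not phone[1:].isdigit():
        return None
    digits = phone[1:]
    for length in (3, 2, 1):  # longest prefix first so e.g. '44' wins over '4'
        country = DIAL_PREFIX_TO_COUNTRY.get(digits[:length])
        if country:
            return country
    return None


def check_phone(reg: Registration) -> List[str]:
    """Correlate the phone number's country with contact and billing addresses."""
    country = phone_country(reg.phone)
    if country is None:
        return [f"phone: '{reg.phone}' is not a recognised E.164 number"]
    findings = []
    if country != reg.address_country:
        findings.append(
            f"phone: country {country} does not match contact address {reg.address_country}")
    if country != reg.billing_country:
        findings.append(
            f"phone: country {country} does not match billing address {reg.billing_country}")
    return findings


def validate_registration(reg: Registration) -> List[str]:
    """Run every check and return the list of findings; an empty list means clean."""
    findings = check_ip(reg.source_ip) + check_email(reg.email) + check_phone(reg)
    if not reg.captcha_passed:
        findings.append("captcha: anti-automation challenge not passed")
    return findings


if __name__ == "__main__":
    # Constructed sample submissions: one consistent, one with several mismatches.
    clean = Registration("51.100.20.30", "admin@example.com", "+14155550100", "US", "US", True)
    suspect = Registration("10.0.0.5", "not-an-email", "+442071234567", "US", "DE", False)
    for rec in (clean, suspect):
        print(rec.email, "->", validate_registration(rec) or "OK")
```

A finding list rather than a boolean lets the registrar decide policy separately from detection, for instance holding a registration for manual review when only the phone-country check fails but rejecting outright when the challenge was not passed.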

LEA original submission to the RAA-DT


Additional information regarding requests:
LEA Code of Conduct did not include this topic.
Registrars are to be required to avail themselves of commercially available identity verification systems that will provide for time-of-registration validations.

RAA-DT Final Report

Discussion Points

Date Discussed


Registrars seek specific input regarding any “commercially viable” validation mechanisms available:
   -  Discussion regarding cost and effectiveness of various mechanisms;
   -  Discussion regarding information availability (e.g., cardholder data if credit card processing is outsourced);
   -  Discussion regarding variations from country to country in the availability of verification;
   -  Discussion regarding potential barrier to online businesses and other registrants in developing countries and/or level playing field;
   -  Discussion of applicability of PCI Standard; suggestion for an ICANN Session in Costa Rica to identify and discuss in concrete terms available verification methods;
   -  Discussion of ICANN request for verification of WHOIS;
   -  Discussion of inclusion of a WHOIS Appendix that could incorporate several phases of verification processes, over time, including overall metrics to measure effectiveness.

Discuss the redlines to the WHOIS Appendix circulated by Registrars pertaining to verification of WHOIS at registration.

Questions regarding applicability of PCI standard to WHOIS verification.

Registrars noted that PCI is not a data validation standard, that they would like to understand what the IP addresses ought to be validated against, and that there are legitimate reasons why registrations are created through automated means.

18 Nov 2011 

8 Dec 2011

20 Dec 2011
5 Jan 2011

17 Jan 2012

17 Jan 2012

27 Jan 2012

Proposed Text



Under Discussion



