ISSUE:    A.1.b

Registrar obligations to collect, securely maintain and validate data

 

Priority:
 

RAA Final Report:  N/A

 

Issue/Request

LEA:
Registrars and all associated third-party beneficiaries to Registrars are required to collect and securely maintain the following data:
(i) Source IP address;
(ii) HTTP Request Headers
(a) From
(b) Accept
(c) Accept‐Encoding
(d) Accept‐Language
(e) User‐Agent
(f) Referrer
(g) Authorization
(h) Charge‐To
(i) If‐Modified‐Since
(iii) Collect and store the following data from registrants:
(a) First Name:
(b) Last Name:
(c) E‐mail Address:
(d) Alternate E‐mail address
(e) Company Name:
(f) Position:
(g) Address 1:
(h) Address 2:
(i) City:
(j) Country:
(k) State:
(l) Enter State:
(m) Zip:
(n) Phone Number:
(o) Additional Phone:
(p) Fax:
(q) Alternative Contact First Name:
(r) Alternative Contact Last Name:
(s) Alternative Contact E‐mail:
(t) Alternative Contact Phone:
(iv) Collect data on all additional add‐on services purchased during the registration process.
(v) All financial transactions, including, but not limited to credit card, payment information.
Each registrar is required to validate the following data upon receipt from a registrant:
(1) Technical Data
(a) IP addresses used to register domain names.
(b) E‐mail Address
(i) Verify that registration e‐mail address(es) are valid.
(2) Billing Data
(a) Validate billing data based on the payment card industry (PCI standards), at a minimum, the latest version of the PCI Data Security Standard (DSS).
(3) Contact Data
(a) Validate data is being provided by a human by using some anti‐automatic form submission technology (such as dynamic imaging) to ensure registrations are done by humans.
(b) Validate current address WHOIS data and correlate with in‐house fraudulent data for domain contact information and registrant’s IP address.
(4) Phone Numbers
(i) Confirm that point of contact phone numbers are valid using an automated system.
(ii) Cross validate the phone number area code with the provided address and credit card billing address

Source: 
LEA original Request to RAA-DT

Notes

Additional information regarding requests:

  • Not included in LEA Code of Conduct

Source: 


Discussion Points

Description

Date Discussed

 

ICANN to seek clarification regarding the request, e.g., definition of “all associated third party beneficiaries” and other questions.  Will defer discussion until ICANN receives further input from LEA.

Discussion of LE clarification (request pertains to reseller related info); discussion of reseller actions; discussion of PCI standard applicability;  discussion regarding availability and relevance of listed data.

Discussion of ICANN’s request for Registrar Verification of WHOIS Information.

Registrars to identify the feasibility of collection/maintenance of points of information identified in LE Request; discussed how to address reseller issue.

Discussion of maintenance of  IP addresses and appropriate times for maintaining them.

Registrars generally amenable to retaining available data but raised concern about impracticality of maintaining certain log data indefinitely.

Question raised about scope of LE recommendation to collect data related to “add-on services” as some add-on services may be entirely unrelated to domain registrations.

Discussion of LE clarification with regard to data maintenance

Discussion of LE clarificagtion with regard to validation of data

18 Nov 2011



8 Dec 2011



20 Dec 2011

17 Jan 2012


23 Jan 2012 

16 May 2012 

16 May  2012

Proposed Text

Open

 

Status/Outcome

Under Discussion

 

Explanation

Open

 

COMMENTS:

Comments may be submitted using the “Add Comment” feature below.

 






To Leave a Comment on This Page:  Any user logged into Confluence will see an "Add Comment" button at the bottom of this page, which can be used to leave a comment.  To log in, click the "Log In" button on the gray control bar toward the top of the page, and enter your user name and password.  If you do not have a user name and password, please e-mail seth.greene@icann.org with "Log In" in the subject line. 

  • No labels