Page History

ISSUE:    C.1

Require PCI compliance in registration process

Priority:
 

RAA Final Report (High Priority Item)

Issue/Request

Each registrar is required to validate the following data upon receipt from a registrant:
(1) Technical Data
(a) IP addresses used to register domain names.
(b) E‐mail Address
(i) Verify that registration e‐mail address(es) are valid.
(2) Billing Data
(a) Validate billing data based on the payment card industry (PCI standards), at a minimum, the latest version of the PCI Data Security Standard (DSS). Each registrar is required to validate the following data upon receipt from a registrant:
(3) Contact Data
(a) Validate data is being provided by a human by using some anti‐automatic form submission technology (such as dynamic imaging) to ensure registrations are done by humans.
(b) Validate current address WHOIS data and correlate with in‐house fraudulent data for domain contact information and registrant’s IP address.
(4) Phone Numbers
(i) Confirm that point of contact phone numbers are valid using an automated system.
(ii) (ii) Cross validate the phone number area code with the provided address and credit card billing address

Source: 
LEA original submission to the RAA-DT

Notes

Additional information regarding requests:
LEA
LEA Code of Conduct did not include this topic.
RAA-DT
Registrars are to be required to avail themselves of commercially available identity verification systems that will provide for time-of-registration validations.

RAA-DT Final Report

Discussion Points

Date Discussed

Registrars seek specific input regarding any “commercially viable” validation mechanisms available:   
   -  Discussion regarding cost and effectiveness of various mechanisms;
   -  Discussion regarding information availability (e.g., cardholder data if credit card processing is outsourced);
   -  Discussion regarding variations from country to country in the availability of verification;
   -  Discussion regarding potential barrier to online businesses and other registrants in  developing countries and/or level playing field;
   -  Discussion of applicability of PCI Standard; suggestion for an ICANN Session in Costa Rica to identify and discuss in concrete terms available verification methods; 
   -  Discussion of ICANN request for verification of WHOIS;
   -  Discussion of inclusion of a WHOIS Appendix that could incorporate several phases of verification processes, over time, including overall metrics to measure effectiveness.

Discuss the redlines to the WHOIS Appendix circulated by Registrars  pertaining to verification of WHOIS at registration.

Questions regarding applicability of PCI standard to WHOIS verification.

Registrars noted that PCI is not a data validation standard, that they would like to understand what the IP addresses ought to be validated against, and that there are legitimate reasons why registrations are created through automated means

18 Nov 2011 








8 Dec 2011

20 Dec 2011
5 Jan 2011


17 Jan 2012


17 Jan 2012

27 Jan 2012

Proposed Text

Open

Status/Outcome

Under Discussion

Explanation

Open

COMMENTS:

Comments may be submitted using the “Add Comment” feature below.