PCI/DSS Access Control FAIL - Signed Public Widget Documents Are Publicly Accessible

Question

WARNING! Anyone with a link on their website to a Public widget containing any PII data fields. Please be aware that the signed documents are not private to your institution and the signer.

PUBLIC widgets when Signed are Publicly accessible in all their glory for anyone who happens to come across the link that Adobe sends the Signer/Sender... For the love of all things binary, signed data containing personal information should (in almost every situation I can think of) never be PUBLICLY accessible!

It would be REALLY nice to have an option (set by default) to ensure that completed/signed Public Widget documents were accessible only by the parties needing to see the completed forms via authenticating to Adobe Sign. I don't know, kinda like data access control requirements mentioned in PCI/DSS for sensitive information... Or just generally a good idea?

Please implement this ASAP! For those of us who want to keep using your product securely.

https://www.pcisecuritystandards.org/documents/PCIDSS_QRGv3_2.pdf

Requirement 7: Restrict access to cardholder data by business need-to-know To ensure critical data can only be accessed by authorized personnel, systems and processes must be in place to limit access based on need to know and according to job responsibilities. Need to know is when access rights are granted to only the least amount of data and privileges needed to perform a job.

DMCKNIGHT · Answer

We use Adobe Sign to send out payment card authorizations, tied to specific contracts, and we mask all but the last four digits of the card number in the document. That means to process the document, we must have an authorized person export the first 12 or so digits, and pass them on to accounting. Once accounting tells us that card was processed successfully, we record the path to the audit trail PDF, and then delete the document (the audit trail is not deleted when you delete a document). Also, according to the PCI DSS, you may NEVER store the payment card CVV / security code (whether masked or not), so from our perspective everything we do is a work-around and less than what we'd like to see in this environment.

Ideally, Adobe Sign would have a specific set of processes it recommends to users so that they may maintain PCI compliance in their use of the system. I have yet to come across that. For instance, is it possible to decrypt the contents of an Adobe Sign document with masked fields outside of Adobe Sign? If so, how is that done? We know there are all kinds of workarounds for PDF security based on the fact that third party applications may not adopt the full Adobe standard. For the document to be truly secure, however, you would have to be sure that masked content CANNOT be easily accessed by these third parties. We don't know the answer to that, so we delete the documents.

This is a serious system limitation, based on just not knowing, and at some point we will add this function directly to our application so we don't use Adobe Sign for this purpose at all.

Sign up

To post, reply, or follow discussions, please sign in with your Adobe ID.

Sign in to Adobe Community

To post, reply, or follow discussions, please sign in with your Adobe ID.

Scanning file for viruses.

This file cannot be downloaded