
PCI/DSS Access Control FAIL - Signed Public Widget Documents Are Publicly Accessible

Explorer, Feb 02, 2017

WARNING! Anyone with a link on their website to a Public widget containing any PII data fields: please be aware that the signed documents are not private to your institution and the signer.

PUBLIC widgets when Signed are Publicly accessible in all their glory for anyone who happens to come across the link that Adobe sends the Signer/Sender...  For the love of all things binary, signed data containing personal information should (in almost every situation I can think of) never be PUBLICLY accessible!

It would be REALLY nice to have an option (set by default) to ensure that completed/signed Public Widget documents were accessible only by the parties needing to see the completed forms via authenticating to Adobe Sign.  I don't know, kinda like data access control requirements mentioned in PCI/DSS for sensitive information...  Or just generally a good idea?

Please implement this ASAP!  For those of us who want to keep using your product securely.

https://www.pcisecuritystandards.org/documents/PCIDSS_QRGv3_2.pdf

Requirement 7: Restrict access to cardholder data by business need-to-know

To ensure critical data can only be accessed by authorized personnel, systems and processes must be in place to limit access based on need to know and according to job responsibilities. Need to know is when access rights are granted to only the least amount of data and privileges needed to perform a job.

Adobe Employee, Apr 26, 2017

Hi,

As per the desired workflow for Widgets, the final signed copy is sent only to the widget signer and the creator of the widget.

They can either download it or access it using the link which is included in the email.

In order to increase the security of the signer's information, the widget creator can add a document opening password, signer authentication, masking of sensitive information and various other security options available within Adobe Sign.

If you need more help, you can always contact support using the proper support options which you get once you log in to your Adobe Sign account.

Let me know if you need any other information related to that.

Regards

Arun

New Here, Sep 27, 2017

We use Adobe Sign to send out payment card authorizations, tied to specific contracts, and we mask all but the last four digits of the card number in the document. That means to process the document, we must have an authorized person export the first 12 or so digits, and pass them on to accounting. Once accounting tells us that card was processed successfully, we record the path to the audit trail PDF, and then delete the document (the audit trail is not deleted when you delete a document). Also, according to the PCI DSS, you may NEVER store the payment card CVV / security code (whether masked or not), so from our perspective everything we do is a work-around and less than what we'd like to see in this environment.

Ideally, Adobe Sign would have a specific set of processes it recommends to users so that they may maintain PCI compliance in their use of the system. I have yet to come across that. For instance, is it possible to decrypt the contents of an Adobe Sign document with masked fields outside of Adobe Sign? If so, how is that done? We know there are all kinds of workarounds for PDF security based on the fact that third party applications may not adopt the full Adobe standard. For the document to be truly secure, however, you would have to be sure that masked content CANNOT be easily accessed by these third parties. We don't know the answer to that, so we delete the documents.

This is a serious system limitation, based on just not knowing, and at some point we will add this function directly to our application so we don't use Adobe Sign for this purpose at all.
