Question

The off-the-shelf ASP.net Membership Provider and tables do not appear to be PCI-compliant. Has anyone already implemented a PCI-Compliant Membership Provider for ASP.net? In particular, I am looking at the requirements for section 8.5:

  • 8.5.2: Is user identity verified before performing password resets for user requests made via non-face-to-face method?

    For this I am thinking an email with a reset token valid for no more than X hours. The default provider just generates a random value and sends it via email (although we could enable Security Question/Answer to fulfill this requirement).

  • 8.5.5: Are inactive user accounts over 90 days old either removed or disabled?

    Default provider does not support this action. We could tie into the OnLoggingIn to do some checks prior to allowing the login attempt to proceed.

  • 8.5.9: Are user passwords changed at least every 90 days?

    Should be able to check this OnLoggedIn. If last password date > 90, redirect to the password change form instead of the desired content.

  • 8.5.12: Must an individual submit a new password that is different from any of the last four passwords he or she has used?

    I do not believe the membership tables for the default providers support this. We could add a password history table and stick an entry in every time someone creates a new password. These could then be checked in the OnChangingPassword event of the ChangePassword control.

I am fully capable of doing this myself, but if there is already something out there I'd like to take advantage.
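The four checks sketched in the question (reset token with an expiry, 90-day inactivity, 90-day password age, no reuse of the last four passwords) as plain C# helpers that can be called from the Login and ChangePassword control events mentioned above. This is an added example, not code from the original post or from ASP.NET Membership: the type names `PciPasswordPolicy`, `PasswordRecord` and `ResetToken` are this example's own, the one-hour token lifetime and PBKDF2 iteration count are assumptions, and persistence of the history table and token store is left to the caller. The `Rfc2898DeriveBytes` overload taking `HashAlgorithmName` requires .NET Framework 4.7.2 or .NET Core.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;

// One row of the password history table the question proposes (8.5.12).
// Each row keeps its own salt so old hashes stay independent of each other.
public sealed class PasswordRecord
{
    public byte[] Salt { get; set; }
    public byte[] Hash { get; set; }
    public DateTime CreatedUtc { get; set; }
}

// Server-side record of an outstanding reset token (8.5.2).
// Only the SHA-256 of the token is stored; the plaintext goes in the e-mail.
public sealed class ResetToken
{
    public byte[] TokenHash { get; set; }
    public DateTime ExpiresUtc { get; set; }
}

public static class PciPasswordPolicy
{
    public const int MaxPasswordAgeDays = 90;     // 8.5.9
    public const int MaxInactiveDays = 90;        // 8.5.5
    public const int HistoryDepth = 4;            // 8.5.12
    public const int ResetTokenLifetimeHours = 1; // 8.5.2, "X hours" in the question; 1 is an assumption
    const int Iterations = 100000;                // PBKDF2 work factor, assumption

    // 8.5.9: true when the password is older than 90 days. Feed it
    // MembershipUser.LastPasswordChangedDate from the Login.LoggedIn handler
    // and redirect to the change-password page instead of the requested content.
    public static bool IsPasswordExpired(DateTime lastChangedUtc, DateTime nowUtc)
    {
        return (nowUtc - lastChangedUtc).TotalDays > MaxPasswordAgeDays;
    }

    // 8.5.5: true when the account has been idle for more than 90 days.
    // Feed it MembershipUser.LastActivityDate from Login.LoggingIn and cancel the login.
    public static bool IsAccountInactive(DateTime lastActivityUtc, DateTime nowUtc)
    {
        return (nowUtc - lastActivityUtc).TotalDays > MaxInactiveDays;
    }

    // Creates the history row to store whenever a password is set or changed.
    public static PasswordRecord HashPassword(string password, DateTime nowUtc)
    {
        byte[] salt = RandomBytes(16);
        return new PasswordRecord { Salt = salt, Hash = Pbkdf2(password, salt), CreatedUtc = nowUtc };
    }

    // 8.5.12: true when the candidate equals any of the newest four history rows.
    // The candidate is re-derived with each row's own salt before comparing.
    public static bool IsReusedPassword(string candidate, IEnumerable<PasswordRecord> history)
    {
        return history.OrderByDescending(r => r.CreatedUtc)
                      .Take(HistoryDepth)
                      .Any(r => FixedTimeEquals(Pbkdf2(candidate, r.Salt), r.Hash));
    }

    // 8.5.2: 256-bit random token; e-mail `plaintext`, persist the returned record.
    public static ResetToken CreateResetToken(DateTime nowUtc, out string plaintext)
    {
        byte[] raw = RandomBytes(32);
        plaintext = Convert.ToBase64String(raw);
        return new ResetToken { TokenHash = Sha256(raw), ExpiresUtc = nowUtc.AddHours(ResetTokenLifetimeHours) };
    }

    // Rejects expired, malformed and non-matching tokens; the caller should
    // delete the stored record after one successful use.
    public static bool ValidateResetToken(string presented, ResetToken stored, DateTime nowUtc)
    {
        if (nowUtc >= stored.ExpiresUtc) return false;
        byte[] raw;
        try { raw = Convert.FromBase64String(presented); }
        catch (FormatException) { return false; }
        return FixedTimeEquals(Sha256(raw), stored.TokenHash);
    }

    static byte[] Pbkdf2(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(32);
    }

    static byte[] Sha256(byte[] data)
    {
        using (var sha = SHA256.Create()) return sha.ComputeHash(data);
    }

    static byte[] RandomBytes(int count)
    {
        var buffer = new byte[count];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(buffer);
        return buffer;
    }

    // Compares every byte regardless of where the first mismatch is, so the
    // comparison time does not reveal how much of a hash or token was correct.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Wiring: call `IsReusedPassword` from the ChangePassword control's `ChangingPassword` handler and set `e.Cancel = true` when it returns true, then append `HashPassword(newPassword, DateTime.UtcNow)` to the history table once the change succeeds; call `IsAccountInactive` from `Login.LoggingIn` and `IsPasswordExpired` from `Login.LoggedIn`. All dates are compared in UTC to avoid off-by-a-few-hours errors at the 90-day boundary.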


Solution

Couldn't find any out-of-box solutions, so will be following James's advice and writing my own.

Licensed under: CC-BY-SA with attribution