Our security auditor is an idiot. How do I give him the information he wants?
First, DON'T capitulate. He is not only an idiot but DANGEROUSLY wrong. In fact, releasing this information would violate the PCI standard (which is what I'm assuming the audit is for since it's a payment processor) along with every other standard out there and just plain common sense. It would also expose your company to all sorts of liabilities.
The next thing I would do is send an email to your boss saying he needs to get corporate counsel involved to determine the legal exposure the company would be facing by proceeding with this action.
This last bit is up to you, but I would contact VISA with this information and get his PCI auditor status pulled.
As someone who has been through the audit procedure with Price Waterhouse Coopers for a classified government contract, I can assure you, this is totally out of the question and this guy is insane.
When PwC wanted to check our password strength they:
- Asked to see our password strength algorithms
- Ran test units against our algorithms to check that they would deny poor passwords
- Asked to see our encryption algorithms to ensure that they couldn't be reversed or un-encrypted (even by rainbow tables), even by someone who had full access to every aspect of the system
- Checked to see that previous passwords were cached to ensure that they couldn't be re-used
- Asked us for permission (which we granted) for them to attempt to break into the network and related systems using non-social engineering techniques (things like xss and non-0 day exploits)
If I had even hinted that I could show them what the users passwords were over the last 6 months, they would have shut us out of the contract immediately.
If it were possible to provide these requirements, you would instantly fail every single audit worth having.
Update: Your response email looks good. Far more professional than anything I would have written.