Educause Security Discussion mailing list archives

Re: Inbound Email Policy & PCIDSS


From: Brad Judy <win-hied () BRADJUDY COM>
Date: Wed, 18 Nov 2009 16:10:54 -0500

Are you talking about an encrypted email system?  Unencrypted email is not
an acceptable form of transmission of credit card information under PCI-DSS
(as per 4.1 - use of encryption in transit), and an ASV should never be
giving advice that suggests it is appropriate.
The scenarios that decide which SAQ you use are pretty well prescribed in
the PCI documentation.  Perhaps if you were a swipe-and-dial environment,
but happened to receive some card numbers via email and were filling out the
full form for that reason (completing this form in this environment would
note a lack of compliance with 4.1).  Then, if you banned the process of using
email for card numbers (to become compliant) and ran a non-networked
swipe-and-dial payment system, you would be able to use the "short form" for
the SAQ.
Brad Judy
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Witmer, Robert
Sent: Wednesday, November 18, 2009 3:35 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Inbound Email Policy & PCIDSS
I was having a discussion this morning with my ASV.  He stated that if our
email system accepted inbound email with credit card information, they
considered it electronic storage of credit card info.  However, if the
university had a written policy on emails containing credit card info, that
changed the circumstances as far as the level of SAQ we are required to
submit for that particular processor.
I will concede the premise of electronic storage of credit card info in an
email system.  My question is "does anyone have a written email policy that
specifically addresses inbound emails with credit cards?"  And if so, would
you care to share it?
Regards,

Bob