Educause Security Discussion mailing list archives
Re: Inbound Email Policy & PCIDSS
From: Conor McGrath <conormc () UCHICAGO EDU>
Date: Wed, 18 Nov 2009 15:16:43 -0600
Witmer, Robert wrote, on 11/18/09 2:35 PM:
I was having a discussion this morning with my ASV. He stated that if our email system accepted inbound email with credit card information, they considered it electronic storage of credit card info. However, if the university had a written policy on emails containing credit card info, that changed the circumstances as far as the level of SAQ we are required to submit for that particular processor.

I will concede the premise of electronic storage of credit card info in an email system. My question is “does anyone have a written email policy that specifically addresses inbound emails with credit cards?” And if so, would you care to share it?
By policy we forbid acceptance of credit cards via email. See point #8.
http://adminet.uchicago.edu/admincompt/finpolic/1510.shtml
Also, note that this is not an IT policy, but a policy from the CFO.

-Conor

--
Conor McGrath
Enterprise Information Security
The University of Chicago
Phone: (773)702-7611