Educause Security Discussion mailing list archives

Re: Inbound Email Policy & PCIDSS

From: Conor McGrath <conormc () UCHICAGO EDU>
Date: Wed, 18 Nov 2009 15:16:43 -0600

Witmer, Robert wrote, on 11/18/09 2:35 PM:

I was having a discussion this morning with my ASV. He stated that ifour email system accepted inbound email with credit card information,they considered it electronic storage of credit card info. However, ifthe university had a written policy on emails containing credit cardinfo, that changed the circumstances as far as the level of SAQ we arerequired to submit for that particular processor.
I will concede the premise of electronic storage of credit card info inan email system. My question is “does anyone have a written emailpolicy that specifically addresses inbound emails with credit cards?”And if so, would you care to share it?


By policy we forbid acceptance of credit cards via email. See point #8.

http://adminet.uchicago.edu/admincompt/finpolic/1510.shtml

Also, note that this is not an IT policy, but a policy from the CFO.

-Conor

--
Conor McGrath
Enterprise Information Security
The University of Chicago
Phone: (773)702-7611

Current thread:

Inbound Email Policy & PCIDSS Witmer, Robert (Nov 18)
- <Possible follow-ups>
- Re: Inbound Email Policy & PCIDSS Brad Judy (Nov 18)
- Re: Inbound Email Policy & PCIDSS Conor McGrath (Nov 18)
- Re: Inbound Email Policy & PCIDSS Joel Rosenblatt (Nov 18)
- Re: Inbound Email Policy & PCIDSS Witmer, Robert (Nov 18)
- Re: Inbound Email Policy & PCIDSS Zach Jansen (Nov 19)
- Re: Inbound Email Policy & PCIDSS Daniel Adinolfi (Nov 19)
- Re: Inbound Email Policy & PCIDSS Joel Rosenblatt (Nov 19)
- Re: Inbound Email Policy & PCIDSS Basgen, Brian (Nov 19)
- Re: Inbound Email Policy & PCIDSS Bob Bayn (Nov 19)
- Re: Inbound Email Policy & PCIDSS Joel Rosenblatt (Nov 19)
- Re: Inbound Email Policy & PCIDSS John Ladwig (Nov 19)
- Re: Inbound Email Policy & PCIDSS Joel Rosenblatt (Nov 19)