Educause Security Discussion mailing list archives

Re: Inbound Email Policy & PCIDSS


From: "Witmer, Robert" <r.witmer () SNHU EDU>
Date: Wed, 18 Nov 2009 19:36:51 -0500

Thanks to all for the responses.  Like most (if not all) of you, we have a policy in place regarding the use of email 
for sensitive data.  This includes the solicitation of credit card information via email.

The ASV was specific in asking for a written policy with regards to INBOUND email containing credit card information 
(stating the basis of the concern is that if we receive a single email containing a credit card number, our email 
server is considered electronic storage of credit card information... whether we requested it or not).  I am not 
debating the premise of electronic storage in his example...  I was just wondering if others had to write a policy 
specifically addressing INBOUND email containing credit card info.

The ASV was not condoning or suggesting we use email to send or receive credit card info.  But by asking for a written 
policy, was he implying we should scan and filter INBOUND email that might contain a credit card number?  This might 
not be a bad idea, but how many edu's can/will do this?  And if we don't scan/filter, I'm not sure how a written policy 
on INBOUND email containing credit cards changes the fact that our email system may be storing a credit card number 
that someone sent to us.

So if anyone has a written policy on INBOUND email containing credit card info, I'd be grateful to see it.
Regards,
Bob
________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Witmer, Robert 
[r.witmer () SNHU EDU]
Sent: Wednesday, November 18, 2009 3:35 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Inbound Email Policy & PCIDSS

I was having a discussion this morning with my ASV.  He stated that if our email system accepted inbound email with 
credit card information, they considered it electronic storage of credit card info.  However, if the university had a 
written policy on emails containing credit card info, that changed the circumstances as far as the level of SAQ we are 
required to submit for that particular processor.

I will concede the premise of electronic storage of credit card info in an email system.  My question is “does anyone 
have a written email policy that specifically addresses inbound emails with credit cards?”  And if so, would you care 
to share it?

Regards,
Bob

Please consider the environment before printing this e-mail.
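The thread asks whether an institution should scan and filter inbound mail that might carry a card number. The following is an added example, not code from the list or from any poster, showing the detection and redaction step such a filter performs at a mail gateway: it finds 13 to 19 digit runs (with optional space or dash separators), validates them with the Luhn check to discard order numbers and IDs that merely look like a PAN, and either reports masked findings or rewrites the message so the mail store never holds the full number. All names (`find_pans`, `redact`, `triage_message`, `SAMPLE_EMAIL`) and the sample message are assumptions constructed for this example; the card numbers in it are the well-known public test numbers, not real accounts.

```python
import re
from typing import Dict, List

# Candidate PAN: 13-19 digits, each optionally followed by one space or dash,
# not adjacent to other digits (so a 20-digit run is not treated as a card).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits, as a receipt would."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str) -> List[Dict[str, object]]:
    """Report every Luhn-valid card-like number in the text, masked."""
    findings = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            findings.append({"masked": mask(digits),
                             "length": len(digits),
                             "offset": m.start()})
    return findings


def redact(text: str) -> str:
    """Rewrite the message so validated PANs are replaced by their masked form."""
    def _sub(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask(digits) if luhn_valid(digits) else m.group(0)
    return PAN_CANDIDATE.sub(_sub, text)


def triage_message(text: str) -> Dict[str, object]:
    """Gateway decision: deliver unchanged, or deliver a redacted copy and alert."""
    findings = find_pans(text)
    if not findings:
        return {"action": "deliver", "findings": [], "body": text}
    return {"action": "redact_and_alert", "findings": findings, "body": redact(text)}


# Constructed sample message (hypothetical sender and content) for the example.
# 4111 1111 1111 1111 and 5500 0000 0000 0004 are public test numbers and pass
# Luhn; 1234 5678 9012 3456 does not, so it must be left alone as a false positive.
SAMPLE_EMAIL = """From: student@example.edu
Subject: tuition payment

Hi, please charge my card 4111 1111 1111 1111, exp 12/27.
My student ID is 1234 5678 9012 3456 and my phone is 603-555-0100.
Order reference: 5500-0000-0000-0004.
"""

if __name__ == "__main__":
    result = triage_message(SAMPLE_EMAIL)
    print(result["action"])
    for f in result["findings"]:
        print(f)
    print(result["body"])
```

The Luhn step is what keeps the filter usable: digit-only pattern matching on inbound mail would flag student IDs, tracking numbers and phone numbers, and a policy that produces that many false alerts gets switched off. Running the redaction before the message reaches the mailbox store also addresses the ASV's premise directly, since the server then never retains the full number.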
