Educause Security Discussion mailing list archives

Re: Inbound Email Policy & PCIDSS
From: Zach Jansen <zjanse20 () CALVIN EDU>
Date: Thu, 19 Nov 2009 08:36:34 -0500

It doesn't seem feasible to me to write a policy about inbound CC#'s and really expect that to stop people from sending 
you CC#'s. I'm not saying you shouldn't do it, but unless you have a technical control in place that refuses CC#'s sent 
to your email system you're going to have CC#'s in your email system. Very little of it may be orders placed via email, 
i.e. sent to your "merchants" on campus. However, you will have students getting CC#'s from their parents, faculty and 
staff sending CC#'s to their spouses, and variations on that general theme. Are you really responsible for these as a 
merchant? That doesn't really make sense to me. But I am not a QSA or an ASV or an expert on PCI. 

Zach

-- 

Zach Jansen
Information Security Officer
Calvin College
Phone: 616.526.6776
Fax: 616.526.8550

On 11/18/2009 at 7:36 PM, in message
<EB4A14AA71CE71448233A27D6E0953B101DF987EF330 () SNHU-CCR-A snhu edu>, "Witmer,
Robert" <r.witmer () SNHU EDU> wrote:
Thanks to all for the responses.  Like most (if not all) of you, we have a 
policy in place regarding the use of email for sensitive data.  This includes 
the solicitation of credit card information via email.

The ASV was specific in asking for a written policy with regards to INBOUND 
email containing credit card information (stating the basis of the concern is 
that if we receive a single email containing a credit card number, our email 
server is considered electronic storage of credit card information... whether 
we requested it or not).  I am not debating the premise of electronic storage 
in his example...  I was just wondering if others had to write a policy 
specifically addressing INBOUND email containing credit card info.

The ASV was not condoning or suggesting we use email to send or receive 
credit card info.  But by asking for a written policy, was he implying we 
should scan and filter INBOUND email that might contain a credit card number? 
This might not be a bad idea, but how many edu's can/will do this?  And if 
we don't scan/filter, I'm not sure how a written policy on INBOUND email 
containing credit cards changes the fact that our email system may be storing 
a credit card number that someone sent to us.

So if anyone has a written policy on INBOUND email containing credit card 
info, I'd be grateful to see it.

Regards,
Bob
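
Both messages turn on whether inbound mail can be scanned for card numbers before it lands in the mail store, so here is an added example (not from either poster) of the detection step such a filter would run: candidate digit runs are validated with the Luhn check so phone numbers and order references do not trip it, and hits are reported masked to the last four digits. The sample message, addresses and order reference are constructed; 4111 1111 1111 1111 is the well-known test PAN, not a live card.

```python
import re
from email import message_from_string

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not glued to other digits (so the middle of a longer number is not matched).
CANDIDATE_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; every issued card PAN passes it, most other digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list:
    """Return distinct Luhn-valid candidate PANs found in text, separators stripped."""
    found = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits) and digits not in found:
            found.append(digits)
    return found

def scan_message(raw: str) -> dict:
    """Scan every text/plain part of an RFC 822 message; report hits masked to the last 4."""
    msg = message_from_string(raw)
    bodies = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw_bytes = part.get_payload(decode=True) or b""
            bodies.append(raw_bytes.decode(part.get_content_charset() or "utf-8", "replace"))
    hits = find_pans("\n".join(bodies))
    return {"subject": msg["Subject"], "hit_count": len(hits),
            "masked": ["*" * (len(p) - 4) + p[-4:] for p in hits],
            "action": "quarantine" if hits else "deliver"}

# Constructed sample: the test PAN must be flagged, the 14-digit order ref fails Luhn and must not.
SAMPLE = """From: parent@example.com
To: student@example.edu
Subject: tuition payment
Content-Type: text/plain

Hi, use my card 4111 1111 1111 1111 at the bookstore. Order ref 20091119083634.
"""

if __name__ == "__main__":
    print(scan_message(SAMPLE))
```

A real deployment would run this at the gateway (milter or transport rule) before the message is written to the mailbox store, which is the point at which the ASV's "electronic storage" concern arises.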
