Educause Security Discussion mailing list archives
Re: Inbound Email Policy & PCIDSS
From: Zach Jansen <zjanse20 () CALVIN EDU>
Date: Thu, 19 Nov 2009 08:36:34 -0500
It doesn't seem feasible to me to write a policy about inbound CC#'s and really expect that to stop people from sending you CC#'s. I'm not saying you shouldn't do it, but unless you have a technical control in place that refuses CC#'s sent to your email system, you're going to have CC#'s in your email system. Very little of it may be orders placed via email, i.e. sent to your "merchants" on campus. However, you will have students getting CC#'s from their parents, faculty and staff sending CC#'s to their spouses, and variations on that general theme.

Are you really responsible for these as a merchant? That doesn't really make sense to me. But I am not a QSA or an ASV or an expert on PCI.

Zach

--
Zach Jansen
Information Security Officer
Calvin College
Phone: 616.526.6776
Fax: 616.526.8550
On 11/18/2009 at 7:36 PM, in message
<EB4A14AA71CE71448233A27D6E0953B101DF987EF330 () SNHU-CCR-A snhu edu>, "Witmer, Robert" <r.witmer () SNHU EDU> wrote:
Thanks to all for the responses. Like most (if not all) of you, we have a policy in place regarding the use of email for sensitive data. This includes the solicitation of credit card information via email.

The ASV was specific in asking for a written policy with regards to INBOUND email containing credit card information (stating the basis of the concern is that if we receive a single email containing a credit card number, our email server is considered electronic storage of credit card information... whether we requested it or not). I am not debating the premise of electronic storage in his example... I was just wondering if others had to write a policy specifically addressing INBOUND email containing credit card info.

The ASV was not condoning or suggesting we use email to send or receive credit card info. But by asking for a written policy, was he implying we should scan and filter INBOUND email that might contain a credit card number? This might not be a bad idea, but how many edu's can/will do this? And if we don't scan/filter, I'm not sure how a written policy on INBOUND email containing credit cards changes the fact that our email system may be storing a credit card number that someone sent to us.

So if anyone has a written policy on INBOUND email containing credit card info, I'd be grateful to see it.

Regards,
Bob
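What the "technical control that refuses CC#'s" Zach mentions, and the "scan and filter INBOUND email" Bob asks about, could look like at its simplest, as an added example that is not code from either poster, from Calvin College or from SNHU: a Python check that parses one inbound message, pulls out 13-19 digit candidates (with optional space or dash separators) and keeps only those that pass the Luhn mod-10 check, so that plain phone numbers and order references are not flagged. The function names, the regex and the sample message are constructed for this illustration.

```python
"""Added example (not from the thread): a minimal inbound-mail check that flags
Luhn-valid card-number candidates. Every function name and the sample message
below are constructed for this illustration."""
import email
import re
from email import policy

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not glued to surrounding digits (so a 20-digit account number is not matched).
_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the digit strings of all candidates in text that pass Luhn."""
    hits = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Keep the first six and last four digits, so the log itself stores no PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def message_text(raw: bytes) -> str:
    """Concatenate the decoded text/plain and text/html parts of one RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    parts = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            parts.append(part.get_content())
    return "\n".join(parts)


def scan_message(raw: bytes) -> dict:
    """Verdict for one inbound message: whether a PAN was found, plus masked copies for the log."""
    pans = find_pans(message_text(raw))
    return {"contains_pan": bool(pans), "masked": [mask(p) for p in pans]}


# Constructed sample message (not a real email). 4111 1111 1111 1111 is a
# well-known Luhn-valid test number; the phone number is too short and the
# "order ref" has 16 digits but fails Luhn, so neither should be flagged.
SAMPLE_MAIL = b"""\
From: parent@example.com
To: student@example.edu
Subject: bookstore
Content-Type: text/plain; charset=utf-8

Use my card 4111 1111 1111 1111, exp 12/29, for the books.
Call me at 616-526-6776 if there is a problem. Order ref 1234-5678-9012-3456.
"""

if __name__ == "__main__":
    print(scan_message(SAMPLE_MAIL))
```

Whether a hit is rejected at the MTA, quarantined, or just reported is the policy decision the thread is about; the check only makes the decision enforceable. It does not look inside attachments or images, and Luhn alone accepts roughly one in ten random digit strings, so in practice it is paired with issuer prefix lists or human review before anything is bounced.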
Current thread:
- Inbound Email Policy & PCIDSS Witmer, Robert (Nov 18)
- <Possible follow-ups>
- Re: Inbound Email Policy & PCIDSS Brad Judy (Nov 18)
- Re: Inbound Email Policy & PCIDSS Conor McGrath (Nov 18)
- Re: Inbound Email Policy & PCIDSS Joel Rosenblatt (Nov 18)
- Re: Inbound Email Policy & PCIDSS Witmer, Robert (Nov 18)
- Re: Inbound Email Policy & PCIDSS Zach Jansen (Nov 19)
- Re: Inbound Email Policy & PCIDSS Daniel Adinolfi (Nov 19)
- Re: Inbound Email Policy & PCIDSS Joel Rosenblatt (Nov 19)
- Re: Inbound Email Policy & PCIDSS Basgen, Brian (Nov 19)
- Re: Inbound Email Policy & PCIDSS Bob Bayn (Nov 19)
- Re: Inbound Email Policy & PCIDSS Joel Rosenblatt (Nov 19)
- Re: Inbound Email Policy & PCIDSS John Ladwig (Nov 19)
- Re: Inbound Email Policy & PCIDSS Joel Rosenblatt (Nov 19)