Educause Security Discussion mailing list archives

Re: Inbound Email Policy & PCIDSS


From: Daniel Adinolfi <dra1 () CORNELL EDU>
Date: Thu, 19 Nov 2009 09:02:31 -0500

On Nov 18, 2009, at 19:36, Witmer, Robert wrote:

The ASV was specific in asking for a written policy with regards to
INBOUND email containing credit card information (stating the basis
of the concern is that if we receive a single email containing a
credit card number, our email server is considered electronic
storage of credit card information... whether we requested it or
not).  I am not debating the premise of electronic storage in his
example...  I was just wondering if others had to write a policy
specifically addressing INBOUND email containing credit card info.

IANAL, but...

Our read on this is that there needs to be some kind of policy/
procedure in place for sanitization when credit card info (or any
other sensitive data) is received through non-standard mechanisms.
This would be true for email as well as for someone writing down all
their credit card info on a whiteboard or slip of paper, for example.

If you have those procedures in place (and you follow them), I think
the likelihood of getting dinged by an auditor would be very low.  We
can't stop (stupidity) irresponsible behavior by our customers, but we
can have methods for quickly cleaning up after their poor or
uninformed judgement.

With regard to email, I do not think you need to be proactively
looking for credit card/PII in your email servers, but those who
receive those email messages should know what to do to deal with
messages that include such info when it accidentally lands in their
inboxes.

-Dan


_________________
Daniel Adinolfi, CISSP
Senior Security Engineer, IT Security Office
Cornell University - Office of Information Technologies
email: dra1 () cornell edu   phone: 607-255-7657
