Educause Security Discussion mailing list archives
Re: Inbound Email Policy & PCIDSS
From: Daniel Adinolfi <dra1 () CORNELL EDU>
Date: Thu, 19 Nov 2009 09:02:31 -0500
On Nov 18, 2009, at 19:36, Witmer, Robert wrote:
> The ASV was specific in asking for a written policy with regards to INBOUND email containing credit card information (stating the basis of the concern is that if we receive a single email containing a credit card number, our email server is considered electronic storage of credit card information... whether we requested it or not). I am not debating the premise of electronic storage in his example... I was just wondering if others had to write a policy specifically addressing INBOUND email containing credit card info.
IANAL, but... Our read on this is that there needs to be some kind of policy/procedure in place for sanitization when credit card info (or any other sensitive data) is received through non-standard mechanisms. This would be true for email as well as for someone writing down all their credit card info on a whiteboard or slip of paper, for example. If you have those procedures in place (and you follow them), I think the likelihood of getting dinged by an auditor would be very low. We can't stop (stupidity) irresponsible behavior by our customers, but we can have methods for quickly cleaning up after their poor or uninformed judgement.

With regard to email, I do not think you need to be proactively looking for credit card/PII in your email servers, but those who receive those email messages should know what to do to deal with messages that include such info when it accidentally lands in their inboxes.

-Dan
_________________
Daniel Adinolfi, CISSP
Senior Security Engineer, IT Security Office
Cornell University - Office of Information Technologies
email: dra1 () cornell edu
phone: 607-255-7657