Educause Security Discussion mailing list archives

Re: Inbound Email Policy & PCIDSS


From: Joel Rosenblatt <joel () COLUMBIA EDU>
Date: Thu, 19 Nov 2009 09:31:37 -0500

Hi,

I don't want to be too picky here, and I'm not blaming the messenger (you) .. but this is really dumb .. it's like a policy that says "don't send us spam".

I would ask your ASV for some documentation from the PCI people that says that you are responsible for unsolicited receipt of a credit card number .. I would bet that they will not be able to produce it.

Now, if your business process asks for a credit card to be sent to you in an email, then I would say that you have a problem - so maybe you should have a policy that says you cannot ASK for a credit card to be sent in an unencrypted email - that I might believe.

If I wanted to screw with you for some reason, all I would have to do would be to put a credit card number in this email (an expired one, of course :-) - and then call up the PCI people and turn you in ... and then, would they have to come after me because I broke your policy - I don't think so.

Maybe I am completely missing some very subtle point of this argument - please enlighten me - and when you get the document from your ASV, I would hope that you could share it with us.

IANAL - and please do not take this as a Kill the Messenger message - I really don't get it.

Thanks,
Joel

--On Wednesday, November 18, 2009 7:36 PM -0500 "Witmer, Robert" <r.witmer () SNHU EDU> wrote:

Thanks to all for the responses.  Like most (if not all) of you, we have a policy in place regarding the use of email for sensitive data.  This includes the solicitation of credit card information via email.

The ASV was specific in asking for a written policy with regards to INBOUND email containing credit card information (stating the basis of the concern is that if we receive a single email containing a credit card number, our email server is considered electronic storage of credit card information... whether we requested it or not).  I am not debating the premise of electronic storage in his example...  I was just wondering if others had to write a policy specifically addressing INBOUND email containing credit card info.

The ASV was not condoning or suggesting we use email to send or receive credit card info.  But by asking for a written policy, was he implying we should scan and filter INBOUND email that might contain a credit card number?  This might not be a bad idea, but how many edu's can/will do this?  And if we don't scan/filter, I'm not sure how a written policy on INBOUND email containing credit cards changes the fact that our email system may be storing a credit card number that someone sent to us.

So if anyone has a written policy on INBOUND email containing credit card info, I'd be grateful to see it.
Regards,
Bob
________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Witmer, Robert [r.witmer () SNHU EDU]
Sent: Wednesday, November 18, 2009 3:35 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Inbound Email Policy & PCIDSS

I was having a discussion this morning with my ASV.  He stated that if our email system accepted inbound email with credit card information, they considered it electronic storage of credit card info.  However, if the university had a written policy on emails containing credit card info, that changed the circumstances as far as the level of SAQ we are required to submit for that particular processor.

I will concede the premise of electronic storage of credit card info in an email system.  My question is "does anyone have a written email policy that specifically addresses inbound emails with credit cards?"  And if so, would you care to share it?

Regards,
Bob




Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel
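Bob asks whether the ASV's request implies scanning and filtering inbound mail for card numbers. As an added illustration, not code from this thread or from either institution named in it, here is a minimal inbound-mail check in Python: it pulls digit runs out of the message body, keeps only the Luhn-valid ones, and reports them masked so the finding itself does not become a second copy of the PAN. The message, addresses and card number are constructed (the number is the standard Visa test PAN).

```python
import re
from email import message_from_string

# Constructed sample inbound message; 4111 1111 1111 1111 is the well-known Visa test PAN
SAMPLE_MESSAGE = """From: student@example.edu
To: bursar@example.edu
Subject: tuition payment

Hi, please charge my card 4111 1111 1111 1111, exp 09/27.
Our reference number is 1234 5678 9012.
Thanks!
"""

# Runs of 13-19 digits, optionally separated by single spaces or hyphens,
# not preceded or followed by another digit
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: issuer PANs pass it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask(digits: str) -> str:
    """Keep only the last four digits so the report does not store the PAN."""
    return "*" * (len(digits) - 4) + digits[-4:]

def find_pans(text: str) -> list[str]:
    """Return masked, Luhn-valid card-number candidates found in free text."""
    found = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(mask(digits))
    return found

def scan_message(raw: str) -> dict:
    """Parse an RFC 822 message, scan its text/plain body, and return a flag plus masked findings."""
    msg = message_from_string(raw)
    if msg.is_multipart():
        body = "".join(p.get_payload() for p in msg.walk()
                       if p.get_content_type() == "text/plain")
    else:
        body = msg.get_payload()
    hits = find_pans(body)
    return {"subject": msg["Subject"], "flag": bool(hits), "findings": hits}
```

A Luhn match is only a candidate, and the check cannot tell an expired card from a live one; its purpose is to give the mail gateway something to quarantine or reroute rather than leaving the number in a mailbox.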
