Educause Security Discussion mailing list archives
Re: Inbound Email Policy & PCIDSS
From: Joel Rosenblatt <joel () COLUMBIA EDU>
Date: Thu, 19 Nov 2009 09:31:37 -0500
Hi,

I don't want to be too picky here, and I'm not blaming the messenger (you) .. but this is really dumb .. it's like a policy that says "don't send us spam". I would ask your ASV for some documentation from the PCI people that says that you are responsible for unsolicited receipt of a credit card number .. I would bet that they will not be able to produce it.

Now, if your business process asks for a credit card to be sent to you in an email, then I would say that you have a problem - so maybe you should have a policy that says you cannot ASK for a credit card to be sent in an unencrypted email - that I might believe.

If I wanted to screw with you for some reason, all I would have to do would be to put a credit card number in this email (an expired one, of course :-) - and then call up the PCI people and turn you in ... and then, would they have to come after me because I broke your policy - I don't think so.

Maybe I am completely missing some very subtle point of this argument - please enlighten me - and when you get the document from your ASV, I would hope that you could share it with us.

IANAL - and please do not take this as a Kill the Messenger message - I really don't get it.

Thanks,
Joel

--On Wednesday, November 18, 2009 7:36 PM -0500 "Witmer, Robert" <r.witmer () SNHU EDU> wrote:
Thanks to all for the responses. Like most (if not all) of you, we have a policy in place regarding the use of email for sensitive data. This includes the solicitation of credit card information via email.

The ASV was specific in asking for a written policy with regards to INBOUND email containing credit card information (stating the basis of the concern is that if we receive a single email containing a credit card number, our email server is considered electronic storage of credit card information... whether we requested it or not). I am not debating the premise of electronic storage in his example... I was just wondering if others had to write a policy specifically addressing INBOUND email containing credit card info.

The ASV was not condoning or suggesting we use email to send or receive credit card info. But by asking for a written policy, was he implying we should scan and filter INBOUND email that might contain a credit card number? This might not be a bad idea, but how many edu's can/will do this? And if we don't scan/filter, I'm not sure how a written policy on INBOUND email containing credit cards changes the fact that our email system may be storing a credit card number that someone sent to us.

So if anyone has a written policy on INBOUND email containing credit card info, I'd be grateful to see it.

Regards,
Bob

________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Witmer, Robert [r.witmer () SNHU EDU]
Sent: Wednesday, November 18, 2009 3:35 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Inbound Email Policy & PCIDSS

I was having a discussion this morning with my ASV. He stated that if our email system accepted inbound email with credit card information, they considered it electronic storage of credit card info. However, if the university had a written policy on emails containing credit card info, that changed the circumstances as far as the level of SAQ we are required to submit for that particular processor.

I will concede the premise of electronic storage of credit card info in an email system. My question is "does anyone have a written email policy that specifically addresses inbound emails with credit cards?" And if so, would you care to share it?

Regards,
Bob

Please consider the environment before printing this e-mail.
Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel
Current thread:
- Inbound Email Policy & PCIDSS Witmer, Robert (Nov 18)
- <Possible follow-ups>
- Re: Inbound Email Policy & PCIDSS Brad Judy (Nov 18)
- Re: Inbound Email Policy & PCIDSS Conor McGrath (Nov 18)
- Re: Inbound Email Policy & PCIDSS Joel Rosenblatt (Nov 18)
- Re: Inbound Email Policy & PCIDSS Witmer, Robert (Nov 18)
- Re: Inbound Email Policy & PCIDSS Zach Jansen (Nov 19)
- Re: Inbound Email Policy & PCIDSS Daniel Adinolfi (Nov 19)
- Re: Inbound Email Policy & PCIDSS Joel Rosenblatt (Nov 19)
- Re: Inbound Email Policy & PCIDSS Basgen, Brian (Nov 19)
- Re: Inbound Email Policy & PCIDSS Bob Bayn (Nov 19)
- Re: Inbound Email Policy & PCIDSS Joel Rosenblatt (Nov 19)
- Re: Inbound Email Policy & PCIDSS John Ladwig (Nov 19)
- Re: Inbound Email Policy & PCIDSS Joel Rosenblatt (Nov 19)