Educause Security Discussion mailing list archives

Re: Inbound Email Policy & PCIDSS


From: "Basgen, Brian" <bbasgen () PIMA EDU>
Date: Thu, 19 Nov 2009 08:23:44 -0700

Joel,

 I don't think Randy is looking for policies that seek to manage how the internet behaves.

 There is a legitimate need to define procedures on how staff should respond when credit cards are received. We discussed this with our Student Accounts department a few years ago. No policy/procedure came out of our office, since we identified this as a business process within their department. We came out of the discussions with the agreement that their staff would have a defined way to respond when students send CCs over e-mail; e.g. tell the student not to do it in the future, explain our alternate methods, and so on.

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College
Office: 520-206-4873


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Joel Rosenblatt
Sent: Thursday, November 19, 2009 7:32 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Inbound Email Policy & PCIDSS

Hi,

I don't want to be too picky here, and I'm not blaming the messenger (you) .. but this is really dumb .. it's like a policy that says "don't send us spam".

I would ask your ASV for some documentation from the PCI people that says that you are responsible for unsolicited receipt of a credit card number .. I would bet that they will not be able to produce it.

Now, if your business process asks for a credit card to be sent to you in an email, then I would say that you have a problem - so maybe you should have a policy that says you cannot ASK for a credit card to be sent in an unencrypted email - that I might believe.

If I wanted to screw with you for some reason, all I would have to do would be to put a credit card number in this email (an expired one, of course :-) - and then call up the PCI people and turn you in ... and then, would they have to come after me because I broke your policy - I don't think so.

Maybe I am completely missing some very subtle point of this argument - please enlighten me - and when you get the document from your ASV, I would hope that you could share it with us.

IANAL - and please do not take this as a Kill the Messenger message - I really don't get it.

Thanks,
Joel

--On Wednesday, November 18, 2009 7:36 PM -0500 "Witmer, Robert" <r.witmer () SNHU EDU> wrote:

Thanks to all for the responses.  Like most (if not all) of you, we have a policy in place regarding the use of email for sensitive data.  This includes the solicitation of credit card information via email.

The ASV was specific in asking for a written policy with regards to INBOUND email containing credit card information (stating the basis of the concern is that if we receive a single email containing a credit card number, our email server is considered electronic storage of credit card information... whether we requested it or not).  I am not debating the premise of electronic storage in his example...  I was just wondering if others had to write a policy specifically addressing INBOUND email containing credit card info.

The ASV was not condoning or suggesting we use email to send or receive credit card info.  But by asking for a written policy, was he implying we should scan and filter INBOUND email that might contain a credit card number?  This might not be a bad idea, but how many edu's can/will do this?  And if we don't scan/filter, I'm not sure how a written policy on INBOUND email containing credit cards changes the fact that our email system may be storing a credit card number that someone sent to us.

So if anyone has a written policy on INBOUND email containing credit card info, I'd be grateful to see it.
Regards,
Bob
________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Witmer, Robert [r.witmer () SNHU EDU]
Sent: Wednesday, November 18, 2009 3:35 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Inbound Email Policy & PCIDSS

I was having a discussion this morning with my ASV.  He stated that if our email system accepted inbound email with credit card information, they considered it electronic storage of credit card info.  However, if the university had a written policy on emails containing credit card info, that changed the circumstances as far as the level of SAQ we are required to submit for that particular processor.

I will concede the premise of electronic storage of credit card info in an email system.  My question is "does anyone have a written email policy that specifically addresses inbound emails with credit cards?"  And if so, would you care to share it?

Regards,
Bob




Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel
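Bob's question above, whether an institution can scan and filter inbound mail for card numbers, is the one technical point in the thread. The following is an added example of such a scanner, not code from this thread, from EDUCAUSE or from any DLP product; the function names (find_pans, scan_message, disposition), the masking format and the sample message are this example's own. It parses a raw message with the Python standard library, pulls 13-19 digit runs out of every text part, discards the ones that fail the Luhn check (student IDs and tracking numbers are the usual false positives), and returns only a masked form of each hit so the scanner's own log does not become a second copy of cardholder data.

```python
"""Scan an inbound e-mail for primary account numbers (PANs).

Added example: finds 13-19 digit runs, drops the ones that fail the Luhn
check (student IDs, tracking numbers), and returns PCI-style masked
findings plus a delivery decision.  Names below (find_pans, scan_message,
disposition) are this example's own, not a real DLP product's API.
"""
import email
import re
from email import policy

# Candidate PAN: 13-19 digits, optionally separated by a single space or dash
# between digits.  The lookarounds reject runs that continue as more digits,
# so a 13-digit slice of a longer number is not reported on its own.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?<!\d[ -])(?:\d[ -]?){12,18}\d(?![ -]?\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check (ISO/IEC 7812-1 Annex B) over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, the most PCI DSS lets you display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return the Luhn-valid PANs found in a block of text (digits only)."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def scan_message(raw: bytes) -> list:
    """Parse a raw RFC 5322 message and scan every text/* part for PANs.

    Returns one finding per PAN as {"part": content_type, "masked": ...};
    the full number is never returned.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue        # attachments (PDF, images) would need their own extractor
        for pan in find_pans(part.get_content()):
            findings.append({"part": part.get_content_type(), "masked": mask_pan(pan)})
    return findings


def disposition(findings: list) -> str:
    """Delivery decision for an MTA hook: hold any mail that carries a PAN."""
    return "quarantine" if findings else "deliver"


# Constructed sample message: 4111 1111 1111 1111 is the well-known Visa test
# number; the 16-digit "student ID" is a deliberate Luhn-failing decoy.
SAMPLE_MESSAGE = b"""\
From: student@example.edu
To: accounts@example.edu
Subject: tuition payment
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Hi, please charge my card 4111 1111 1111 1111, exp 12/29.
My student ID is 1234567890123456 and my phone is 555-010-0199.
"""

if __name__ == "__main__":
    hits = scan_message(SAMPLE_MESSAGE)
    print(hits, disposition(hits))
```

Run stand-alone it reports one finding, masked as 411111******1111, and a "quarantine" decision; the decoy student ID is rejected by the Luhn check even though it has the right length. The Luhn test is cheap but not a proof that a run is a card number, so a real deployment would pair it with an issuer-prefix list and a quarantine-and-notify step rather than silent rejection, and would unpack attachments, which this example skips.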
