Educause Security Discussion mailing list archives
Re: Inbound Email Policy & PCIDSS
From: "Basgen, Brian" <bbasgen () PIMA EDU>
Date: Thu, 19 Nov 2009 08:23:44 -0700
Joel, I don't think Randy is looking for policies that seek to manage how the internet behaves. There is a legitimate need to define procedures on how staff should respond when credit cards are received. We discussed this with our Student Accounts department a few years ago. No policy/procedure came out of our office, since we identified this as a business process within their department. We came out of the discussions with the agreement that their staff would have a defined way to respond when students send CC's over e-mail; e.g. tell the student not to do it in the future, explain our alternate methods, and so on.

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College
Office: 520-206-4873

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Joel Rosenblatt
Sent: Thursday, November 19, 2009 7:32 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Inbound Email Policy & PCIDSS

Hi,

I don't want to be too picky here, and I'm not blaming the messenger (you) .. but this is really dumb .. it's like a policy that says "don't send us spam". I would ask your ASV for some documentation from the PCI people that says that you are responsible for unsolicited receipt of a credit card number .. I would bet that they will not be able to produce it.

Now, if your business process asks for a credit card to be sent to you in an email, then I would say that you have a problem - so maybe you should have a policy that says you cannot ASK for a credit card to be sent in an unencrypted email - that I might believe.

If I wanted to screw with you for some reason, all I would have to do would be to put a credit card number in this email (an expired one, of course :-) - and then call up the PCI people and turn you in ... and then, would they have to come after me because I broke your policy - I don't think so.
Maybe I am completely missing some very subtle point of this argument - please enlighten me - and when you get the document from your ASV, I would hope that you could share it with us.

IANAL - and please do not take this as a Kill the Messenger message - I really don't get it.

Thanks,
Joel

--On Wednesday, November 18, 2009 7:36 PM -0500 "Witmer, Robert" <r.witmer () SNHU EDU> wrote:
Thanks to all for the responses. Like most (if not all) of you, we have a policy in place regarding the use of email for sensitive data. This includes the solicitation of credit card information via email.

The ASV was specific in asking for a written policy with regards to INBOUND email containing credit card information (stating the basis of the concern is that if we receive a single email containing a credit card number, our email server is considered electronic storage of credit card information... whether we requested it or not). I am not debating the premise of electronic storage in his example... I was just wondering if others had to write a policy specifically addressing INBOUND email containing credit card info.

The ASV was not condoning or suggesting we use email to send or receive credit card info. But by asking for a written policy, was he implying we should scan and filter INBOUND email that might contain a credit card number? This might not be a bad idea, but how many edu's can/will do this? And if we don't scan/filter, I'm not sure how a written policy on INBOUND email containing credit cards changes the fact that our email system may be storing a credit card number that someone sent to us.

So if anyone has a written policy on INBOUND email containing credit card info, I'd be grateful to see it.

Regards,
Bob

________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Witmer, Robert [r.witmer () SNHU EDU]
Sent: Wednesday, November 18, 2009 3:35 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Inbound Email Policy & PCIDSS

I was having a discussion this morning with my ASV. He stated that if our email system accepted inbound email with credit card information, they considered it electronic storage of credit card info. However, if the university had a written policy on emails containing credit card info, that changed the circumstances as far as the level of SAQ we are required to submit for that particular processor.

I will concede the premise of electronic storage of credit card info in an email system. My question is "does anyone have a written email policy that specifically addresses inbound emails with credit cards?" And if so, would you care to share it?

Regards,
Bob

Please consider the environment before printing this e-mail.
Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel
Current thread:
- Inbound Email Policy & PCIDSS Witmer, Robert (Nov 18)
- <Possible follow-ups>
- Re: Inbound Email Policy & PCIDSS Brad Judy (Nov 18)
- Re: Inbound Email Policy & PCIDSS Conor McGrath (Nov 18)
- Re: Inbound Email Policy & PCIDSS Joel Rosenblatt (Nov 18)
- Re: Inbound Email Policy & PCIDSS Witmer, Robert (Nov 18)
- Re: Inbound Email Policy & PCIDSS Zach Jansen (Nov 19)
- Re: Inbound Email Policy & PCIDSS Daniel Adinolfi (Nov 19)
- Re: Inbound Email Policy & PCIDSS Joel Rosenblatt (Nov 19)
- Re: Inbound Email Policy & PCIDSS Basgen, Brian (Nov 19)
- Re: Inbound Email Policy & PCIDSS Bob Bayn (Nov 19)
- Re: Inbound Email Policy & PCIDSS Joel Rosenblatt (Nov 19)
- Re: Inbound Email Policy & PCIDSS John Ladwig (Nov 19)
- Re: Inbound Email Policy & PCIDSS Joel Rosenblatt (Nov 19)