Educause Security Discussion mailing list archives
Re: Inbound Email Policy & PCIDSS
From: Brad Judy <win-hied () BRADJUDY COM>
Date: Wed, 18 Nov 2009 16:10:54 -0500
Are you talking about an encrypted email system? Unencrypted email is not an acceptable form of transmission of credit card information under PCI-DSS (as per 4.1 - use of encryption in transit), and an ASV should never be giving advice that suggests it is appropriate.

The scenarios that decide which SAQ you use are pretty well prescribed in the PCI documentation. Perhaps if you were a swipe-and-dial environment, but happened to receive some card numbers via email and were filling out the full form for that reason (completing this form in this environment would note a lack of compliance to 4.1). Then, if you banned the process of using email for card numbers (to become compliant) and ran a non-networked swipe-and-dial payment system, you would be able to use the "short form" for the SAQ.

Brad Judy

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Witmer, Robert
Sent: Wednesday, November 18, 2009 3:35 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Inbound Email Policy & PCIDSS

I was having a discussion this morning with my ASV. He stated that if our email system accepted inbound email with credit card information, they considered it electronic storage of credit card info. However, if the university had a written policy on emails containing credit card info, that changed the circumstances as far as the level of SAQ we are required to submit for that particular processor.

I will concede the premise of electronic storage of credit card info in an email system. My question is "does anyone have a written email policy that specifically addresses inbound emails with credit cards?" And if so, would you care to share it?

Regards,
Bob

Please consider the environment before printing this e-mail.