× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.



It does count as encryption but just being encrypted doesn't remove
something from scope. You have to actually not have card data to be out of
scope. Even using tokenized data doesn't remove systems from scope (though
compliance is much easier if you do tokenize).

Incidentally, an individual sending their own personal or corporate card
data via email or other insecure channels is not a PCI violation. Reason
being is that the business entity hosting the mail system is not acting as
a processor. Example: You send a Citibank card number to someone selling
stuff on Etsy through Dekko's email. In this case Dekko is not a service
provider WRT the card transaction. For the transaction they are none of
these: a broker, a merchant, a payment gateway, a clearing house, acting as
a 3rd party processor, and aren't the issuing bank.

The PCI standard and supporting docs are all freely available if you want
to look at it in more detail.
https://www.pcisecuritystandards.org/document_library


On Thu, Apr 18, 2019 at 10:46 AM Rob Berendt <rob@xxxxxxxxx> wrote:

So an encrypted file does not count as file/folder encryption?

-----Original Message-----
From: PcTech <pctech-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of John Jones
Sent: Wednesday, April 17, 2019 9:04 PM
To: PC Technical Discussion for IBM i (AS/400 and iSeries) Users <
pctech@xxxxxxxxxxxxxxxxxx>
Subject: Re: [PCTECH] Email blocking inbound credit card numbers

Short answer is no. PCI data stored in production databases needs to be
encrypted at rest. Typically that involves disk encryption, file/folder
encryption, or column encryption within tables (transparent data encryption
or similar).

Also, PCI data in transport needs to be encrypted when sent over public
networks.

PCI also requires encryption key management so sending something encrypted
without a key management process to rotate the keys, have assigned key
custodians, etc. is only a partial pass of the controls.

On Wed, Apr 17, 2019 at 1:33 PM Rob Berendt <rob@xxxxxxxxx> wrote:

Kind of curious. If the sensitive information is in an encrypted
attachment does that exclude tossing in the whole email system for
review?

-----Original Message-----
From: PcTech <pctech-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of John
Jones
Sent: Wednesday, April 17, 2019 2:14 PM
To: PC Technical Discussion for IBM i (AS/400 and iSeries) Users <
pctech@xxxxxxxxxxxxxxxxxx>
Cc: David Gibbs <david@xxxxxxxxxxxx>
Subject: Re: [PCTECH] Email blocking inbound credit card numbers

If you're a merchant, service provider, or other processor in the PCI
chain and you take CCs via email then your entire email system may be
considered in-scope by your PCI assessor and the full DSS applies.
Which means encryption everywhere, physical access reviews, etc.
Generally, even if you use Office365, G Suite, or some other hosted
solution, this is non-trivial and non-cheap.

Also, rejecting CCs sent via email might, just might, slowly train a
few people to think before they send sensitive information via
insecure channels.

Downside is that a lot of numbers can match the Luhn check so false
positive rate can be high unless the logic looks for other things.

(I own the PCI compliance program for a Level 1 service provider)

On Wed, Apr 17, 2019 at 10:41 AM Jim Oberholtzer <
midrangel@xxxxxxxxxxxxxxxxx> wrote:

I would not want the liability of getting onto my system in the
first place....


--
Jim Oberholtzer
Agile Technology Architects

-----Original Message-----
From: PcTech <pctech-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of David
Gibbs via PcTech
Sent: Wednesday, April 17, 2019 10:39 AM
To: pctech@xxxxxxxxxxxxxxxxxx
Cc: David Gibbs <david@xxxxxxxxxxxx>
Subject: [PCTECH] Email blocking inbound credit card numbers

I've noticed something kind of interesting on the mailing lists
recently.

Some mail servers are blocking inbound email that appear to contain
credit card numbers.

I can understand restrictions on filtering outbound mail that might
contain credit card numbers. While it's obviously not a good idea to
send a credit card number in email, why would a company block mail
that
does contain one?

david

--
IBM i on Power Systems: For when you can't afford to be out of
business!

I'm riding 615 miles (Yes, you read that right) in the American
Diabetes Association's Tour de Cure to raise money for diabetes
research, education, advocacy, and awareness. You can make a
tax-deductible donation to my ride by visiting
https://mideml.diabetessucks.net.

You can see where my donations come from by visiting my interactive
donation map ... https://mideml.diabetessucks.net/map (it's a geeky
thing).

I may have diabetes, but diabetes doesn't have me!
--
This is the PC Technical Discussion for IBM i (AS/400 and iSeries)
Users
(PcTech) mailing list To post a message email:
PcTech@xxxxxxxxxxxxxxxxxx To subscribe, unsubscribe, or change list
options,
visit: https://lists.midrange.com/mailman/listinfo/pctech
or email: PcTech-request@xxxxxxxxxxxxxxxxxx Before posting, please
take a moment to review the archives at
https://archive.midrange.com/pctech.

Help support midrange.com by shopping at amazon.com with our
affiliate
link: https://amazon.midrange.com

--
This is the PC Technical Discussion for IBM i (AS/400 and iSeries)
Users
(PcTech) mailing list
To post a message email: PcTech@xxxxxxxxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/pctech
or email: PcTech-request@xxxxxxxxxxxxxxxxxx Before posting, please
take a moment to review the archives at
https://archive.midrange.com/pctech.

Help support midrange.com by shopping at amazon.com with our
affiliate
link: https://amazon.midrange.com



--
John Jones, CISSP
History has taught us that we don't learn from the past.
--
This is the PC Technical Discussion for IBM i (AS/400 and iSeries)
Users
(PcTech) mailing list To post a message email:
PcTech@xxxxxxxxxxxxxxxxxx To subscribe, unsubscribe, or change list
options,
visit: https://lists.midrange.com/mailman/listinfo/pctech
or email: PcTech-request@xxxxxxxxxxxxxxxxxx Before posting, please
take a moment to review the archives at
https://archive.midrange.com/pctech.

Help support midrange.com by shopping at amazon.com with our affiliate
link: https://amazon.midrange.com
--
This is the PC Technical Discussion for IBM i (AS/400 and iSeries)
Users
(PcTech) mailing list
To post a message email: PcTech@xxxxxxxxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/pctech
or email: PcTech-request@xxxxxxxxxxxxxxxxxx Before posting, please
take a moment to review the archives at
https://archive.midrange.com/pctech.

Help support midrange.com by shopping at amazon.com with our affiliate
link: https://amazon.midrange.com



--
John Jones, CISSP
History has taught us that we don't learn from the past.
--
This is the PC Technical Discussion for IBM i (AS/400 and iSeries) Users
(PcTech) mailing list To post a message email: PcTech@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/pctech
or email: PcTech-request@xxxxxxxxxxxxxxxxxx Before posting, please take a
moment to review the archives at https://archive.midrange.com/pctech.

Help support midrange.com by shopping at amazon.com with our affiliate
link: https://amazon.midrange.com
--
This is the PC Technical Discussion for IBM i (AS/400 and iSeries) Users
(PcTech) mailing list
To post a message email: PcTech@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/pctech
or email: PcTech-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/pctech.

Help support midrange.com by shopping at amazon.com with our affiliate
link: https://amazon.midrange.com




As an Amazon Associate we earn from qualifying purchases.

This thread ...

Follow-Ups:
Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.