


That's good news.

-----Original Message-----
From: PcTech <pctech-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of John Jones
Sent: Thursday, April 18, 2019 2:54 PM
To: PC Technical Discussion for IBM i (AS/400 and iSeries) Users <pctech@xxxxxxxxxxxxxxxxxx>
Subject: Re: [PCTECH] Email blocking inbound credit card numbers

It does count as encryption but just being encrypted doesn't remove something from scope. You have to actually not have card data to be out of scope. Even using tokenized data doesn't remove systems from scope (though compliance is much easier if you do tokenize).

Incidentally, an individual sending their own personal or corporate card data via email or other insecure channels is not a PCI violation. Reason being is that the business entity hosting the mail system is not acting as a processor. Example: You send a Citibank card number to someone selling stuff on Etsy through Dekko's email. In this case Dekko is not a service provider WRT the card transaction. For the transaction they are none of these: a broker, a merchant, a payment gateway, a clearing house, acting as a 3rd party processor, and aren't the issuing bank.

The PCI standard and supporting docs are all freely available if you want to look at it in more detail.
https://www.pcisecuritystandards.org/document_library


On Thu, Apr 18, 2019 at 10:46 AM Rob Berendt <rob@xxxxxxxxx> wrote:

So an encrypted file does not count as file/folder encryption?

-----Original Message-----
From: PcTech <pctech-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of John
Jones
Sent: Wednesday, April 17, 2019 9:04 PM
To: PC Technical Discussion for IBM i (AS/400 and iSeries) Users <
pctech@xxxxxxxxxxxxxxxxxx>
Subject: Re: [PCTECH] Email blocking inbound credit card numbers

Short answer is no. PCI data stored in production databases needs to
be encrypted at rest. Typically that involves disk encryption,
file/folder encryption, or column encryption within tables
(transparent data encryption or similar).

Also, PCI data in transport needs to be encrypted when sent over
public networks.

PCI also requires encryption key management so sending something
encrypted without a key management process to rotate the keys, have
assigned key custodians, etc. is only a partial pass of the controls.

On Wed, Apr 17, 2019 at 1:33 PM Rob Berendt <rob@xxxxxxxxx> wrote:

Kind of curious. If the sensitive information is in an encrypted
attachment does that exclude tossing in the whole email system for
review?

-----Original Message-----
From: PcTech <pctech-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of John
Jones
Sent: Wednesday, April 17, 2019 2:14 PM
To: PC Technical Discussion for IBM i (AS/400 and iSeries) Users <
pctech@xxxxxxxxxxxxxxxxxx>
Cc: David Gibbs <david@xxxxxxxxxxxx>
Subject: Re: [PCTECH] Email blocking inbound credit card numbers

If you're a merchant, service provider, or other processor in the
PCI chain and you take CCs via email then your entire email system
may be considered in-scope by your PCI assessor and the full DSS applies.
Which means encryption everywhere, physical access reviews, etc.
Generally, even if you use Office365, G Suite, or some other hosted
solution, this is non-trivial and non-cheap.

Also, rejecting CCs sent via email might, just might, slowly train a
few people to think before they send sensitive information via
insecure channels.

Downside is that a lot of numbers can match the Luhn check so false
positive rate can be high unless the logic looks for other things.

(I own the PCI compliance program for a Level 1 service provider)

On Wed, Apr 17, 2019 at 10:41 AM Jim Oberholtzer <
midrangel@xxxxxxxxxxxxxxxxx> wrote:

I would not want the liability of getting onto my system in the
first place....


--
Jim Oberholtzer
Agile Technology Architects

-----Original Message-----
From: PcTech <pctech-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of
David Gibbs via PcTech
Sent: Wednesday, April 17, 2019 10:39 AM
To: pctech@xxxxxxxxxxxxxxxxxx
Cc: David Gibbs <david@xxxxxxxxxxxx>
Subject: [PCTECH] Email blocking inbound credit card numbers

I've noticed something kind of interesting on the mailing lists
recently.

Some mail servers are blocking inbound email that appears to
contain credit card numbers.

I can understand restrictions on filtering outbound mail that
might contain credit card numbers. While it's obviously not a good
idea to send a credit card number in email, why would a company
block mail that
does contain one?

david

--
IBM i on Power Systems: For when you can't afford to be out of
business!

I'm riding 615 miles (Yes, you read that right) in the American
Diabetes Association's Tour de Cure to raise money for diabetes
research, education, advocacy, and awareness. You can make a
tax-deductible donation to my ride by visiting
https://mideml.diabetessucks.net.

You can see where my donations come from by visiting my
interactive donation map ... https://mideml.diabetessucks.net/map
(it's a geeky thing).

I may have diabetes, but diabetes doesn't have me!
--
This is the PC Technical Discussion for IBM i (AS/400 and iSeries)
Users
(PcTech) mailing list To post a message email:
PcTech@xxxxxxxxxxxxxxxxxx To subscribe, unsubscribe, or change
list options,
visit: https://lists.midrange.com/mailman/listinfo/pctech
or email: PcTech-request@xxxxxxxxxxxxxxxxxx Before posting, please
take a moment to review the archives at
https://archive.midrange.com/pctech.

Help support midrange.com by shopping at amazon.com with our
affiliate
link: https://amazon.midrange.com




--
John Jones, CISSP
History has taught us that we don't learn from the past.
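
The false-positive point raised in the thread (many digit strings pass the Luhn check) can be seen in a small inbound-mail scanner. This is an added example, not code from any poster or from a mail product: the function names, verdict labels, context keywords and the simplified issuer prefix table are assumptions, and the sample body is constructed using published test card numbers.

```python
import re

# 13-19 digits, optionally split by single spaces/hyphens, not part of a longer digit run.
CANDIDATE = re.compile(r"(?<![\d-])\d(?:[ -]?\d){12,18}(?![\d-])")
# Simplified issuer prefix/length table (assumption: not a complete IIN list).
BRANDS = [
    ("visa", re.compile(r"4"), {13, 16, 19}),
    ("mastercard", re.compile(r"5[1-5]|222[1-9]|22[3-9]\d|2[3-6]\d\d|27[01]\d|2720"), {16}),
    ("amex", re.compile(r"3[47]"), {15}),
    ("discover", re.compile(r"6011|65|64[4-9]"), {16}),
]
# Words that suggest the digits are being offered as payment details (assumed list).
CONTEXT = re.compile(r"\b(card|visa|mastercard|amex|cvv|cvc|exp(iry|ires)?)\b", re.I)

def luhn_ok(digits):
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def brand_of(digits):
    return next((n for n, p, lens in BRANDS if len(digits) in lens and p.match(digits)), None)

def scan(text, window=40):
    """Return (masked_number, verdict) for each Luhn-valid candidate in text."""
    findings = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_ok(digits):
            continue
        brand = brand_of(digits)
        nearby = text[max(0, m.start() - window):m.end() + window]
        if brand is None:
            verdict = "ignore:luhn-only"  # passes Luhn but is not shaped like a card
        elif CONTEXT.search(nearby):
            verdict = "block:" + brand    # card-shaped and described as payment data
        else:
            verdict = "review:" + brand   # card-shaped, no supporting context
        # Keep only the last four digits so the scanner never stores the number itself.
        findings.append(("*" * (len(digits) - 4) + digits[-4:], verdict))
    return findings

# Constructed message body; the card-shaped values are published test numbers.
SAMPLE = ("Please charge my Visa card 4111 1111 1111 1111, exp 04/21.\n"
          "Order reference 1234567812345670 shipped under tracking 9400110200881234567890.\n"
          "Meter reading 4012888888881881 kWh.")
```

Running `scan(SAMPLE)` blocks only the first number: the order reference passes Luhn but has no card prefix, the 22-digit tracking number is never a candidate, and the last value is card-shaped without payment context, so it is flagged for review rather than rejected.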
