On 17/03/2017 14:18, Eric Henson wrote:
> As a PCI compliant company, we have to go to great lengths to secure any system
> that stores, processes, or transacts credit card data. If that included our
> email servers, that would put every single mail server, every single mail
> client, including smart phones, in scope for our PCI audit. That would be a
> complete nightmare. So we have rules to prevent credit card numbers from
> entering our environment.

The problem is that that doesn't work.

PCI is broken this way - you can't control someone you have no control over.

I bet you anyone can send you an obfuscated credit card number, and it'll enter your mail server, and you won't know about it until/unless someone reads it. Then what do you do? I bet you'd just delete it, keep it quiet and hope for the best, or do you shred the mail server's hard disks, those of any users who may have had access to the message (and any message archives) and rebuild everything.

For instance, if I sent you a message saying four hundred and fifty-seven, 345 double eight, a dozen, 55 seventeen, Clickety-click, would your scanner prevent that message coming in? ;-)

Also, do you do OCR on any image attachments or Word documents/PDFs/etc. you receive, to make sure they don't contain a scan of a credit card or similar? If not, then you're not 'preventing' anything. Or do you just refuse any type of attachment at all, and any email containing any digits or number words (in various languages)?

If PCI was adhered to as strictly as they'd want you to, it'd be a great DoS mechanism...

_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
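The thread argues that an inbound mail filter can only catch card numbers written as digits. The following is an added illustration, not code from the mailop thread or from either poster: a minimal Luhn-gated PAN detector of the kind a DLP rule would run over message bodies, applied to constructed sample messages (the 4111... and 5500... values are widely published test PANs, not real cards). It shows both sides of the point made above: a Luhn check cuts false positives on ordinary 16-digit reference numbers, while the word-obfuscated number from the post passes straight through because nothing in it looks like a digit run.

```python
import re

# Constructed sample message bodies for the demonstration (no real card data).
SAMPLE_MESSAGES = {
    "plain": "Please charge my card 4111 1111 1111 1111, exp 12/29, thanks.",
    "dashed": "Card on file: 5500-0000-0000-0004",
    # The obfuscated rendering quoted in the post: no digit run at all.
    "obfuscated": "four hundred and fifty-seven, 345 double eight, a dozen, "
                  "55 seventeen, Clickety-click",
    # Sixteen digits that are NOT a card number (fails Luhn): a typical false positive.
    "ticket": "Order ref 1234 5678 9012 3456 shipped today.",
}

# Candidate: 13-19 digits, each optionally followed by a single space or dash,
# not glued onto further digits on either side.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string satisfies the Luhn checksum used by PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return normalised digit strings that look like PANs and pass Luhn."""
    hits = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Truncate to first six / last four, the usual form for logging a finding."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_messages(messages: dict[str, str]) -> dict[str, list[str]]:
    """Map each message name to the masked PANs a digit-based filter would flag."""
    return {name: [mask(p) for p in find_pans(body)] for name, body in messages.items()}


if __name__ == "__main__":
    for name, findings in scan_messages(SAMPLE_MESSAGES).items():
        print(f"{name:11s} -> {findings or 'no PAN detected'}")
```

Running it flags the "plain" and "dashed" messages, rejects the Luhn-failing order reference, and reports nothing for the obfuscated message, which is exactly the gap the post describes: a rule like this reduces accidental leakage of digit-formatted PANs but cannot claim to prevent card data from entering the environment.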
