Avatar of jbovalley
jbovalley asked on

Is it safe to download my mail via Pop3 ?

We have recently be contacted to be PCI compliant . In our domain we do not host  our mail or web server,  we have leased the hosting to an outside company.  At present we use Microsoft Outlook and recieve our mail via a pop3 account. I have been reading online about pop3 and it dosen't seem to be the safest way to recieve mail especially since we get credit card information sent through these mails. What can I do on my end to make the trasfer of mail from my hosting company to me a  more secure process. Is there something that I should ask our hosting company to change to make this a more secure connection ?
Anti-Virus AppsEmail ClientsEmail Servers

Avatar of undefined
Last Comment
jbovalley

8/22/2022 - Mon
Dave Howe

No, it isn't, but to be honest, if you are accepting CC details via email, the security of the last hop (pop3 to you) is likely to be the least of your worries.

You can use secure pop3 (pop3s or pop3-tls, pretty much the same thing) but that mail has still gone unsecured from isp to isp all the way to your mailbox, and at any step, someone could have intercepted and read it.

really, CC data should not be sent via email at all unless encrypted; it is easier and more convenient to get it entered on a website (via https) and simply referenced in an email than to supply cc data via an insecure channel every time. Email encryption tends to be prohibitively difficult for the average user, and thus is not a wise business decision (even if it would be a good technical one)
ASKER
jbovalley

Thanks for the reply... but let me explain a little further....The CC is entered in our Web Site, on a secure page https,  that is hosted be the hosting company. Up to the point to where the credit card reaches our web site it is secure but the problem is we dont host the web site and I am looking for a solution to get that informatin to me from the web site. Presently our web host has given us a pop3 account and we download the info via email. I am trying to find out if there is a better way for him to get that info  to me instead of sending it to me via pop 3.
ASKER CERTIFIED SOLUTION
Dave Howe

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
See how we're fighting big data
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
Dave Howe

However, note that for most merchant account providers (cc processors), they offer a scriptable component that will allow you to contact the merchant bank directly you receive the CC data, and obtain a "fulfilment code" - this code, when presented back to the merchant, will cause it to process the payment you have "reserved" from the card during the first contact, and transfer the money to your account.  It has no other purpose, and can be used for no other task (so someone obtaining the code couldn't transfer money to their own account or alter the payment amount, but *could* trigger payment to you before you wished this to happen. Not much value to an attacker there, I feel...)
This is the best money I have ever spent. I cannot not tell you how many times these folks have saved my bacon. I learn so much from the contributors.
rwheeler23
ASKER
jbovalley

"finally, if you *must* use pop3, you could pull using the secure (encrypted) forms of pop3. encrypted pop3 is, again, supported by most email clients, down to something like outlook express"

assumeing that I have to use pop3....would I have to have my hosting company change anything on there end  so that the mail is encrypted ?    If so , what ?
and how do I configure Microsoft outlook to accept the encrypted pop mail and decrypt it ?
Dave Howe

Setting up the hosting company end would require creating and installing a tls certificate - they will know how to do this.

configuring outlook to use it is simply a case of ticking the box that says "this server requires a secure connection" in the config.
ASKER
jbovalley

would I also have to use  port 995 for a secure connection ?
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
Dave Howe

its convention that you do so, but you are not required to - using "TLS" would usually allow you to use the usual 110 port, but I don't think outlook supports that (just explicit pop3s on port 995)

the person to ask would be your support provider at the hosting site - ask them to set up secure pop3, and what settings to use on your client to match what they have set up there.
ASKER
jbovalley

ok  cool..thanks for you help....