PCI Compliance and SSL protected emails

Given that SSL is no longer considered safe due to the POODLE vulnerability, what email options exist?

https://www.pcicomplianceguide.org/pci-dss-v3-1-and-ssl-what-you-should-do-now/

And does this POODLE vulnerability actually expose someone who sends an email with a secure PDF as an attachment?

Is there a way to securely send an email with a merchant's credit card monthly statement as an attachment? If so, what types of email are considered PCI compliant?

If not, what other options are there for sending a PDF? DropBox?

What are the alternatives?

Thanks.
newbieweb (Sr. Software Engineer) asked:
Jason Crawford (Transport Ninja) commented:
It sounds like you're referring to encryption and Data Loss Prevention.  Basically a rule is created to redirect any email containing sensitive data to an encryption gateway the recipient has to log in to to retrieve the message.  Here is Microsoft's version for Exchange and Exchange Online:

https://technet.microsoft.com/en-us/library/jj150527(v=exchg.160).aspx
newbieweb (Sr. Software Engineer, author) commented:
So, if I have an email address registered with Exchange Online, am I at least protecting my end of the communications from exposing the attachment that is being emailed to me?
Jason Crawford (Transport Ninja) commented:
There are many 3rd-party providers; I just gave Microsoft's version as an example of outbound protection.  Inbound is different, and really your best option for the data you receive (at rest) is disk encryption.

newbieweb (Sr. Software Engineer, author) commented:
Yes, I encrypt my disk. What kinds of email services are acceptable? What is it that differentiates the good from the bad?

https on the domain, such as on gmail

https://www.google.com/gmail

means it's protected with SSL. But how does one know the email account is protected with TLS?
Jason Crawford (Transport Ninja) commented:
You have to think of it in terms of data at rest and data in motion.  Your connection to Gmail is data in motion; however, if you open your Gmail mailbox using Outlook you are working with data at rest.  Your compliance obligations generally don't include data at rest for recipients outside your organization.  As long as connections to your email server are secured via SSL and you encrypt outbound email with DLP or similar you *should* be ok, but if you're unsure you may want to work with an auditor or consultant, since I've found that of all compliance regulations PCI is the most nitpicky.
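The "secured via SSL" point in the answer above is where POODLE bites: the connection must actually negotiate TLS 1.2 or later rather than fall back to SSLv3. The following is an added example, not code from either participant or from Microsoft, showing how a client can pin that floor and report what a mail server really negotiates on STARTTLS. The host name `smtp.example.com` is an assumed placeholder.

```python
import smtplib
import ssl

# Assumed placeholder host for illustration only; substitute your own mail server.
EXAMPLE_SMTP_HOST = "smtp.example.com"

# Protocol names as returned by SSLSocket.version() that meet a post-POODLE floor.
ACCEPTABLE_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}


def make_mail_tls_context() -> ssl.SSLContext:
    """Client context that refuses SSLv3 (POODLE) and TLS 1.0/1.1 outright."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_floor_name(ctx: ssl.SSLContext) -> str:
    """Return the enum name of the lowest protocol the context will negotiate."""
    return ctx.minimum_version.name


def protocol_is_acceptable(version_name: str) -> bool:
    """Decide whether a negotiated protocol name satisfies the floor."""
    return version_name in ACCEPTABLE_PROTOCOLS


def check_smtp_starttls(host: str, port: int = 587, timeout: float = 10.0) -> dict:
    """Connect to a submission port, upgrade with STARTTLS, and report the result.

    Network access is required; the context above makes the upgrade fail
    (with ssl.SSLError) if the server only offers SSLv3 or TLS 1.0/1.1.
    """
    ctx = make_mail_tls_context()
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            # Server would only accept credentials and mail in the clear.
            return {"starttls": False, "protocol": None, "cipher": None, "acceptable": False}
        smtp.starttls(context=ctx)
        smtp.ehlo()
        protocol = smtp.sock.version()
        cipher = smtp.sock.cipher()[0]
        return {
            "starttls": True,
            "protocol": protocol,
            "cipher": cipher,
            "acceptable": protocol_is_acceptable(protocol),
        }


if __name__ == "__main__":
    print(check_smtp_starttls(EXAMPLE_SMTP_HOST))
```

Because the context sets a minimum version rather than relying on the server to behave, a downgrade to SSLv3 cannot succeed from this client's side; the same context can be passed to `smtplib.SMTP_SSL` for port 465 or to `imaplib.IMAP4_SSL` when checking the mailbox side of the connection.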
newbieweb (Sr. Software Engineer, author) commented:
> you encrypt outbound email with DLP or similar

please expound on that.
Jason Crawford (Transport Ninja) commented:
Let's say one of your end-users sends an email to a vendor containing ePHI in the body of the email.  Transport rules would flag that email and redirect it to an encryption gateway, and a notification email would be sent to the original recipient containing instructions on how to log in to the gateway and read the email.  In this scenario the email is sent over secure channels between hops and retrieved through a secure portal, so you're covered.
newbieweb (Sr. Software Engineer, author) commented:
>Transport rules would flag that email

That's interesting. Does it look for numbers in a certain pattern? Like 1234-1234-1234-1234?

In my case, a merchant would be sending their monthly statement to me, at my email account. I am trying to understand what I must do to be PCI compliant.

The hope is they would send me a scanned copy where they scrubbed out any identifying information, and attached a scanned copy to the email. My worry is they will send a PDF, which is hard to scrub unless you have a copy of Adobe Acrobat Pro.

In either case, there is a chance I'd end up with their merchant credit card number on my system. So I want to understand the steps I need to take in order to be compliant, in those cases.
Jason Crawford (Transport Ninja) commented:
Yes, DLP uses pattern recognition for things like credit cards, social security numbers, etc.  I can't say for sure with PCI, but with HIPAA as long as your disk is encrypted you're covered for email sent to you.
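To make the "pattern recognition" answer concrete, here is an added example (not from either participant, and not how any particular DLP product is implemented) of the two-stage check a transport rule typically performs on a message body: a loose digit-group pattern to find candidates, then a Luhn checksum to drop false positives. The sample messages are constructed; the `4111 1111 1111 1111` and `5500 0000 0000 0004` values are well-known test card numbers, and the `1234-1234-1234-1234` pattern from the question above is included to show that it fails the checksum.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not glued onto a longer run of digits or dashes on either side.
CANDIDATE_RE = re.compile(r"(?<![0-9-])(?:[0-9][ -]?){12,18}[0-9](?![0-9-])")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_candidates(text: str) -> list:
    """Stage 1: digit groups that merely look like card numbers."""
    return [re.sub(r"[ -]", "", m.group(0)) for m in CANDIDATE_RE.finditer(text)]


def find_card_numbers(text: str) -> list:
    """Stage 2: keep only candidates that pass the Luhn checksum."""
    return [c for c in find_candidates(text) if 13 <= len(c) <= 19 and luhn_ok(c)]


def transport_rule(message: str) -> dict:
    """Decide what an outbound rule would do with this message body.

    The decision only records the last four digits of each match so the log
    entry itself does not become cardholder data.
    """
    pans = find_card_numbers(message)
    action = "redirect_to_encryption_gateway" if pans else "deliver"
    return {"action": action, "matches": [p[-4:] for p in pans]}


# Constructed sample messages for a stand-alone run.
SAMPLES = [
    "Please charge card 4111 1111 1111 1111 for invoice 88213.",
    "Statement: account ending 0004, full PAN 5500-0000-0000-0004 on page 2.",
    "Reference 1234-1234-1234-1234 shipped today.",      # looks like a PAN, fails Luhn
    "Call 555-123-4567 or see masked card ****-****-****-1111.",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(transport_rule(s), "<-", s)
```

The rule inspects plain text only; a production gateway would first extract text from attachments (the scanned PDF case raised in the thread), and it would still miss a scanned image with no text layer, which is why scrubbing at the sender remains the better control. Long order or invoice numbers that happen to satisfy Luhn will be flagged as well, so a real rule usually adds issuer-prefix checks or keyword context to tune the false-positive rate.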
newbieweb (Sr. Software Engineer, author) commented:
thanks
Jason Crawford (Transport Ninja) commented:
Glad I could help.  Take care :)