PCI Compliance and SSL protected emails

Given that SSL is no longer considered safe due to the POODLE vulnerability, what email options exist?

https://www.pcicomplianceguide.org/pci-dss-v3-1-and-ssl-what-you-should-do-now/

And does this POODLE vulnerability actually expose someone who sends an email with a secure PDF as an attachment?

Is there a way to securely send an email with a merchant's credit card monthly statement as an attachment? If so, what types of email are considered PCI compliant?

If not, what other options are there for sending a PDF? DropBox?

What are the alternatives?

Thanks.
newbieweb (Sr. Software Engineer) asked:
Jason Crawford (Transport Ninja) commented:
It sounds like you're referring to encryption and Data Loss Prevention. Basically a rule is created to redirect any email containing sensitive data to an encryption gateway the recipient has to log in to in order to retrieve the message. Here is Microsoft's version for Exchange and Exchange Online:

https://technet.microsoft.com/en-us/library/jj150527(v=exchg.160).aspx
newbieweb (Sr. Software Engineer, author) commented:
So, if I have an email address registered with Exchange Online, am I at least protecting my end of the communications from exposing the attachment that is being emailed to me?
Jason Crawford (Transport Ninja) commented:
There are many 3rd-party providers; I just gave Microsoft's version as an example of outbound protection. Inbound is different, and really your best option for the data you receive (at rest) is disk encryption.
newbieweb (Sr. Software Engineer, author) commented:
Yes, I encrypt my disk. What kinds of email services are acceptable? What is it that differentiates the good from the bad?

https on the domain, such as on gmail

https://www.google.com/gmail

means it's protected with SSL. But how does one know the email account is protected with TLS?
Jason Crawford (Transport Ninja) commented:
You have to think of it in terms of data at rest and data in motion. Your connection to Gmail is data in motion; however, if you open your Gmail mailbox using Outlook you are working with data at rest. Your compliance obligations generally don't include data at rest for recipients outside your organization. As long as connections to your email server are secured via SSL and you encrypt outbound email with DLP or similar you *should* be ok, but if you're unsure you may want to work with an auditor or consultant, since I've found that of all compliance regulations PCI is the most nit-picky.
newbieweb (Sr. Software Engineer, author) commented:
> you encrypt outbound email with DLP or similar

Please expound on that.
Jason Crawford (Transport Ninja) commented:
Let's say one of your end-users sends an email to a vendor containing ePHI in the body of the email. Transport rules would flag that email and redirect it to an encryption gateway, and a notification email would be sent to the original recipient containing instructions on how to log in to the gateway and read the email. In this scenario the email is sent over secure channels between hops and retrieved through a secure portal, so you're covered.
newbieweb (Sr. Software Engineer, author) commented:
> Transport rules would flag that email

That's interesting. Does it look for numbers in a certain pattern? Like 1234-1234-1234-1234?

In my case, a merchant would be sending their monthly statement to me, at my email account. I am trying to understand what I must do to be PCI compliant.

The hope is they would send me a scanned copy where they scrubbed out any identifying information, and attached a scanned copy to the email. My worry is they will send a PDF, which is hard to scrub unless you have a copy of Adobe Acrobat Pro.

In either case, there is a chance I'd end up with their merchant credit card number on my system. So I want to understand the steps I need to take in order to be compliant, in those cases.
Jason Crawford (Transport Ninja) commented:
Yes, DLP uses pattern recognition for things like credit cards, social security numbers, etc. I can't say for sure with PCI, but with HIPAA, as long as your disk is encrypted you're covered for email sent to you.
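The pattern recognition described in the last two replies, shown as an added example (not code from the thread or from any DLP product): a minimal transport-rule style check that finds 13-19 digit runs, confirms them with the Luhn checksum that real card numbers satisfy, masks the hit to its last four digits, and routes the message to "encrypt" or "deliver". The sample messages and the test card numbers are constructed; the `1234-1234-1234-1234` pattern from the question is included to show that a digit pattern alone is not enough.

```python
import re

# Constructed sample messages (not from the page). Card-looking values are
# well-known synthetic test numbers, not real cards.
SAMPLE_MESSAGES = {
    "statement": "Merchant ID 88123, card ending 4242 4242 4242 4242, total $1,204.50",
    "order": "Order #1234-5678-9012 ships Monday; invoice 4111-1111-1111-1111 attached.",
    "question": "Does it look for numbers in a certain pattern? Like 1234-1234-1234-1234?",
    "clean": "Call 555-0100 about the Q3 network refresh, PO 123456789012.",
}

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the all-digit string passes the Luhn mod-10 checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return Luhn-valid card-number candidates in text, masked to the last four digits."""
    hits = []
    for match in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append("*" * (len(digits) - 4) + digits[-4:])
    return hits


def route_message(text: str) -> str:
    """Mimic a transport rule: send to the encryption gateway when a PAN is present."""
    return "encrypt" if find_pans(text) else "deliver"


if __name__ == "__main__":
    for name, body in SAMPLE_MESSAGES.items():
        print(f"{name:10s} -> {route_message(body):8s} {find_pans(body)}")
```

A production DLP engine adds issuer prefix tables, keyword context and confidence scoring on top of this, but the pattern-plus-checksum core is what keeps it from flagging every 16-digit order number.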
newbieweb (Sr. Software Engineer, author) commented:
Thanks.
Jason Crawford (Transport Ninja) commented:
Glad I could help. Take care :)