PCI DSS Requirement 4.2 states that credit card information must not be captured, transmitted, or stored via end-user messaging technologies (like email). Here’s why: email leaves trails of unencrypted credit card numbers in inboxes, trashes, web browser caches, etc. As with any end-user technology, it’s extremely difficult to secure.
According to the PCI DSS, e-mail, instant messaging, SMS, and chat can be easily intercepted by “packet-sniffing” software or hardware during delivery across internal and public networks. Packet sniffing is a tactic similar to wiretapping a phone network and can be used by hackers to capture your Internet traffic.
Even if your email server is configured to provide strong encryption when you connect to read your email, you have no guarantee that the receiving end has the same level of encryption. Do not utilize these messaging tools to send PAN unless they are configured to provide strong entire message encryption (PGP, GPG, etc.). Even then, it’s probably just easier to find another way to transfer sensitive credit card data.
If emailing credit card info is a normal business process:
- Understand your process must be changed. There is no way for you to be compliant if your normal process requires sending clear text credit cards via unencrypted email.
- Either decide to encrypt your email or initiate training for employees to forbid the sending or receiving of customer card data.
- Ensure your written policies state unencrypted PAN are never to be sent via email or other end-user technologies.
Hackers want your cardholder data. By obtaining the Primary Account Number (PAN) and sensitive authentication data, a thief can impersonate the cardholder, use the card, and steal the cardholder’s identity.
Take a look at the payment card diagram. Everything at the end of a red arrow is sensitive cardholder data. Anything on the backside and CID must never be stored. You must have a good business reason for storing anything else, and that data must be protected.