Companies occasionally receive full credit card details (everything needed to complete a purchase: the card number, expiry date and card verification code) by email or over the telephone. As QSAs, we consider this a security risk or, at the very least, poor practice, and something that should be top of mind. All cardholder data that is transmitted, processed, or stored is in scope for PCI DSS, including data you never asked for.
The Payment Card Industry Data Security Standard (PCI DSS) was established to keep cardholder data out of the wrong hands. It holds every organization that stores, processes, or transmits cardholder data to a common baseline for protecting that data against unauthorized exposure and misuse.
Violation of PCI DSS
Requirement 4.2 of PCI DSS (v3.2.1) states that unprotected primary account numbers (PANs) must never be sent via end-user messaging technologies such as email, instant messaging, SMS, or chat. Requirement 3.2 adds that sensitive authentication data such as the card verification code must not be stored after authorization at all, so a message containing everything needed to make a purchase is a problem on both counts.
The reason is practical: unencrypted card numbers sent by email end up in inboxes, sent folders, deleted-items folders, backups, webmail browser caches, and so on, and every one of those copies is in scope. Like any other conventional end-user technology, email is extremely difficult to secure to that level.
It is worth emphasizing that failing to comply with PCI DSS is not a criminal offence. PCI DSS is a contractual obligation that flows from the card brands through the acquiring banks and processors to the merchants and service providers they work with, and non-compliance is enforced through that chain, typically as fines or, ultimately, loss of the ability to accept cards. If something goes wrong while card data is being handled, non-compliance can also be disastrous for a company's reputation.
Is encryption the solution?
It is tempting to think that encrypting the email solves the problem. However, the encryption most organizations have is transport encryption: TLS between your mail client and your own mail server. That says nothing about the hops between your server and the recipient's, nothing about how the message is stored at rest on either end, and nothing about who can read it once it has been delivered. Protecting the card number itself would require end-to-end encryption that both parties have set up in advance, which is rarely the case with customers.
What are the options for sharing credit card information digitally while staying PCI compliant?
Given that email is the preferred method of communication for most businesses, a secure email and digital communication platform is critical for PCI DSS and GDPR compliance. Such a platform is intended to catch risky behaviour in digital communication before the message leaves. For example, if sensitive personal data is added to an email, such as an attachment containing multiple credit card numbers, and/or the message is addressed to a new contact or to multiple recipients, the sender is warned and the message is blocked automatically. The platform should also enforce strict security measures, such as encryption of personal data and two-factor authentication.
Have your policies and procedures in place
As a QSA conducting an assessment, we expect to see:
- Policies addressing this situation, stating that accepting card details in this manner is against company policy, and explaining how the situation is handled when a customer does it anyway.
- Procedures to ensure the policy is followed. Routine scans of the mail server for card numbers, or a data loss prevention (DLP) implementation that ensures card data is only where it should be, are examples of such procedures.
- Employee awareness. Employees should tell the customer that payment cannot be accepted in this manner and that the details must be resubmitted through the proper channel, and the received data should then be securely deleted. If you allow employees to process the card when this happens, that processing becomes part of your card data flow, and when it is discovered during an assessment you will be found non-compliant.
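The outbound DLP check described under the options section and the routine mailbox scan listed under procedures both come down to the same thing: finding card numbers in text without creating yet another copy of them. The following is an added example, not code from the original post or from any vendor product, showing both in Python. The message layout (dicts with `to`, `subject`, `body`, `attachments`), the `KNOWN_CONTACTS` list and all sample mail are constructed for the demonstration; a real deployment would read from the mail gateway or mail store instead.

```python
"""Added example (not from the original post): outbound-email DLP check and
routine mailbox sweep for primary account numbers (PANs).

Message layout, contact list and all sample mail below are constructed for
this demonstration; a real deployment would read from the mail gateway or
the mail store instead.
"""
import re
from typing import Dict, List, Set

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# hyphens, not embedded in a longer digit run. A deliberately simple
# first-pass filter; the Luhn check is what rejects order numbers, phone
# numbers and similar look-alikes.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; PANs issued by the major card brands pass it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four only (the PCI DSS v3.2.1 display
    allowance), so the scanner's own output never becomes a full-PAN copy."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[str]:
    """Return masked PANs found in text (Luhn-valid candidates only)."""
    found = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_valid(digits):
            found.append(mask_pan(digits))
    return found


def scan_outbound(msg: Dict, known_contacts: Set[str]) -> Dict:
    """Gateway policy for one outbound message.

    Any PAN in the subject, body or an attachment blocks the message, since
    unprotected PAN must never go out via email. The aggravating factors
    (several card numbers, new or multiple recipients) are reported with
    the verdict so the warning shown to the sender can explain why.
    """
    hits: Dict[str, List[str]] = {}
    body_hits = find_pans(msg.get("subject", "") + "\n" + msg.get("body", ""))
    if body_hits:
        hits["body"] = body_hits
    for name, content in msg.get("attachments", {}).items():
        att_hits = find_pans(content)
        if att_hits:
            hits[name] = att_hits

    pans = [p for found in hits.values() for p in found]
    reasons = []
    if pans:
        reasons.append(f"{len(pans)} card number(s) in: {', '.join(hits)}")
        if len(pans) > 1:
            reasons.append("multiple card numbers in one message")
        new = [r for r in msg["to"] if r not in known_contacts]
        if new:
            reasons.append("new contact(s): " + ", ".join(new))
        if len(msg["to"]) > 1:
            reasons.append("multiple recipients")
    return {"action": "block" if pans else "allow", "pans": pans, "reasons": reasons}


def scan_mailbox(messages: List[Dict]) -> Dict[str, List[str]]:
    """Routine sweep of stored mail: message id -> masked PANs found, i.e.
    the places where card data sits that it should not."""
    report = {}
    for msg in messages:
        parts = [msg.get("subject", ""), msg.get("body", "")]
        parts.extend(msg.get("attachments", {}).values())
        pans = find_pans("\n".join(parts))
        if pans:
            report[msg["id"]] = pans
    return report


# Constructed sample data. The card numbers are publicly documented brand
# test numbers (or a Luhn-invalid variant of one), not real accounts.
KNOWN_CONTACTS = {"billing@customer.example"}
SAMPLE_MESSAGES = [
    {"id": "m1", "to": ["billing@customer.example"],
     "subject": "Invoice 1234567890123",
     "body": "Order 1234567890123 ships Monday. Call +1 555 0100 with questions."},
    {"id": "m2", "to": ["new.vendor@example.net", "cc@example.net"],
     "subject": "Card details",
     "body": "Please charge 4111 1111 1111 1111, exp 12/26, CVV 123. "
             "Ref 4111111111111112.",
     "attachments": {"cards.csv": "name,pan\nA,5555555555554444\nB,378282246310005\n"}},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["id"], scan_outbound(msg, KNOWN_CONTACTS))
    print("mailbox sweep:", scan_mailbox(SAMPLE_MESSAGES))
```

Two design points matter here. The Luhn check is what keeps the 13-digit order number and the phone number in the first message out of the report, so the scan does not drown the mail team in false positives; production DLP tools add issuer-prefix checks and nearby keywords ("card", "CVV") for the same reason, and the candidate regex deliberately skips digit runs longer than 19 so tracking numbers are ignored. And the scanner only ever returns masked values: a scan report or gateway log that contains full PANs is itself cardholder data storage and would widen your scope rather than shrink it.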
Receiving the occasional credit card number by email can be anticipated and handled without adding risk, provided the policy, the procedures and the staff awareness are in place beforehand. If you would like to discuss your specific situation with our QSAs, please contact us at firstname.lastname@example.org