Sending or receiving credit card data via email while staying PCI compliant

To prevent cardholders’ information from falling into the wrong hands, the Payment Card Industry Data Security Standard (PCI DSS) was established to hold organizations to a common standard for securing cardholder information against unauthorized exposure and exploitation.

With the rise of e-commerce, the most prominent names of the credit card industry joined forces to improve the safety of consumer data and trust in the payment ecosystem, a minimum standard for data security was created. Visa, Mastercard, American Express, Discover, and JCB formed the Payment Card Industry Security Standards Council (PCI SSC) in 2006 to administer and manage security standards for companies that handle credit card data. Before the PCI SSC was established, these five credit card companies had their own security standards programs—each with roughly similar requirements and goals. They banded together through the PCI SSC to align on one standard policy to ensure a baseline level of protection for consumers and banks in the internet era.

Validation of compliance is performed annually or quarterly, either by an external Qualified Security Assessor (QSA) or by a firm-specific Internal Security Assessor (ISA) that creates a report on compliance for organizations handling large volumes of transactions, or by Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes.

How to become PCI compliant?

PCI compliance should be one of the most important ongoing projects in any business that stores customer’s private credit card data. There are 12 steps that need to be addressed in order to achieve compliance. These steps are based on the following security requirements:

  • Build and Maintain a Secure Network and Systems
  • Protect Cardholder Data
  • Maintain a Vulnerability Management Program
  • Implement Strong Access Control Measures
  • Regularly Monitor and Test Networks
  • Maintain an Information Security Policy

PCI compliance addresses not only the credit card industry concerns. It also helps to fulfil several requirements of data security and privacy laws, such as the General Data Protection Regulation (GDPR).

Consequences of PCI violations

Based on the leading PCI Compliance Blog, fines are rarely reported and generally are given to the merchants directly. Banks pass the penalties along as increased transaction costs or maybe the termination of business relationships.

Fines can vary from $5.000 to $100.000 monthly until the merchants become compliant. This type of penalty is only suitable for large financial institutions. It can very quickly lead small businesses into bankruptcy.

Nevertheless, fines that are issued by the PCI are negligible in comparison to lawsuits, credit monitoring fees, and actions by governments. For instance, the American retail giant Target reported that the total cost of a massive credit card data breach was more than $200 million.

Is emailed credit card information in scope for PCI compliance?

PCI DSS Requirement 4.2 states that credit card information must not be captured, transmitted, or stored via end-user messaging technologies, such as regular email. Here’s why: unsecured email leaves trails of unencrypted credit card numbers in inboxes, trashes, web browser caches, etc. As with any conventional end-user technology, it’s extremely difficult to secure.

It is natural to assume that encryption would solve the problem. However, even if your email server is configured to provide strong encryption when you connect to read your email, you have no guarantee that the receiving end has the same level of encryption, neither are your sure that only the intended recipient can read the information once delivered.

It's important to highlight that violating the Payment Card Industry Data Security Standard is not a violation of the law. The PCI DSS is an agreement between the payment card companies and the processors about how data will be secured. Nevertheless, PCI noncompliance can be disastrous for the reputation of a business in case something goes wrong while handling credit card information.

What are the solutions to sharing Credit Card information digitally while staying PCI compliant?

Considering that email is the preferred method of communication for most businesses; the implementation of a secured email and digital communication platform is essential for PCI, as well as GDPR compliance. It is designed to address “risky behaviour” in digital communication. For example, a warning would be given when sensitive private information is added to an email; such as an attachment containing multiple credit card numbers, and/or if the message is addressed to a new contact or multiple recipients. In addition, strict security measures would be put in place (e.g., encryption of personal data and 2-factor authentication protection).

PCI compliance is complicated. However, using email to send or receive credit card information doesn’t have to be. Zivver is a unique platform that provides effortless, real-time human error surveillance. It also lets you control access to sensitive data by setting time limits on emails, adding additional layers of security by requiring 2FA identifiers to view emails. In addition to preventing messages from being forwarded, and giving you the power to revoke messages, should you accidentally send restricted information.

Conclusion

Although the procedure for becoming PCI compliant is reasonably straightforward, you will find substantial amounts of technical standards which could be overwhelming when you are not an authority in payment processing. Assuming that you are unsure regarding your ability to become PCI compliant on your own, it is advisable to seek assistance from an outside expert in PCI compliance. In fact, the PCI provides a summary of qualified security assessors that you can select from. Is important to keep in mind that the costs of such service are far less than the penalties of noncompliance. The old saying "better safe than sorry" could not be better applied in these circumstances.

Secure your organization's emails with Zivver, you can find out how by clicking on the link below. 

Go to our secure email page

Written by

Renato Zamagna

Originally published on May 17, 2019

Last update on July 16, 2021