Sending Credit Card Info Over Email

The way you handle emailing credit card info might just change your scope for PCI DSS compliance.

Are emailed credit card numbers in scope for PCI compliance?

How you handle credit card numbers that arrive by email can change your PCI DSS scope. We often get this question: if you receive primary account numbers (PAN) via email, is your email server in scope for PCI DSS?

Yes. Any system that stores, processes, or transmits cardholder data is part of the cardholder data environment, so a mail server that holds PAN, even PAN you never asked for, is in scope for the PCI DSS security requirements.

PCI DSS Requirement 4.2 states that unprotected PAN must never be sent via end-user messaging technologies such as email, instant messaging, SMS, and chat. Here’s why: email leaves copies of unencrypted card numbers in inboxes, sent folders, trash, server journals and backups, and webmail browser caches. As with any end-user technology, securing every one of those locations is extremely difficult.

According to the PCI DSS guidance, e-mail, instant messaging, SMS, and chat can easily be intercepted by “packet-sniffing” software or hardware as messages travel across internal and public networks. Packet sniffing is the network equivalent of wiretapping a phone line: an attacker with access to any network segment the message crosses can capture the traffic and read whatever is not encrypted.

Even if your email server uses TLS when you connect to read your mail, that protects only one hop. You have no guarantee that server-to-server delivery or the recipient’s connection is encrypted, and the message sits in cleartext at rest on every mail server and mailbox along the way. Do not use these messaging tools to send PAN unless the message body itself is encrypted end to end before it is sent (OpenPGP via GPG, S/MIME, or similar), so that only the intended recipient can decrypt it. Even then, it is usually easier to find another way to transfer sensitive card data.

If you don’t want your email server to be in scope of your PCI compliance, there are a few things you can do.

If emailing credit card info is a normal business process:

  1. Understand that your process must change. There is no way to be compliant if your normal process requires sending cleartext PAN via unencrypted email.
  2. Either encrypt the messages end to end, or train employees that sending or receiving customer card data by email is forbidden.
  3. Ensure your written policies state that unprotected PAN is never to be sent via email or other end-user messaging technologies.

If one or two credit cards come through email by accident:

  1. Tell the sender (customer, salesperson, etc.) to stop, and explain the risks of sending card data by email. When you reply, do not quote or attach the original message; doing so re-sends the PAN.
  2. Ask your IT department how to delete the message securely. This is harder than pressing Delete: many mail servers journal or back up messages so they can be restored later, and those copies must be located and purged too.
  3. Make sure employees are trained on how to handle this situation when it happens.