Sending or receiving credit card data via email while staying PCI compliant

To prevent cardholders’ information from falling into the wrong hands, the Payment Card Industry Data Security Standard (PCI DSS) was established to hold organizations to a common standard for securing cardholder information against unauthorized exposure and exploitation.

With the rise of e-commerce, the most prominent names of the credit card industry joined forces to improve the safety of consumer data and trust in the payment ecosystem, and a minimum standard for data security was created. Visa, Mastercard, American Express, Discover, and JCB formed the Payment Card Industry Security Standards Council (PCI SSC) in 2006 to administer and manage security standards for companies that handle credit card data. Before the PCI SSC was established, these five credit card companies had their own security standards programs, each with roughly similar requirements and goals. They banded together through the PCI SSC to align on one standard policy to ensure a baseline level of protection for consumers and banks in the internet era.

Validation of compliance is performed annually or quarterly, either by an external Qualified Security Assessor (QSA) or by a firm-specific Internal Security Assessor (ISA) that creates a report on compliance for organizations handling large volumes of transactions, or by Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes.

How to become PCI compliant?

PCI compliance should be one of the most important ongoing projects in any business that stores customers' private credit card data. There are 12 steps that need to be addressed in order to achieve compliance. These steps are based on the following security requirements:

  • Build and Maintain a Secure Network and Systems
  • Protect Cardholder Data
  • Maintain a Vulnerability Management Program
  • Implement Strong Access Control Measures
  • Regularly Monitor and Test Networks
  • Maintain an Information Security Policy

PCI compliance addresses more than the credit card industry's concerns. It also helps to fulfil several requirements of data security and privacy laws, such as the General Data Protection Regulation (GDPR).

Consequences of PCI violations

According to the leading PCI Compliance Blog, fines are rarely reported and are generally given to the merchants directly. Banks pass the penalties along as increased transaction costs or possibly as the termination of business relationships.

Fines can vary from $5,000 to $100,000 monthly until the merchant becomes compliant. This type of penalty is only bearable for large financial institutions. It can very quickly lead small businesses into bankruptcy.

Nevertheless, fines that are issued by the PCI are negligible in comparison to lawsuits, credit monitoring fees, and actions by governments. For instance, the American retail giant Target reported that the total cost of a massive credit card data breach was more than $200 million.

Is emailed credit card information in scope for PCI compliance?

PCI DSS Requirement 4.2 states that credit card information must not be captured, transmitted, or stored via end-user messaging technologies, such as regular email. Here’s why: unsecured email leaves trails of unencrypted credit card numbers in inboxes, trash folders, web browser caches, and so on. As with any conventional end-user technology, it’s extremely difficult to secure.

It is natural to assume that encryption would solve the problem. However, even if your email server is configured to provide strong encryption when you connect to read your email, you have no guarantee that the receiving end has the same level of encryption, nor can you be sure that only the intended recipient can read the information once delivered.

It's important to highlight that violating the Payment Card Industry Data Security Standard is not a violation of the law. The PCI DSS is an agreement between the payment card companies and the processors about how data will be secured. Nevertheless, PCI noncompliance can be disastrous for the reputation of a business in case something goes wrong while handling credit card information.

What are the solutions to sharing Credit Card information digitally while staying PCI compliant?

Considering that email is the preferred method of communication for most businesses, the implementation of a secured email and digital communication platform is essential for PCI as well as GDPR compliance. Such a platform is designed to address “risky behaviour” in digital communication. For example, a warning would be given when sensitive private information is added to an email, such as an attachment containing multiple credit card numbers, and/or if the message is addressed to a new contact or multiple recipients. In addition, strict security measures would be put in place (e.g., encryption of personal data and 2-factor authentication protection).
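The pre-send check described above, as an added example (not ZIVVER's implementation and not part of the original article): it scans the body and text attachments of an outgoing message for Luhn-valid card numbers and reports whether the message goes to a new contact or to multiple recipients. The function names, the `known_contacts` set and the sample message are assumptions made for illustration.

```python
import re
from email.message import EmailMessage
from email.utils import getaddresses

# 13-19 digits, optionally separated by single spaces or hyphens.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit, counting from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_pans(text: str) -> list:
    """Return Luhn-valid card numbers, masked to first 6 / last 4 digits."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return hits

def review_outgoing(msg: EmailMessage, known_contacts: set) -> dict:
    """Scan body and text attachments; report the risk signals to warn on."""
    pans = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            pans += find_pans(part.get_content())
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    rcpts = {addr.lower() for _, addr in getaddresses([str(h) for h in headers])}
    return {"pans": pans,
            "new_contacts": sorted(rcpts - known_contacts),
            "multiple_recipients": len(rcpts) > 1}

def build_sample() -> EmailMessage:
    """Constructed sample using published test card numbers, not real data."""
    msg = EmailMessage()
    msg["To"] = "billing@example.com, new.vendor@example.net"
    msg["Subject"] = "Customer cards"
    msg.set_content("See attached. Order ref 1234567890123456.")
    msg.add_attachment("name,card\nA,4111 1111 1111 1111\nB,5500-0000-0000-0004\n",
                       subtype="csv", filename="cards.csv")
    return msg

if __name__ == "__main__":
    print(review_outgoing(build_sample(), {"billing@example.com"}))
```

The 16-digit order reference in the body fails the Luhn check and is not flagged, which is what keeps false positives manageable. Binary attachments such as PDF or Office files would need text extraction before a scan like this can see their contents.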

PCI compliance is complicated. However, using email to send or receive credit card information doesn’t have to be. ZIVVER is a unique platform that provides effortless, real-time human error surveillance. It also lets you control access to sensitive data by setting time limits on emails and adds additional layers of security by requiring 2FA identifiers to view emails. In addition, it prevents messages from being forwarded and gives you the power to revoke messages, should you accidentally send restricted information.

Conclusion

Although the procedure for becoming PCI compliant is reasonably straightforward, the substantial number of technical standards can be overwhelming if you are not an authority in payment processing. If you are unsure of your ability to become PCI compliant on your own, it is advisable to seek assistance from an outside expert in PCI compliance. In fact, the PCI provides a list of qualified security assessors that you can select from. It is important to keep in mind that the costs of such a service are far less than the penalties of noncompliance. The old saying "better safe than sorry" could not be better applied in these circumstances.
