Sending or receiving credit card data via email while staying PCI compliant

To prevent cardholders’ information from falling into the wrong hands, the Payment Card Industry Data Security Standard (PCI DSS) was established to hold organizations to a common standard for securing cardholder information against unauthorized exposure and exploitation.

With the rise of e-commerce, the most prominent names of the credit card industry joined forces to improve the safety of consumer data and trust in the payment ecosystem, a minimum standard for data security was created. Visa, Mastercard, American Express, Discover, and JCB formed the Payment Card Industry Security Standards Council (PCI SSC) in 2006 to administer and manage security standards for companies that handle credit card data. Before the PCI SSC was established, these five credit card companies had their own security standards programs—each with roughly similar requirements and goals. They banded together through the PCI SSC to align on one standard policy to ensure a baseline level of protection for consumers and banks in the internet era.

Validation of compliance is performed annually or quarterly, either by an external Qualified Security Assessor (QSA) or by a firm-specific Internal Security Assessor (ISA) that creates a report on compliance for organizations handling large volumes of transactions, or by Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes.

How to become PCI compliant?

PCI compliance should be one of the most important ongoing projects in any business that stores customer’s private credit card data. There are 12 steps that need to be addressed in order to achieve compliance. These steps are based on the following security requirements:

  • Build and Maintain a Secure Network and Systems
  • Protect Cardholder Data
  • Maintain a Vulnerability Management Program
  • Implement Strong Access Control Measures
  • Regularly Monitor and Test Networks
  • Maintain an Information Security Policy

PCI compliance addresses not only the credit card industry concerns. It also helps to fulfil several requirements of data security and privacy laws, such as the General Data Protection Regulation (GDPR).

Consequences of PCI violations

Based on the leading PCI Compliance Blog, fines are rarely reported and generally are given to the merchants directly. Banks pass the penalties along as increased transaction costs or maybe the termination of business relationships.

Fines can vary from $5.000 to $100.000 monthly until the merchants become compliant. This type of penalty is only suitable for large financial institutions. It can very quickly lead small businesses into bankruptcy.

Nevertheless, fines that are issued by the PCI are negligible in comparison to lawsuits, credit monitoring fees, and actions by governments. For instance, the American retail giant Target reported that the total cost of a massive credit card data breach was more than $200 million.

Is emailed credit card information in scope for PCI compliance?

PCI DSS Requirement 4.2 states that credit card information must not be captured, transmitted, or stored via end-user messaging technologies, such as regular email. Here’s why: unsecured email leaves trails of unencrypted credit card numbers in inboxes, trashes, web browser caches, etc. As with any conventional end-user technology, it’s extremely difficult to secure.

It is natural to assume that encryption would solve the problem. However, even if your email server is configured to provide strong encryption when you connect to read your email, you have no guarantee that the receiving end has the same level of encryption, neither are your sure that only the intended recipient can read the information once delivered.

It's important to highlight that violating the Payment Card Industry Data Security Standard is not a violation of the law. The PCI DSS is an agreement between the payment card companies and the processors about how data will be secured. Nevertheless, PCI noncompliance can be disastrous for the reputation of a business in case something goes wrong while handling credit card information.

What are the solutions to sharing Credit Card information digitally while staying PCI compliant?

Considering that email is the preferred method of communication for most businesses; the implementation of a secured email and digital communication platform is essential for PCI, as well as GDPR compliance. It is designed to address “risky behaviour” in digital communication. For example, a warning would be given when sensitive private information is added to an email; such as an attachment containing multiple credit card numbers, and/or if the message is addressed to a new contact or multiple recipients. In addition, strict security measures would be put in place (e.g., encryption of personal data and 2-factor authentication protection).

PCI compliance is complicated. However, using email to send or receive credit card information doesn’t have to be. ZIVVER is a unique platform that provides effortless, real-time human error surveillance. It also lets you control access to sensitive data by setting time limits on emails, adding additional layers of security by requiring 2FA identifiers to view emails. In addition to preventing messages from being forwarded, and giving you the power to revoke messages, should you accidentally send restricted information.


Although the procedure for becoming PCI compliant is reasonably straightforward, you will find substantial amounts of technical standards which could be overwhelming when you are not an authority in payment processing. Assuming that you are unsure regarding your ability to become PCI compliant on your own, it is advisable to seek assistance from an outside expert in PCI compliance. In fact, the PCI provides a summary of qualified security assessors that you can select from. Is important to keep in mind that the costs of such service are far less than the penalties of noncompliance. The old saying "better safe than sorry" could not be better applied in these circumstances.

Secure your organization's emails with ZIVVER, you can find out how by clicking on the link below. 

Go to our secure email page


Work from home securely by following these simple tips

The battle against the Coronavirus has entered a new phase. Many governments have asked employees - if at all possible - to work from home to prevent further spreading of the virus. Working from home sounds appealing to most people: no rush getting to the office, working in your pajama pants, always your favorite coffee at hand. It is fortunate that many organizations […]

Read more

Improve your Office 365 security with ZIVVER

Prevent data leaks, improve compliance and save on costs when you combine the flexibility of Office 365 with the enhanced security of ZIVVER!  Did you know that Office 365 is the most popular cloud-based office solution used by enterprises across the globe today? There are currently over 180 million subscribers worldwide and growing. Office 365 has achieved this market […]

Read more

The secret to thwarting data leaks? Securing your outbound email.

Did you know that over 160,000 data breaches have been reported across the EU since the General Data Protection Regulation (GDPR) came into force in May 2018? That amounts to hundreds of incidents every single day. While some of these data breaches generate headlines, such as the massive Marriott International or British Airways incidents (currently under appeal), the […]

Read more
Data_Breach_vs. Data_leak_explained_zivve_blog_en

Data breach vs. Data leak explained

You probably remember when Facebook's founder Mark Zuckerberg testified before the American Congress and UK lawmakers regarding the Cambridge Analytica data leak scandal. The political consulting firm harvested raw data from 87 million Facebook profiles while working for Donald Trump's presidential campaign in 2016. You might also recall the massive data breach […]

Read more
Encryption for Beginners_locks_ZIVVER_email

Encryption for Beginners 1: (A)symmetric encryption

Most people don't realize how easily an email can be sent to the wrong recipient. A typo in the address, a mistake in the configuration of a server, the wrong name selected from the automatic address book: they are all simple and common mistakes. In addition to the human error element, there is always a risk that hackers could compromise the mail server of a provider […]

Read more

Cybersecurity Awareness Month: Email and File Transfer Security

When people think about email security, they typically associate it with widely reported hacking incidents, often nefarious in nature. These breaches tend to be higher in profile for a multitude of reasons, but actually account for a lower percentage of data breaches overall. For many organizations, the biggest threat to protecting privacy-sensitive data simply comes […]

Read more