Sending or receiving credit card data via email while staying PCI compliant

To prevent cardholders’ information from falling into the wrong hands, the Payment Card Industry Data Security Standard (PCI DSS) was established to hold organizations to a common standard for securing cardholder information against unauthorized exposure and exploitation.

With the rise of e-commerce, the most prominent names of the credit card industry joined forces to improve the safety of consumer data and trust in the payment ecosystem, a minimum standard for data security was created. Visa, Mastercard, American Express, Discover, and JCB formed the Payment Card Industry Security Standards Council (PCI SSC) in 2006 to administer and manage security standards for companies that handle credit card data. Before the PCI SSC was established, these five credit card companies had their own security standards programs—each with roughly similar requirements and goals. They banded together through the PCI SSC to align on one standard policy to ensure a baseline level of protection for consumers and banks in the internet era.

Validation of compliance is performed annually or quarterly, either by an external Qualified Security Assessor (QSA) or by a firm-specific Internal Security Assessor (ISA) that creates a report on compliance for organizations handling large volumes of transactions, or by Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes.

How to become PCI compliant?

PCI compliance should be one of the most important ongoing projects in any business that stores customer’s private credit card data. There are 12 steps that need to be addressed in order to achieve compliance. These steps are based on the following security requirements:

  • Build and Maintain a Secure Network and Systems
  • Protect Cardholder Data
  • Maintain a Vulnerability Management Program
  • Implement Strong Access Control Measures
  • Regularly Monitor and Test Networks
  • Maintain an Information Security Policy

PCI compliance addresses not only the credit card industry concerns. It also helps to fulfil several requirements of data security and privacy laws, such as the General Data Protection Regulation (GDPR).

Consequences of PCI violations

Based on the leading PCI Compliance Blog, fines are rarely reported and generally are given to the merchants directly. Banks pass the penalties along as increased transaction costs or maybe the termination of business relationships.

Fines can vary from $5.000 to $100.000 monthly until the merchants become compliant. This type of penalty is only suitable for large financial institutions. It can very quickly lead small businesses into bankruptcy.

Nevertheless, fines that are issued by the PCI are negligible in comparison to lawsuits, credit monitoring fees, and actions by governments. For instance, the American retail giant Target reported that the total cost of a massive credit card data breach was more than $200 million.

Is emailed credit card information in scope for PCI compliance?

PCI DSS Requirement 4.2 states that credit card information must not be captured, transmitted, or stored via end-user messaging technologies, such as regular email. Here’s why: unsecured email leaves trails of unencrypted credit card numbers in inboxes, trashes, web browser caches, etc. As with any conventional end-user technology, it’s extremely difficult to secure.

It is natural to assume that encryption would solve the problem. However, even if your email server is configured to provide strong encryption when you connect to read your email, you have no guarantee that the receiving end has the same level of encryption, neither are your sure that only the intended recipient can read the information once delivered.

It's important to highlight that violating the Payment Card Industry Data Security Standard is not a violation of the law. The PCI DSS is an agreement between the payment card companies and the processors about how data will be secured. Nevertheless, PCI noncompliance can be disastrous for the reputation of a business in case something goes wrong while handling credit card information.

What are the solutions to sharing Credit Card information digitally while staying PCI compliant?

Considering that email is the preferred method of communication for most businesses; the implementation of a secured email and digital communication platform is essential for PCI, as well as GDPR compliance. It is designed to address “risky behaviour” in digital communication. For example, a warning would be given when sensitive private information is added to an email; such as an attachment containing multiple credit card numbers, and/or if the message is addressed to a new contact or multiple recipients. In addition, strict security measures would be put in place (e.g., encryption of personal data and 2-factor authentication protection).

PCI compliance is complicated. However, using email to send or receive credit card information doesn’t have to be. ZIVVER is a unique platform that provides effortless, real-time human error surveillance. It also lets you control access to sensitive data by setting time limits on emails, adding additional layers of security by requiring 2FA identifiers to view emails. In addition to preventing messages from being forwarded, and giving you the power to revoke messages, should you accidentally send restricted information.

Conclusion

Although the procedure for becoming PCI compliant is reasonably straightforward, you will find substantial amounts of technical standards which could be overwhelming when you are not an authority in payment processing. Assuming that you are unsure regarding your ability to become PCI compliant on your own, it is advisable to seek assistance from an outside expert in PCI compliance. In fact, the PCI provides a summary of qualified security assessors that you can select from. Is important to keep in mind that the costs of such service are far less than the penalties of noncompliance. The old saying "better safe than sorry" could not be better applied in these circumstances.

Secure your organization's emails with ZIVVER, you can find out how by clicking on the link below. 

Go to our secure email page

RELATED
man_holding_arms_out

CCPA, NTA, DPA, GDPR, WTF?

While the General Data Protection Regulation (GDPR) in the EU has been in place for a few years now, other countries and regions have adopted their own version of enhanced privacy legislation to keep up with the pace of change.  One such region is California. The California Consumer Protection Act (CCPA), is modeled after the GDPR in many respects, but there are also […]

Read more
man_holding_arms_out

CCPA, NTA, DPA, GDPR, WTF?

While the General Data Protection Regulation (GDPR) in the EU has been in place for a few years now, other countries and regions have adopted their own version of enhanced privacy legislation to keep up with the pace of change.  One such region is California. The California Consumer Protection Act (CCPA), is modeled after the GDPR in many respects, but there are also […]

Read more
Doctor_laptop_telemedicine

8 reasons telemedicine is making headlines now

It should come as no surprise that telemedicine, sometimes referred to as telehealth or eHealth, has been featured prominently in the news lately. That’s because healthcare systems and professionals are seeking safe alternatives to provide patient care in the wake of the COVID-19 pandemic. While only a fraction of people worldwide have used telemedicine for […]

Read more
Doctor_laptop_telemedicine

8 reasons telemedicine is making headlines now

It should come as no surprise that telemedicine, sometimes referred to as telehealth or eHealth, has been featured prominently in the news lately. That’s because healthcare systems and professionals are seeking safe alternatives to provide patient care in the wake of the COVID-19 pandemic. While only a fraction of people worldwide have used telemedicine for […]

Read more
ZIVVER_safety_locks

ZIVVER’s secure communication platform is a market leader

When it comes to safeguarding data, you have to first look at the root cause of most breaches. Around the globe, human error is consistently the top cause of data leaks, so it’s important to have a security platform that can effectively tackle this. Many companies claim to offer solutions, few actually deliver on providing top flight security alongside […]

Read more
Data_Breach_vs. Data_leak_explained_zivve_blog_en

Data breach vs. Data leak explained

You probably remember when Facebook's founder Mark Zuckerberg testified before the American Congress and UK lawmakers regarding the Cambridge Analytica data leak scandal. The political consulting firm harvested raw data from 87 million Facebook profiles while working for Donald Trump's presidential campaign in 2016. You might also recall the massive data breach […]

Read more