Sending or receiving credit card data via email while staying PCI compliant

To prevent cardholders’ information from falling into the wrong hands, the Payment Card Industry Data Security Standard (PCI DSS) was established to hold organizations to a common standard for securing cardholder information against unauthorized exposure and exploitation.

With the rise of e-commerce, the most prominent names of the credit card industry joined forces to improve the safety of consumer data and trust in the payment ecosystem, a minimum standard for data security was created. Visa, Mastercard, American Express, Discover, and JCB formed the Payment Card Industry Security Standards Council (PCI SSC) in 2006 to administer and manage security standards for companies that handle credit card data. Before the PCI SSC was established, these five credit card companies had their own security standards programs—each with roughly similar requirements and goals. They banded together through the PCI SSC to align on one standard policy to ensure a baseline level of protection for consumers and banks in the internet era.

Validation of compliance is performed annually or quarterly, either by an external Qualified Security Assessor (QSA) or by a firm-specific Internal Security Assessor (ISA) that creates a report on compliance for organizations handling large volumes of transactions, or by Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes.

How to become PCI compliant?

PCI compliance should be one of the most important ongoing projects in any business that stores customer’s private credit card data. There are 12 steps that need to be addressed in order to achieve compliance. These steps are based on the following security requirements:

  • Build and Maintain a Secure Network and Systems
  • Protect Cardholder Data
  • Maintain a Vulnerability Management Program
  • Implement Strong Access Control Measures
  • Regularly Monitor and Test Networks
  • Maintain an Information Security Policy

PCI compliance addresses not only the credit card industry concerns. It also helps to fulfil several requirements of data security and privacy laws, such as the General Data Protection Regulation (GDPR).

Consequences of PCI violations

Based on the leading PCI Compliance Blog, fines are rarely reported and generally are given to the merchants directly. Banks pass the penalties along as increased transaction costs or maybe the termination of business relationships.

Fines can vary from $5.000 to $100.000 monthly until the merchants become compliant. This type of penalty is only suitable for large financial institutions. It can very quickly lead small businesses into bankruptcy.

Nevertheless, fines that are issued by the PCI are negligible in comparison to lawsuits, credit monitoring fees, and actions by governments. For instance, the American retail giant Target reported that the total cost of a massive credit card data breach was more than $200 million.

Is emailed credit card information in scope for PCI compliance?

PCI DSS Requirement 4.2 states that credit card information must not be captured, transmitted, or stored via end-user messaging technologies, such as regular email. Here’s why: unsecured email leaves trails of unencrypted credit card numbers in inboxes, trashes, web browser caches, etc. As with any conventional end-user technology, it’s extremely difficult to secure.

It is natural to assume that encryption would solve the problem. However, even if your email server is configured to provide strong encryption when you connect to read your email, you have no guarantee that the receiving end has the same level of encryption, neither are your sure that only the intended recipient can read the information once delivered.

It's important to highlight that violating the Payment Card Industry Data Security Standard is not a violation of the law. The PCI DSS is an agreement between the payment card companies and the processors about how data will be secured. Nevertheless, PCI noncompliance can be disastrous for the reputation of a business in case something goes wrong while handling credit card information.

What are the solutions to sharing Credit Card information digitally while staying PCI compliant?

Considering that email is the preferred method of communication for most businesses; the implementation of a secured email and digital communication platform is essential for PCI, as well as GDPR compliance. It is designed to address “risky behaviour” in digital communication. For example, a warning would be given when sensitive private information is added to an email; such as an attachment containing multiple credit card numbers, and/or if the message is addressed to a new contact or multiple recipients. In addition, strict security measures would be put in place (e.g., encryption of personal data and 2-factor authentication protection).

PCI compliance is complicated. However, using email to send or receive credit card information doesn’t have to be. ZIVVER is a unique platform that provides effortless, real-time human error surveillance. It also lets you control access to sensitive data by setting time limits on emails, adding additional layers of security by requiring 2FA identifiers to view emails. In addition to preventing messages from being forwarded, and giving you the power to revoke messages, should you accidentally send restricted information.


Although the procedure for becoming PCI compliant is reasonably straightforward, you will find substantial amounts of technical standards which could be overwhelming when you are not an authority in payment processing. Assuming that you are unsure regarding your ability to become PCI compliant on your own, it is advisable to seek assistance from an outside expert in PCI compliance. In fact, the PCI provides a summary of qualified security assessors that you can select from. Is important to keep in mind that the costs of such service are far less than the penalties of noncompliance. The old saying "better safe than sorry" could not be better applied in these circumstances.

Download our productsheet

The_advantages_of_Email_vs_Fax and_Snail_Mail_zivver_blog_en

The Advantages of Email vs. Fax and Snail Mail

Before email came into popularity, fax transmissions presented the only way to send written communication quickly. They could provide paper printouts in a few short minutes over hundreds of thousands of kilometers. Nowadays, email has become the preferred method of communication. Consequently, most companies have entirely abandoned fax machines. […]

Read more
Data_Breach_vs. Data_leak_explained_zivve_blog_en

Data breach vs. Data leak explained

You probably remember when Facebook's founder Mark Zuckerberg testified before the American Congress and UK lawmakers regarding the Cambridge Analytica data leak scandal. The political consulting firm harvested raw data from 87 million Facebook profiles while working for Donald Trump's presidential campaign in 2016. You might also recall the massive data breach […]

Read more
Untitled design (2)

Encryption for beginners 2: PGP and Hashing

If you want to prevent unintended recipients from gaining access to emails containing sensitive personal data, it is imperative to use encryption. Encryption is an interesting and yet complex subject, not widely understood by the general public. We started covering the topic with the encryption for beginners 1 blog post, in which we highlighted the differences between […]

Read more
Cloud_based_office_support tools_that_are_U.S._rooted_fail GDPR_complianc_ZIVVER_Eng_blog

Cloud-based office support tools that are U.S. rooted, fail GDPR compliance

It is estimated that the U.S.A. supplies 80% of the global cloud computing services. And nearly all most-used cloud-based solutions for email and word processing are from the US. This causes a big issue for European companies using these vendors since they are not GDPR compliant. This is the conclusion of a research performed by the Swedish National Public Procurement […]

Read more
Human_error_is_the_primary_cause_of_most_data_leaks_The_Dutch_lend_a_helping_hand_pointing_ out_the_cause_ZIVVER_EN_blog-1

Human error is the primary cause of most data leaks. The Dutch lend a helping hand pointing out the causes


Read more