Are emailed credit card numbers in scope for PCI compliance?

Gary Glover, Director of Security Assessments
By: Gary Glover
The specific way credit card data is transmitted might just change your scope for PCI DSS compliance. (Learn more about reducing PCI scope.) A common and recurring question I get is, if you receive primary account numbers (PAN) via email, is your email server in scope of PCI?

Is it safe to email credit card informationYes, your email server is in scope for PCI security requirements.

PCI DSS Requirement 4.2 states credit card information must not be captured, transmitted, or stored via end-user messaging technologies (like email.) Here’s why: email leaves trails of credit card numbers in inboxes, trashes, web browser caches, etc. As with any end-user technology, it’s extremely difficult to secure.

According to the PCI DSS, e-mail, instant messaging, SMS, and chat can be easily intercepted by packet-sniffing during delivery across internal and public networks. (Learn more about packet-sniffers and other hacking techniques.) Even if your email server is configured to provide strong encryption when you connect to read your mail, you have no guarantee that the receiving end has the same level of encryption. Do not utilize these messaging tools to send PAN unless they are configured to provide strong entire message encryption (PGP, GPG, etc.) Even then, it’s probably just easier to find another way to transfer sensitive credit card data.

Similar requirements for sending and receiving protected health information over email are essential for HIPAA compliance.

If you don’t want your email server to be in scope of your PCI compliance, there are a few actions you must take.

If accepting or sending emailed credit cards is a normal business process:

  1. Understand your process must be changed. There is no way for you to be compliant if your normal process requires sending clear text credit cards via unencrypted email.
  2. Either decide to encrypt your email, or initiate training for employees to forbid the sending or receiving of customer card data.
  3. Ensure your written policies state unprotected PAN is never to be sent via email or other end-user technologies.

PCI compliance email credit card information If one or two credit cards come through email by accident:

  1. Inform the customer (or sales person, etc.) to stop. Educate them about the dangers of using email to send credit card information. Make sure you don’t respond by including the original email.
  2. Talk to your IT department about the best way to delete this message securely (it’s difficult to get rid of emails on Exchange servers because they journal messages in case they need to be restored someday).
  3. Be sure there is training for employees to know how to handle this situation.

Gary Glover (CISSP, CISA, QSA, PA-QSA) is Director of Security Assessment at SecurityMetrics with over 10 years of PCI audit experience and 25 years of Star Wars quoting skills. May the Force be with you as you visit his other blog posts.