PCI Compliance and Email Security

It is common knowledge that sensitive information such as payment card data should not be sent via email in an unencrypted state. There are too many information security risks and too many opportunities for attackers to get hold of this data.

Therefore, the Payment Card Industry Data Security Standard (PCI DSS) contains specific requirements for transmitting cardholder information over open networks, including email and other messaging technologies.

See Also: Email Security Best Practices

Fortunately, encryption technologies provide strong protection for sensitive data, even in email communications. However, encrypted email makes certain communications with users more difficult and costly to conduct while still keeping your business in PCI DSS compliance.

Although email may seem safe, four components can each introduce a security vulnerability: your computer or mobile device, the outgoing email server, the recipient’s MTA server, and the recipient’s computer.

Cybercriminals can exploit vulnerabilities at any of these points to gain access to your data. You may choose to use a secure connection to submit your data; however, your connection and data are not secure if your computer or your recipient’s computer is infected.

Are Email Communications Secure?

Email messaging is a top communication option for organizations because it is fast and convenient. Most businesses connect with their staff, other companies, and even customers using email. While email is often a viable option, its security is questionable, especially when sending confidential and sensitive information such as cardholder data, trade secrets, or contract documents.

As we mentioned earlier, email messages usually pass through several servers before reaching the recipient. If they are not encrypted, these messages can be read in transit by a third party, such as a hacker.

See Also: What You Need to Know About Encrypted Communication

Sending a message via email often leaves a trace in your sent folder, browser caches, and several servers before it reaches its final destination. If these messages are sent over public networks, cybercriminals can intercept them and view the content. This becomes an issue when sending payment card data, as you risk a data breach in transit, in violation of PCI DSS requirements.

Payment card information becomes susceptible to hackers if any of the systems or servers are compromised. Therefore, PCI standards require that email messages containing cardholder data be encrypted.

In addition, PCI DSS requires you to detail the measures you have taken to ensure cardholder data is protected in transit. Email communication of cardholder data is considered part of the Cardholder Data Environment. According to PCI requirements, your CDE must be protected. Note that adding email communication to the already complex PCI scope will complicate it even more.

Companies must protect cardholder data even in transit, according to PCI requirements, and transmitting sensitive information like cardholder data via regular email exposes the data to risk.

PCI Requirement 4.1 states that you should not transmit unencrypted credit card data over open, public networks. In addition, PCI Requirement 4.2 states that you should not transmit unencrypted card data via messaging technologies such as email.

Do email credit card numbers fall under PCI compliance?

The way you submit credit card information can change your scope for PCI DSS compliance. And yes, your email server is covered by PCI security requirements.

PCI DSS Requirement 4.2 specifies that credit card information should not be captured, transmitted, or stored via end-user messaging technologies such as email. Unencrypted credit card numbers in received and sent emails persist in inboxes, trash folders, and web browser caches, and, as with any end-user technology, securing all of these locations is challenging.

See Also: Securing Card Data in Transit: PCI DSS Requirement 4

According to PCI DSS, email, instant messaging, SMS, and chat can be easily intercepted by software or hardware “sniffing packets” during delivery between internal and public networks. Packet sniffing is a tactic similar to eavesdropping on a telephone network and can be used by hackers to intercept your Internet traffic.

You can’t guarantee that the receiving party has the same level of encryption as your email server when you connect to read your email. Do not use these messaging tools to send card data unless configured to provide strong full message encryption such as PGP or GPG.

If you do not want your email server to be within the scope of your PCI compliance, you can follow the steps below:

  • If emailing credit card information is your normal business process, your process needs to be changed. If your normal process requires you to send clear text credit cards via unencrypted email, there is no way you can be PCI compliant.
  • Either encrypt your email or implement training to prevent staff from sending or receiving customer card info.
  • Ensure your written policies state that unencrypted credit card data is never sent via email or other end-user technology.
  • If credit card data is occasionally received via email, inform the customer or sender not to send their credit card data this way, and explain the dangers of using email to send credit card information.
  • Do not quote the original email in your reply. Never respond to customers with their initial email included (without deleting or masking their credit card number and deleting their CVC code), because doing so makes the problem worse.
  • Delete the email containing the credit card information from your inbox, sent folder, drafts folder, and any other folders you may have created. Once this is done, empty your email trash, empty your web browser’s cache (temporary browser files), and empty your computer’s recycle bin or trash.
  • Consult your IT department about the most secure manner to delete emails that arrive this way, and make sure everyone in your company is aware of the situation.

How to Secure Data During Email Communication

You should use email encryption rather than ordinary email to ensure that data is handled appropriately. Options include corporate email encryption platforms and webmail services that offer email encryption.

See Also: Why Email Server Security Matters

Any organization dealing with cardholder data should consider investing in email encryption as a basic necessity. Many organizations suffer losses of revenue and reputation, as well as fines, due to email leaks.

See Also: Public Key Cryptography and PGP Fundamentals

Credit card information should not be captured, sent, or stored via email, according to PCI DSS Requirement 4.2. What’s more, it’s critical to realize that email written in plain text and kept without encryption leaves copies in inboxes, sent folders, draft folders, email trash, web browser caches, and computer recycle bins.

1. End-to-end encryption

Email is widely assumed to be private and secure; however, this is not the case. Companies can use end-to-end encryption to ensure privacy and security, which means only the recipient can decrypt the message.

Full end-to-end encryption means that even service providers cannot read messages. Full end-to-end encryption is a better option than the standard encryption offered by email services.

With the standard encryption offered by email services, the message is encrypted only in transit from your computer to the SMTP server; as it progresses towards the recipient, it is handled in readable form. End-to-end encryption, by contrast, ensures that the message cannot be read without the recipient’s private key.

2. Train your employees

In addition to the security measures and technology you implement, you must also train your personnel to maintain compliance. Even if you are using an end-to-end encrypted email provider, an encryption key still has to be delivered to each user’s account.

If an employee mishandles this encryption key, an attacker who obtains it could use it to read your emails. That’s why you need to train your employees on how to protect their encryption keys. Also, train your staff on the techniques cybercriminals use to leak data and install malware.

3. Anti-phishing

Cybercriminals prefer to use the weakest link in a secure system, people, to gain critical access to systems. Large companies can invest in anti-phishing technologies, but smaller businesses may focus on more cost-effective strategies such as employee training.

However, combining preventative technologies with user education is a superior choice. You can begin by informing consumers about phishing and how it works, and how to avoid phishing, spot phishing, and respond to phishing emails.

Make a tutorial to help users recognize phishing emails. Red flags include spelling or grammatical errors and unsolicited emails requesting personal information.

This is because an established brand invests in professional copywriters, and they never ask for sensitive information like cardholder data via email. But keep in mind that cybercriminals are constantly changing their phishing techniques; therefore, your business must also adapt to these changes.

How Should Email Communication Be for PCI DSS Compliance?

Sending or receiving PCI data such as Primary Account Numbers (PANs) and credit card information via email is always risky. PCI DSS Requirement 4.1 specifies that unencrypted credit card information should not be transmitted over open networks such as the internet, wireless networks, GSM, or GPRS.

Similarly, PCI DSS Requirement 4.2 requires that end-user messaging technologies should never send unencrypted PANs.

Typically, email messages are sent and stored in plain text, leaving a trace of copies in sent folders, draft folders, inboxes, browser caches, and email trash folders.

Delivery of unprotected email text on public networks offers several opportunities for attackers to obtain cardholder data; therefore, it is critical to prevent them from viewing the data.

When it comes to payment card data such as cardholder names, expiration dates, or credit card numbers, every location where the data passes becomes a risk point for sensitive data breaches.

Companies can send PCI data via email, but this sensitive data needs to be encrypted. That’s why PCI Requirement 4 instructs businesses to encrypt the transmission of cardholder data over open, public networks. This way, companies can forward payment card information via email and remain PCI compliant.

Suppose your organization’s business model includes the need to send or receive PANs to customers. In that case, your data security policies should specify how this information is protected to ensure or maintain your compliance.

Given that most businesses prefer to communicate via email, implementing a secure email and digital communications infrastructure is critical for PCI compliance. An alert can be raised when sensitive private information is added to an email, such as an attachment containing multiple credit card numbers, or when the message is sent to a new contact or to multiple recipients.

Further email security measures, such as encryption of personal data and two-factor authentication, will increase security.
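The two controls above, alerting when a message carries card numbers and masking a PAN before a customer’s email is quoted in a reply, can both be built on the same PAN detector. The following is an added example, not code from the original article: a regex picks out 13- to 19-digit candidates, the Luhn checksum discards order numbers and other digit runs that are not card numbers, and masking keeps at most the first six and last four digits as PCI DSS permits. The email body and threshold are constructed for illustration.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check carried by real card numbers; it filters out most
    random digit runs (order numbers, tracking IDs) that the regex catches."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    """PCI DSS masking: at most the first six and last four digits stay visible."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def _normalise(match) -> str:
    return re.sub(r"[ -]", "", match.group())

def find_pans(text: str) -> list:
    """Distinct Luhn-valid PANs in text, as bare digit strings, in order found."""
    found = []
    for m in CANDIDATE_RE.finditer(text):
        digits = _normalise(m)
        if luhn_valid(digits) and digits not in found:
            found.append(digits)
    return found

def redact_pans(text: str) -> str:
    """Replace each Luhn-valid PAN with its masked form, e.g. before quoting
    a customer's message in a reply or before the mail is stored."""
    def repl(m):
        digits = _normalise(m)
        return mask_pan(digits) if luhn_valid(digits) else m.group()
    return CANDIDATE_RE.sub(repl, text)

def should_alert(text: str, threshold: int = 1) -> bool:
    """DLP-style trigger: alert once the count of distinct PANs reaches threshold."""
    return len(find_pans(text)) >= threshold

# Constructed sample message using well-known test card numbers, not real PANs.
SAMPLE_EMAIL = (
    "Hi, please charge my card 4111 1111 1111 1111 (exp 12/26) and, if that\n"
    "fails, my backup card 5555-5555-5555-4444. Order ref 1234567890123456.\n"
    "Call me on +1 555 0100 if there is a problem."
)
```

Run `find_pans(SAMPLE_EMAIL)` to see the two detected cards, and `redact_pans(SAMPLE_EMAIL)` for the masked text; the order reference survives both because it fails the Luhn check.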

Is Email Encryption Safe For Credit Card Information?

PCI DSS focuses on protecting credit card data that touches your company’s systems and networks. The sum of all the places where PCI data can be found is referred to as your Cardholder Data Environment (CDE), and all of it falls under PCI compliance.

Your entire CDE needs to be protected according to PCI compliance. By sending encrypted emails containing PCI data, your business effectively extends its CDE to every location those emails reach. For organizations looking to narrow their PCI scope, encrypted email is certainly not helpful.

It also means that while encryption may keep the mail delivery system out of PCI scope, the recipient must use the matching decryption technology, and thereby enter PCI scope themselves, in order to view the data at all.

You can choose to use email encryption to protect data, but encryption can make messaging cumbersome. Even when using encrypted emails, you still have raw data on your systems or servers that can be compromised.

Another problem may be that your recipient does not have a secure connection that can be used to access the data. Your best bet is to avoid using email communication for sensitive information, as this will only complicate your PCI compliance.

If you have no choice but to use email for sensitive information, make sure your solution complements existing email. Ideally, it would be best to use a solution that doesn’t compromise functionality to encourage adoption by your end-users.

The secure email solution you choose should not only be PCI compliant but also integrate seamlessly with existing platforms. It should also provide secure communication from any device.

The secure email solution you use for PCI compliance should be flexible and easy to use. Otherwise, users will become frustrated and fall back on unencrypted channels instead of encrypted email.

End users value data protection, but not at the expense of functionality. If your solution sacrifices functionality, your business will have trouble enforcing the use of encrypted email, which will lead to compliance violations.

The one thing PCI doesn’t protect against is human error. You can tell your customers or partners not to email credit card information when you request it, but that won’t prevent someone from using email if there’s a problem with the payment system.

Surkay Baykara (https://www.pcidssguide.com)

A passionate Senior Information Security Consultant working at Cyberwise. Over the past 15+ years my professional career has included several positions, beginning as a developer and IT administrator and working my way up to a senior Technical Performance Consultant before joining Biznet back in 2015. I had several different roles at Cyberwise, including Penetration Tester and PCI DSS QSA. In my job as a QSA, I found my passion and worked closely with the Audit and Compliance team. I've been working inside InfoSec for over 15 years, coming from a highly technical background. I have earned several certifications during my professional career, including CEH, CISA, CISSP, and PCI QSA.
