What You Should Know About PCI Compliance And Email Security
Basis Theory’s Take
Long story short: PCI compliance is exceptionally difficult to maintain if you want to use email to share any kind of PII. And doing so will require a technology investment neither you nor your customers are likely to want to make.
Introduction
To process debit and credit card data, businesses must meet the Payment Card Industry’s standards for security.
However, with email being the preferred form of communication in many industries, businesses may be confused about the impact of PCI compliance on email security and what protections are needed to make sure their company is staying within compliance.
Although emails seem secure, they have four points of vulnerability:
- The sender’s computer or mobile device,
- the outgoing email server,
- the recipient’s MTA server,
- and the recipient’s computer.
Cybercriminals can exploit the vulnerabilities in any of these points to gain access to valuable data. So, should you send payment information via email? Let’s dive in.
Are Email Communications Secure?
Email is a convenient way to communicate with employees, other companies, and customers. But its security is questionable when it comes to sending confidential information such as cardholder data, business secrets, contract papers, etc.
When the sender sends an email message, it usually passes through several servers before reaching the recipient. Because of this transmission, there is a risk of email interception between the sending and receiving endpoints. More troublingly, every server that an email carrying PII passes through becomes part of your Cardholder Data Environment (CDE), and therefore adds risk and cost to your enterprise.
According to PCI requirements—which are designed to protect cardholder data—companies need to protect their customers’ information during transit, too. Therefore, sending sensitive information like written-out cardholder data into a standard email means that the data is vulnerable and threatens your compliance record (not to mention the reality that it increases your chances of a data leak).
Requirement 4.1 dictates that you shouldn’t transmit unencrypted credit card data over open public networks; requirement 4.2 also states that you shouldn't transmit unencrypted PANs via messaging technologies like email. To put a fine point on it, without substantial investment and development, email is not nearly secure enough for you to use to transmit PII.
Why Sending Unencrypted Data Via Email Is Risky
It's important to be aware of what an organization needs to do in order to stay PCI compliant when it comes to email security. Sending a message via email typically leaves a trail in sent folders, browser caches, and several intermediate servers, as well as at its final destination. Worse, unless the email is end-to-end encrypted (a non-standard technical setup), it can be captured and read at each mail server it traverses on the way to its final destination. Even though email is generally transmitted over HTTPS or TLS 1.2, including cardholder data in an email message brings that email communication into PCI scope.
The only way to adhere to PCI standards would be to ensure that email messages containing cardholder data are end-to-end encrypted. You will also be required by the PCI Security Standards Council (PCI SSC) to document the measures you’ve put in place to ensure that cardholder data is protected during transit.
Do credit card numbers in email fall under PCI compliance?
PCI DSS Requirement 4.2 specifies that credit card information should not be captured, transmitted, or stored via end-user messaging technologies such as email. Because unencrypted credit card numbers in received and sent emails end up stored in inboxes, trash folders, and web browser caches, securing them is close to impossible.
According to PCI DSS, email, instant messaging, SMS, and chat can be intercepted by software or hardware “sniffing packets” during delivery between internal and public networks. Packet sniffing is a tactic similar to eavesdropping on a telephone network and can be used by attackers to intercept your Internet traffic. While this is a relatively low risk in today’s all-encrypted transmissions, you will still need a documented process for ensuring you are secure.
However, even if you successfully encrypt the email while it’s in transit, it is hard to guarantee that the receiving party has the same encryption capabilities as the sender. Remember, sending credit card information via email puts not only the sender into PCI scope, but the receiver as well. So by delivering PII via email, you also take on accountability for the security of the recipient’s environment.
If you are unfortunate enough to receive an email that contains cardholder data and is not end-to-end encrypted, you should have a written process to ensure that, at the very least, you:
- Remind the sender not to forward credit card data via email and explain the dangers of using email to send credit card information.
- Do not quote the original email in your reply. Never respond to a customer by including their initial message (without deleting or masking the credit card number and deleting the CVC code), because doing so makes the problem worse.
- Delete the email containing the credit card information from your inbox, sent folder, drafts folder, and any other folders you may have created. Once this is done, empty your email trash, empty your web browser’s cache (temporary browser files), and empty your computer’s recycle bin or trash.
- Consult your IT department about the most secure manner to delete emails that arrive this way, and make sure everyone in your company is aware of the situation.
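As an added example, not code from the original article or from Basis Theory: a small Python check that flags Luhn-valid card numbers in a received email body and masks them to the last four digits, the kind of filter a help desk or mail gateway could run before a message is quoted in a reply or forwarded. The CVC label pattern, the last-four masking choice and the sample message are this example's own assumptions.

```python
import re

# Constructed sample email body (not a real message); the card number is a
# well-known test PAN, and the "Order ref" is a 14-digit number that is NOT
# Luhn-valid, so a naive digit-run match would be a false positive.
SAMPLE_EMAIL = """Hi, please charge my card 4111 1111 1111 1111, exp 12/29, CVV: 123.
Order ref 12345678901234 is unrelated. Thanks!"""

# 13-19 digits, optionally separated by spaces or hyphens, not embedded in a
# longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Assumed label formats for a security code ("CVV: 123", "CVC2 1234", ...).
CVC_PATTERN = re.compile(r"\b(CV[CV]2?|CSC|security code)\s*[:#]?\s*\d{3,4}\b",
                         re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _digits(raw: str) -> str:
    return re.sub(r"[ -]", "", raw)


def find_pans(text: str) -> list:
    """Return candidate card numbers (as written) that are Luhn-valid."""
    return [m.group() for m in PAN_CANDIDATE.finditer(text)
            if 13 <= len(_digits(m.group())) <= 19 and luhn_ok(_digits(m.group()))]


def mask_pan(raw: str) -> str:
    """Keep only the last four digits (assumed masking policy for this example)."""
    d = _digits(raw)
    return "*" * (len(d) - 4) + d[-4:]


def redact_email(text: str) -> str:
    """Mask Luhn-valid PANs and remove labelled security codes from a message."""
    def _mask(m):
        d = _digits(m.group())
        return mask_pan(m.group()) if 13 <= len(d) <= 19 and luhn_ok(d) else m.group()
    text = PAN_CANDIDATE.sub(_mask, text)
    return CVC_PATTERN.sub(lambda m: m.group(1) + ": [removed]", text)
```

Running `redact_email(SAMPLE_EMAIL)` leaves the order reference intact while masking the PAN and stripping the CVV, which is the minimum the quoted reply in the list above should look like.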
How Do You Secure Email Communications and Meet PCI Requirements?
Some of the solutions that can work to meet PCI requirements via email communications include:
- Use end-to-end email encryption
Many believe email communications are inherently private and secure, but they are not. To ensure privacy and security, companies can use end-to-end encryption, which would mean that only the recipient can decrypt the message. Full end-to-end encryption would also mean that mail servers that are part of the delivery path are also prevented from intercepting or reading the content of the email.
This option is more robust, and harder to implement, than the standard encryption offered by free email services like Gmail. Free email service providers only encrypt messages in transit from your computer to their SMTP servers. As it proceeds to the recipient, the message is readable.
End-to-end encryption, by contrast, ensures that the message cannot be read without the recipient's private key. This requires both sender and recipient to have agreed on an encryption method, to have exchanged public keys, and to be technically savvy enough to operate in a non-standard encryption environment; suffice it to say, this is a heavy burden for the average consumer.
- Train employees on best practices
In addition to the security measures and technologies your organization implements, train employees to maintain compliance. Even when using an end-to-end encrypted email service, a mishandled encryption key could open the door for a cybercriminal to access the email messages.
Therefore it is paramount to train employees on how to safeguard encryption keys for the safety of the entire organization. Also, educate employees on the techniques used by cybercriminals to access data to help them become more aware of how their own practices could cause data to be compromised.
- Focus on averting phishing attacks
Cybercriminals understand that the weakest link in a secure system is the human user and exploit this weakness to gain critical access. While larger organizations can invest in phishing prevention technologies, smaller organizations may opt to focus on employee education. If budget allows, the best option is to combine prevention technologies with user education. Organizations can begin by educating users on how phishing is carried out, how to identify phishing attacks, and how to handle phishing emails.
Formulate a guideline to help users identify phishing emails. A few common traits of phishing emails are:
- Spelling and grammatical errors, especially in the sender’s information
- Requests for personal information, payment details, or login credentials
- Urgent demands with an unfamiliar tone
- Offers that seem too good to be true
- Partner with technology providers that support security
If communication via email is essential, consider working with a third-party provider that can help you secure information.
One option is to send a link with the private information instead of including the readable information in the body of the email. Using a free tool like sendsecure.ly can give you the option to send private information via a one-time-use secured link with a set expiration date. By adding this extra layer, should an attacker access the email contents after you’ve used the link, the secret information will no longer be available to access.
Is Email Encryption Enough?
You can use email encryption to protect email data, but it doesn’t guarantee the data will not be compromised at some point in transmission. If not fully protected or tokenized, the raw data from your customers could be compromised.
The best option is to avoid using email communication for sensitive information, as the complications and risks likely will not outweigh the potential benefits.
To maintain PCI compliance in your organization, you are required to provide a compliant solution. While end users care about data protection, many will not accept it if it comes at the expense of functionality. This means that your organization may have trouble enforcing the use of encrypted email, which will lead to compliance violations.