PCI Compliance And Email Security
To process debit and credit card data, businesses must meet the Payment Card Industry’s standards for security.
However, with email being the preferred form of communication in many industries, businesses may be confused about the impact of PCI compliance on email security and the protections needed to ensure their company remains compliant.
Although emails seem secure, they have four points of vulnerability:
- Sender’s computer or mobile device.
- Outgoing email server.
- Recipient’s MTA server.
- Recipient’s computer.
Cybercriminals can exploit the vulnerabilities in any of these points to gain access to valuable data. Email is a convenient way to communicate with employees, other companies, and customers. When the sender sends an email message, it usually passes through several servers before reaching the recipient. Because of this transmission, there is a risk of email interception between the sending and receiving endpoints.
More troublingly, every server that an email carrying PII passes through becomes part of your Cardholder Data Environment (CDE), and therefore adds risk and cost to your enterprise.
According to PCI requirements—which are designed to protect cardholder data—companies need to protect their customers’ information during transit, too. Therefore, sending sensitive information, such as written cardholder data, in a standard email makes it vulnerable and threatens your compliance record (not to mention the fact that it increases your chances of a data leak).
Requirement 4.1 dictates that you shouldn’t transmit unencrypted credit card data over open public networks; requirement 4.2 also states that you shouldn't transmit unencrypted PANs via messaging technologies like email. To put a fine point on it, without substantial investment and development, email is not nearly secure enough for you to use to transmit PII.
It's important to understand what an organization needs to do to remain PCI-compliant regarding email security. Sending a message via email typically leaves a trail in sent folders, in browser caches, and on several servers, as well as at its final destination. Worse, unless the email is end-to-end encrypted (a non-standard technical setup), it can be captured and read at each mail server it traverses on the way to its final destination. Even though email is generally transmitted over HTTPS or TLS 1.2, including cardholder data in an email message will bring email communication into the PCI scope.
The only way to adhere to PCI standards would be to ensure that email messages containing cardholder data are end-to-end encrypted. You will also be required by the PCI Security Standards Council (PCI SSC) to detail the measures you’ve put in place to ensure that cardholder data is protected during transit.
Do credit card numbers in email fall under PCI compliance?
PCI DSS Requirement 4.2 specifies that credit card information should not be captured, transmitted, or stored via end-user messaging technologies such as email. Because unencrypted credit card numbers in received and sent emails are stored in inboxes, trash folders, and web browser caches, securing them is close to impossible.
According to PCI DSS, email, instant messaging, SMS, and chat can be intercepted by software or hardware “sniffing packets” during delivery between internal and public networks. Packet sniffing is a tactic similar to eavesdropping on a telephone network and can be used by hackers to intercept your Internet traffic. While this is a relatively low risk in today’s all-encrypted transmissions, you will need to have a documented process for ensuring you are secure.
However, even if you successfully encrypt the email while it’s in transit, it is hard to guarantee that the receiving party has the same encryption capabilities as the sender. Remember, sending credit card information via email puts not only the sender but also the receiver into PCI scope. So by delivering PII via email, you take on accountability for the security of the recipient’s environment as well.
If you are unfortunate enough to receive an email that contains cardholder data, and which is not end-to-end encrypted, you should have a written process to ensure that, at the very least, you:
- Remind the sender not to forward credit card data via email and explain the dangers of using email to send credit card information.
- Do not quote the original email in your reply. Never respond to customers with their initial message included (without deleting or masking their credit card number and CVC code), because doing so spreads the data further and makes the problem worse.
- Delete the email containing the credit card information from your inbox, sent folder, drafts folder, and any other folders you may have created. Once this is done, empty your email trash, empty your web browser’s cache (temporary browser files), and empty your computer’s recycle bin or trash.
- Consult your IT department about the most secure manner to delete emails that arrive this way, and make sure everyone in your company is aware of the situation.
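The steps above depend on staff recognising a card number before it is quoted, forwarded, or left in a folder. The following is an added example, not code from the original article or from any vendor it mentions: a small outbound-mail check that finds Luhn-valid primary account numbers in message text, masks all but the last four digits (PCI DSS allows at most the first six and last four to be displayed), and redacts labelled CVC/CVV values. The regular expressions, the 13-19 digit length window, and the sample message are constructed for this example; the card number used is the well-known 4111 1111 1111 1111 test number.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
# Constructed for this example; tune the pattern to the card brands you accept.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# A labelled security code such as "CVC 123" or "cvv: 1234" (constructed pattern).
CVC_LABELLED = re.compile(r"\b(cvc|cvv|cvv2|csc)\b\s*[:#]?\s*\d{3,4}\b", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits_only(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> list:
    """Return the Luhn-valid card numbers (digits only) found in text.

    The Luhn filter removes most order numbers and other long digit runs,
    which would otherwise be false positives.
    """
    found = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = _digits_only(match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pans(text: str) -> str:
    """Replace each Luhn-valid PAN with asterisks plus its last four digits."""
    def _mask(match):
        digits = _digits_only(match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return "*" * (len(digits) - 4) + digits[-4:]
        return match.group(0)   # not a card number: leave untouched
    return PAN_CANDIDATE.sub(_mask, text)


def redact_cardholder_data(text: str) -> str:
    """Mask PANs and remove labelled security codes before a message is sent or quoted."""
    masked = mask_pans(text)
    return CVC_LABELLED.sub(r"\1 [redacted]", masked)


if __name__ == "__main__":
    # Constructed sample message containing a test card number and a CVC.
    sample = "Card 4111 1111 1111 1111, order 1234567890123456, CVC 123"
    print(find_pans(sample))
    print(redact_cardholder_data(sample))
```

The check is deliberately conservative: only digit runs that pass Luhn are masked, so legitimate reference numbers in the same message survive, while anything that validates as a card number is never allowed to leave in the clear. The same function can be run over a quoted reply before it is sent, or over a mailbox export when cleaning up after an incident.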
How do you secure email and meet PCI requirements?
Some of the solutions that can work to meet PCI requirements via email communications include:
Use End-to-End Email Encryption
Many believe email communications are inherently private and secure, but they are not. To ensure privacy and security, companies can use end-to-end encryption, which would mean that only the recipient can decrypt the message. Full end-to-end encryption would also mean that mail servers along the delivery path are prevented from intercepting or reading the email content.
This is a more robust and more challenging-to-implement option than the standard encryption offered by free email services like Gmail. Free email service providers only encrypt messages during transit from your computer to the SMTP servers. As it proceeds to the recipient, the message is readable.
End-to-end encryption, by contrast, ensures that the message cannot be read by anyone who does not hold the recipient's private key. This requires both sender and recipient to have agreed on an encryption method, to have exchanged public keys, and to be technically savvy enough to operate in a non-standard encryption environment; suffice it to say, this is a heavy burden for the average consumer.
Train Employees on Best Practices
In addition to the security measures and technologies your organization implements, train employees to maintain compliance. Even when using an end-to-end encrypted email service, a mishandled encryption key could open the door for a cybercriminal to access the email messages.
Therefore it is paramount to train employees on how to safeguard encryption keys for the safety of the entire organization. Also, educate employees on the techniques used by cybercriminals to access data to help them become more aware of how their own practices could cause data to be compromised.
Focus on Averting Phishing Attacks
Cybercriminals understand that the weakest link in a secure system is humans and use this weakness to gain critical access. While larger organizations can invest in phishing prevention technologies, smaller organizations may opt to focus on employee education. If budget allows, the best option is to combine prevention technologies and user education. Organizations can begin by educating users on how phishing is carried out, how to identify phishing attacks, and how to handle phishing emails.
Formulate a guideline to help users identify phishing emails. A few common traits of phishing emails are:
- Spelling and grammatical errors, especially in the sender’s information.
- Requests for personal information, payment details, or login credentials.
- Urgent demands with an unfamiliar tone.
- Offers that seem too good to be true.
Partner with Technology Providers that Support Security
If email communication is essential, consider working with a third-party provider to help you secure information.
One option is to send a link with the private information instead of including the readable information in the body of the email. Using a free tool like sendsecure.ly lets you send private information via a one-time-use, secure link with an expiration date. By adding this extra layer, if an attacker accesses the email contents after you’ve used the link, the secret information will no longer be available.
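To make the one-time, expiring link pattern concrete, here is an added example that is not code from the original article and not the implementation of sendsecure.ly or any other service: an in-memory store that hands out an unguessable token, keeps only a hash of that token, and returns the secret exactly once before the expiry time. The class name, the `example.invalid` base URL, the injectable clock, and the sample secret are all constructed for this example.

```python
import hashlib
import secrets
import time


class OneTimeSecretStore:
    """Hold a secret until it is claimed once via an unguessable link, or expires.

    Hypothetical stand-in for a hosted secure-link service. Only a SHA-256 hash
    of each token is stored, so a copy of the store does not yield usable links.
    """

    def __init__(self, ttl_seconds: int = 600, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock            # injectable so tests can control time
        self._entries = {}             # token_hash -> (secret, expires_at)

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def create(self, secret: str) -> str:
        """Store the secret and return the token that must appear in the link."""
        token = secrets.token_urlsafe(32)     # 256 bits from the OS CSPRNG
        self._entries[self._hash(token)] = (secret, self._clock() + self._ttl)
        return token

    def link_for(self, token: str, base_url: str = "https://example.invalid/s/") -> str:
        """Build the URL to send; the secret itself never goes into the email."""
        return base_url + token

    def claim(self, token: str) -> "str | None":
        """Return the secret once. None if unknown, already claimed, or expired."""
        # pop() removes the entry whether or not it is still valid, so a second
        # visit to the same link (for example by an attacker reading the mailbox
        # later) finds nothing.
        entry = self._entries.pop(self._hash(token), None)
        if entry is None:
            return None
        secret, expires_at = entry
        if self._clock() > expires_at:
            return None
        return secret

    def purge_expired(self) -> int:
        """Drop unclaimed entries past their expiry; returns how many were removed."""
        now = self._clock()
        stale = [k for k, (_, exp) in self._entries.items() if now > exp]
        for k in stale:
            del self._entries[k]
        return len(stale)


def compose_notification(link: str) -> str:
    """Email body that carries the link only, never the protected content."""
    return (
        "A secure message is waiting for you. Open the link below to view it.\n"
        "The link works once and expires shortly.\n\n" + link
    )


if __name__ == "__main__":
    store = OneTimeSecretStore(ttl_seconds=300)
    token = store.create("constructed sample secret")
    print(compose_notification(store.link_for(token)))
    print(store.claim(token))   # returns the secret
    print(store.claim(token))   # None: the link has been used
```

Two properties carry the security argument in the text: the email body holds only the link, so nothing in the sent folder, caches, or intermediate servers contains the secret; and the entry is deleted on the first claim or at expiry, so a mailbox read after the fact yields a dead link. A production version would persist the hashed entries, rate-limit claims, and log each claim for incident response.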
Is Email Encryption Enough?
You can use email encryption to protect email data, but it doesn’t guarantee the data will not be compromised at some point in transmission. If not fully protected or tokenized, the raw data from your customers could be compromised.
The best option is to avoid using email for sensitive information, as the complications and risks are likely to outweigh the potential benefits.
To maintain PCI compliance in your organization, you are required to provide a compliant solution. While end users care about data protection, many will not accept it if it comes at the expense of functionality. This means your organization may struggle to enforce the use of encrypted email, leading to compliance violations.