Email & PCI Compliance: How to Avoid Costly Violations
If your business sends or receives credit card info over email, does your email need to be PCI compliant? We’ve dug through the PCI requirements to answer that question.
Can email be PCI compliant? Yes, email can be PCI compliant if the email is encrypted. However, most email is not encrypted or protected which then makes sending or storing credit card information via email non-compliant.
What is PCI Compliance and What Does that Mean for Email?
PCI is a compliance framework for payment processors, retailers, merchants or any organization accepting credit or debit cards for payment. There are 12 requirements in the PCI framework:
- Utilize firewalls to protect cardholder data
- Use unique configurations and passwords for security systems
- Protect cardholder data
- Encrypt data transmissions over public networks
- Use updated anti-malware software
- Develop and maintain secure systems and applications
- Restrict access to private data
- Assign a unique ID to each user accessing your systems
- Restrict physical access to cardholder data
- Track and monitor user access to network resources
- Perform regular testing on security systems
- Maintain a policy for information security and personnel
These requirements apply to any and all systems, departments and technologies through which personal financial information passes. This includes any system that has credit card numbers, PINs, customer names and addresses, or magnetic stripe/EMV chip data.
Per PCI requirements, credit card information should not be captured, transmitted or stored via unprotected servers and electronic mail. This is because these systems and protocols traditionally store and transmit information as clear text, i.e., unencrypted data that can be read by anyone, including unauthorized employees, hackers, cybercriminals, and identity thieves.
Furthermore, even with encrypted data, you have no guarantees that the person you share credit card data with is encrypting the data or keeping those messages private. Sharing any sensitive data via email therefore creates significant risk.
Why Maintain PCI Compliance?
Simply put, PCI compliance is a necessary part of accepting credit card payments from customers. PCI isn’t mandated or enforced by the government (as is the case for frameworks in industries like manufacturing, defense or healthcare). Instead, it is defined by credit card processors like Visa, Mastercard and American Express. Furthermore, most contracts in which you or a vendor agree to process payments will include stipulations for PCI compliance.
Maintaining PCI compliance is important for a few basic reasons:
- Avoidance of penalties associated with non-compliance, including fines from credit card processors up to $100,000 per month.
- Mitigation of chargebacks and cases of fraud due to lax security.
- Upkeep of your merchant account (necessary to process payments) through upholding compliance and keeping a low chargeback or fraud ratio.
- Protecting the information of your customers, maintaining your brand and generally serving your market ethically and responsibly.
The need for PCI compliance stems from retailers sharing customer information unsecurely, which has led to costly data breaches.
How Can I Use Email in a PCI-Compliant Way?
If you can’t use standard email to achieve PCI-compliance, how do you conduct business effectively?
You can actually adopt technologies that stay PCI compliant while leveraging traditional Internet technologies. Your goal is to create a Secure Cardholder Data Environment (CDE) where customer data is not compromised. This is accomplished with both compliant internal practices and careful partnerships with technology providers. These practices include:
- Do not mail credit card information. Self-explanatory but it bears repeating that you should never include customer financial or payment information in a letter, including an invoice with extensive customer information.
- Use secure messaging through electronic mail as necessary, especially when customer data or payment information is involved. This includes sending secure links that bring users to compliant servers that leverage encryption and user access controls.
- Adopt technologies that support enterprise functionality. While you won’t be mailing customer data, you will need to transmit it for a variety of purposes. Using a secure managed file transfer (MFT) platform for PCI-compliant file sharing, information governance and data management can support compliance with several PCI requirements.
- Partner with technology providers that support security. If you work with a cloud or SaaS vendor, ensure they include or support key security features like PCI-compliant SFTP (with the latest encryption), SIEM services, multi-factor authentication, firewall and anti-malware software.
- Train your employees. This includes periodic training, and documentation of that training, on how to use new and existing technologies and platforms in a secure manner that will comply with PCI requirements.
- Leverage technologies with immutable audit trails. Logging and audits are critical for PCI compliance, so use platforms that provide unbroken chains of evidence for all security and data access events.
Protect Credit Card Data and Achieve PCI Compliance With the Accellion Kiteworks Platform
With stringent controls required to transmit credit card data via email, it’s critical that you are using secure tools to do so. The Accellion Kiteworks content firewall platform provides PCI-compliant servers that protect customer data for file transfers and email. That’s because the Kiteworks platform contains critical capabilities including:
- Secure Email: send secure links that direct recipients to an encrypted server to read messages and download files. Sensitive credit card data stays secure and PCI compliant without sacrificing functionality.
- Compliant Servers: Our cloud and on-prem servers are 100% PCI compliant, using the proper controls for user access, encryption and more that meet the 12 requirements of the PCI framework. This includes AES-256 encryption for data at rest and TLS 1.2 or higher for data in-transit.
- Enterprise Data Visibility: Our CISO Dashboard provides the visibility and reporting needed to track every file that enters or leaves your organization, including who sent it and received it and what channel was used (email, MFT, SFTP, etc.) to demonstrate compliance with PCI and other data privacy regulations like GDPR, HIPAA, CCPA, etc..
Learn more about Accellion secure email, download our ebook and discover 5 Best Practices For Ensuring Email Privacy.