Email & PCI Compliance: How to Avoid Costly Violations
If your business sends or receives credit card info over email, does your email need to be PCI compliant? We’ve dug through the PCI requirements to answer that question.
Can email be PCI compliant? Yes, email can be PCI compliant if the email is encrypted. However, most email is neither encrypted nor otherwise protected, which makes sending or storing credit card information via email noncompliant.
What Is PCI Compliance and What Does That Mean for Email?
PCI is a compliance framework for payment processors, retailers, merchants or any organization accepting credit or debit cards for payment. There are 12 requirements in the PCI framework:
- Utilize firewalls to protect cardholder data
- Use unique configurations and passwords for security systems
- Protect cardholder data
- Encrypt data transmissions over public networks
- Use updated anti-malware software
- Develop and maintain secure systems and applications
- Restrict access to private data
- Assign a unique ID to each user accessing your systems
- Restrict physical access to cardholder data
- Track and monitor user access to network resources
- Perform regular testing on security systems
- Maintain a policy for information security and personnel
These requirements apply to any and all systems, departments and technologies through which personal financial information passes. This includes any system that has credit card numbers, PINs, customer names and addresses, or magnetic stripe/EMV chip data.
Are Emailed Credit Card Numbers in the Scope of PCI Compliance?
Per PCI requirements, credit card information should not be captured, transmitted or stored via unprotected servers and electronic mail. This is because these systems and protocols traditionally store and transmit information as clear text, i.e., unencrypted data that can be read by anyone, including unauthorized employees, hackers, cybercriminals, and identity thieves.
Furthermore, even with encrypted data, you have no guarantees that the person you share credit card data with is encrypting the data or keeping those messages private. Sharing any sensitive data via email therefore creates significant risk.
Why Maintain PCI Compliance?
Simply put, PCI compliance is a necessary part of accepting credit card payments from customers. PCI isn’t mandated or enforced by the government (unlike frameworks in industries such as manufacturing, defense or healthcare, which are). Instead, it is defined by credit card processors like Visa, Mastercard and American Express. Furthermore, most contracts in which you or a vendor agree to process payments will include stipulations for PCI compliance.
Maintaining PCI compliance is important for a few basic reasons:
- Avoidance of penalties associated with noncompliance, including fines from credit card processors up to $100,000 per month.
- Mitigation of chargebacks and cases of fraud due to lax security.
- Upkeep of your merchant account (necessary to process payments) through upholding compliance and keeping a low chargeback or fraud ratio.
- Protecting the information of your customers, maintaining your brand and generally serving your market ethically and responsibly.
The need for PCI compliance stems from retailers sharing customer information insecurely, which has led to costly data breaches.
Difficulties Posed by PCI Noncompliance
Failure to comply with PCI can present significant difficulties to organizations. These difficulties can include hefty fines, reputational damage, and litigation. Additionally, organizations may have to invest more resources into systems and security personnel to ensure their systems are compliant with PCI standards, which can create significant financial costs in the form of training, hardware, and software upgrades.
Noncompliance can also create significant technical difficulties, as organizations may be unable to use certain hardware or software that isn’t compliant with PCI standards. As a result, organizations must constantly monitor how they share data regulated by PCI, as well as the data security practices and hardware/software solutions in place to protect it, to ensure they remain compliant or else face the serious issues associated with noncompliance.
What Are the PCI Compliance Levels and How Are They Determined?
The Payment Card Industry (PCI) Data Security Standard (DSS) has four levels of compliance determined by the number of annual credit card transactions a company processes.
- Level 1 – over 6 million transactions per year
- Level 2 – 1 million to 6 million transactions per year
- Level 3 – 20,000 to 1 million transactions per year
- Level 4 – less than 20,000 transactions per year
Organizations that process, store, or transmit credit card data must comply with the requirements specified for their level. The more transactions an organization processes, the more stringent the requirements. For example, a Level 1 organization must undergo an annual on-site audit by a qualified security assessor, while a Level 4 organization may be able to self-assess.
Top Five PCI Compliance Breach Types
Organizations that violate PCI DSS typically do so for the following reasons:
- Failure to Implement Required Security Updates: This includes not installing security patches and updates on systems in accordance with PCI standards, which can lead to vulnerabilities that attackers can exploit.
- Weak Passwords: Using weak passwords or reusing passwords across multiple accounts can create a vulnerability in your system if an attacker were to gain access to one of the accounts.
- Unsecured Wi-Fi Networks: Wireless networks are not as secure as hardwired systems and can be easily breached if not properly secured.
- Insufficient Access Controls: Failing to implement and/or maintain controls to limit access to confidential data can lead to data theft or other malicious activities.
- Not Monitoring for Security Events: Failing to set up or maintain a system for monitoring and responding to security events can allow attackers to find and exploit vulnerabilities unnoticed. This can include not logging certain activities, such as system logins and configuration changes, which are useful for detecting compromised accounts.
How Can I Use Email in a PCI-compliant Way?
If you can’t use standard email to achieve PCI compliance, how do you conduct business effectively?
You can actually adopt technologies that stay PCI compliant while leveraging traditional Internet technologies. Your goal is to create a Secure Cardholder Data Environment (CDE) where customer data is not compromised. This is accomplished with both compliant internal practices and careful partnerships with technology providers. These practices include:
- Do not mail credit card information. Self-explanatory, but it bears repeating that you should never include customer financial or payment information in a letter, including an invoice with extensive customer information.
- Use secure messaging through electronic mail as necessary, especially when customer data or payment information is involved. This includes sending secure links that bring users to compliant servers that leverage encryption and user access controls.
- Adopt technologies that support enterprise functionality. While you won’t be mailing customer data, you will need to transmit it for a variety of purposes. Using a secure managed file transfer (MFT) platform for PCI-compliant file sharing, information governance and data management can support compliance with several PCI requirements.
- Partner with technology providers that support security. If you work with a cloud or SaaS vendor, ensure they include or support key security features like PCI-compliant SFTP (with the latest encryption), SIEM services, multi-factor authentication, firewall and anti-malware software.
- Train your employees. This includes periodic training, and documentation of that training, on how to use new and existing technologies and platforms in a secure manner that will comply with PCI requirements.
- Leverage technologies with immutable audit trails. Logging and audits are critical for PCI compliance, so use platforms that provide unbroken chains of evidence for all security and data access events.
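The check a practitioner would want behind both the earlier point that card numbers in clear-text email are out of compliance and the first practice above (never mail card data) is an outbound scan that holds such messages before they leave the organization. The following Python example is added here and is not Kiteworks code or part of the original article; it finds Luhn-valid 13 to 19 digit card numbers in a message's subject and text parts, and the sample message, addresses and test card number are constructed.

```python
import re
from email import message_from_string

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, folding >9 to one digit
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list:
    """Return masked card numbers in text: regex candidates filtered by the Luhn check."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            # Log only the last four digits so the finding itself does not store a PAN.
            found.append("*" * (len(digits) - 4) + digits[-4:])
    return found

def scan_message(raw: str) -> dict:
    """Parse a raw RFC 5322 message and scan its subject and every text part."""
    msg = message_from_string(raw)
    texts = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_type().startswith("text/"):
            charset = part.get_content_charset() or "utf-8"
            texts.append(part.get_payload(decode=True).decode(charset, "replace"))
    hits = [pan for t in texts for pan in find_pans(t)]
    # A single Luhn-valid PAN is enough to hold the message for review instead of sending it.
    return {"block": bool(hits), "pans": hits}

# Constructed sample message (not a real customer or card): the card number is a
# well-known test PAN that passes Luhn; the order reference is 16 digits but fails Luhn.
SAMPLE_EMAIL = """\
From: billing@example.test
To: ap@example.test
Subject: Invoice 1234567890123456
Content-Type: text/plain; charset=utf-8

Please charge card 4111 1111 1111 1111, exp 12/29.
Reference order 1234567890123456.
"""
if __name__ == "__main__":
    print(scan_message(SAMPLE_EMAIL))  # {'block': True, 'pans': ['************1111']}
```

In a real deployment this runs inside a mail gateway or DLP policy, and a blocked message should be routed to a secure-link channel rather than released.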
Protect Credit Card Data and Achieve PCI Compliance With the Kiteworks Platform
With stringent controls required to transmit credit card data via email, it’s critical that you are using secure tools to do so. The Kiteworks platform provides PCI-compliant servers that protect customer data for file transfers and email. That’s because the Kiteworks platform contains critical capabilities including:
- Secure Email: Send secure links that direct recipients to an encrypted server to read messages and download files. Sensitive credit card data stays secure and PCI compliant without sacrificing functionality.
- Compliant Servers: Our cloud and on-prem servers are 100% PCI compliant, using the proper controls for user access, encryption and more that meet the 12 requirements of the PCI framework. This includes AES-256 encryption for data at rest and TLS 1.2 or higher for data in-transit.
- Enterprise Data Visibility: Our CISO Dashboard provides the visibility and reporting needed to track every file that enters or leaves your organization, including who sent and received it and what channel was used (email, MFT, SFTP, etc.), to demonstrate compliance with PCI and other data privacy regulations like GDPR, HIPAA and CCPA.
Learn more about how the Kiteworks platform can secure your email by scheduling a custom demo of Kiteworks today.