What To Know About PCI DSS Compliance And Email

On August 14, 2020
6min read
Jordan MacAvoy VP of Marketing @ Reciprocity Labs

Emails are accessible to anyone with an internet connection, thus seem like a viable option for sending information. However, when it comes to sensitive information such as cardholder data, you might want to rethink your messaging options.

Although emails seem secure, they have four points of vulnerability- your computer or mobile device, the outgoing email server, the recipient’s MTA server, and the recipient’s computer. Cybercriminals can exploit the vulnerabilities in any of these points to gain access to your data. You could opt to use a secure connection to send your data; however, if your computer or recipient’s computer is infected with a virus, then your connection isn’t secure.

Are Email Communications Secure?

Email messaging is the go-to communication option for organizations as it’s fast and convenient. Most companies use email messaging to communicate with their employees, other companies, and even their customers. While it’s a convenient option, its security is questionable, especially when sending confidential information such as cardholder data, business secrets, contract papers, etc.

As mentioned earlier, email messages typically pass through several servers before reaching the recipient. The messages in these emails are readable during transit if they travel unprotected. A third party, such as a hacker, can read the messages as they travel from you to your recipient.

According to the PCI requirements, companies are required to protect cardholder data even during transit. However, sending sensitive information such as cardholder data using your standard email means that the data is vulnerable.

Requirement 4.1 dictates that you shouldn’t transmit unencrypted credit card data over open, public networks. Requirement 4.2 also states that you shouldn’t transmit unencrypted PANS via messaging technologies such as email.

Why Sending Unencrypted Data Via Email Is Risky

Sending messages via email typically leaves a trail in your sent folders, browser caches, and several servers before reaching its final destination. If these messages are sent via public networks, cybercriminals can easily intercept the messages and view the contents. This becomes an issue when you’re sending payment card data as you risk data breaches during transit.

If any of the systems or servers are compromised, the payment card information becomes vulnerable to hackers. This is why the PCI standards require that email messages of cardholder data be encrypted.

You will also be required by the PCI Security Standards Council to detail the measures you’ve put in place to ensure that cardholder data is protected during transit. Email communication of cardholder data is considered as part of the Cardholder Data Environment. According to the PCI requirements, your CDE must be protected. Keep in mind that adding email communication to the already complicated PCI scope will further complicate it.

How To Secure Data During Email Communication

Trust plays a big role in transactions, and your customers will not trust you if your business is not PCI compliant. Your customers will provide you with confidential information and expect that you will handle it appropriately. To ensure that the data is handled appropriately, you need to use email encryption instead of the traditional mail.

There are few options which include enterprise email encryption platforms and webmail services for email encryption. Every company or organization that deals with cardholder data should consider investing in email encryption as a basic requirement. There are tons of companies that have suffered dearly due to email leaks, which resulted in the loss of income, reputation, fines, etc. Countries in Europe are embracing email encryption to comply with GDPR such that Denmark has implemented a rule that mandates the use or email encryption for sensitive data. You might want to implement the same in your business to comply with PCI DSS requirements.

Why Should Your Organization Comply With PCI Requirements?

Since there is no law dictating that your organization has to comply with the PCI requirements, it’s easy to think that you can avoid compliance. It’s possible that you can avoid compliance, especially when dealing with messaging platforms. However, keep in mind that there are consequences to non-compliance, and they include:

  • Suspension of Merchant Accounts: The PCI Security Standards Council comprises card companies such as Visa, Mastercard, American Express, JCB, Discover, etc. These card companies can decide to revoke your ability to transact or accept credit card payments. The decision is often influenced by your PCI compliance; therefore, non-compliance might result in the revocation of your privileges.
  • Litigation: If your organization experiences a data breach that results in loss of sensitive data such as cardholder data, your clients and partners can opt to take legal measures against your organization.
  • Fines: Credit card companies and banks will not hesitate to impose fines on your business due to security breaches resulting from non-compliance.
  • Loss of reputation and revenue: Customers provide you with sensitive information hoping that you have security measures in place to protect their data. However, if your business experiences a data breach that exposes customer data, they’ll not hesitate to leave. Once customers lose confidence in your ability to protect their data, they’ll opt to switch to another company that values their business. This typically results in loss of reputation and, ultimately, a decline in revenue as well as profit.

How Do You Meet PCI Requirements?

The first step to meeting the set requirements is to understand the twelve PCI requirements and how they relate to your business. In this case, the subject in question is email communication of sensitive data. Some of the solutions that can work include:

1.  End-to-end encryption

Email communications are widely considered private and secure, which they are not. To ensure privacy and security, companies can use end-to-end encryption, which would mean that only the recipient can decrypt the message. Full end-to-end encryption would also mean that even service providers cannot read the messages to sort them into folders. This is a better option compared to the standard encryption offered by email services such as Hotmail and Gmail. The message is only encrypted during transit from your computer to the SMTP servers. As it proceeds to the recipient, the message is readable. However, end-to-end encryption ensures that the message is uncrackable unless you have the private encryption key.

2.  Educate and train your employees

In addition to the security measures and technologies that you implement, you also need to train your employees to maintain compliance. Even when using an end-to-end encrypted email service, you need an encryption key that is provided to the user’s account. If your employee mishandles this encryption key, a cybercriminal can use the key to sift through your emails. This is why you need to train your employees on how to safeguard their encryption keys. Also, educate your employees on the techniques used by cybercriminals to siphon data or install malware.

3.  Phishing prevention

Cybercriminals understand that small businesses hold valuable information and have struggling IT departments due to their limited budgets. They opt to use the weakest link (humans) in a secure system to gain critical access. Big companies can invest in phishing prevention technologies, but smaller businesses can opt to focus on more cost-effective strategies such as employee education. However, a better option is to combine prevention technologies and user education. You can start by educating users on phishing, how it’s carried out, how to prevent phishing, how to identify phishing, and how to handle phishing emails.

Formulate a guideline to help users identify phishing emails. For example, if you notice spelling or grammatical error, or unsolicited messages asking for personal information, these are red flags. This is because an established brand would invest in professional copywriters, and they never request sensitive information such as cardholder data via email. However, keep in mind that cybercriminals are continually changing their phishing techniques; thus, your business should also adapt to these changes.

Test Your Email Now

Wrapping It Up

You can opt to use email encryption to protect the data, but the encryption might complicate messaging or could be compromised. Even when using encrypted emails, you still have the raw data in your system or servers, which can be compromised. Another issue is that your recipient might not have a secure connection, which can be exploited to access the data. Your best option is to avoid using email communication for sensitive information, as you’ll only complicate your PCI compliance.

If you have no option but to use email for sensitive information, ensure that your solution complements the existing email. Ideally, you want a solution that doesn’t compromise functionality to encourage adoption by your end-users. The solution that you choose should not only be PCI compliant but also integrate seamlessly with the existing platforms. It should also enable secure communication from any device, including Windows, iPhone, Android, iOS, BlackBerry, etc.

To maintain compliance, all parties must play their role as expected. As the business, you are required to provide a compliant solution. This solution should be flexible and easy to use. If not, users will get frustrated easily and opt not to use the encrypted emails instead use other means that aren’t encrypted. End-users care about data protection but not if it comes at the expense of functionality. This means that your business will have trouble enforcing the use of encrypted emails, which will lead to compliance violations. 

Article by Jordan MacAvoy VP of Marketing @ Reciprocity Labs

Jordan MacAvoy is the Vice President of Marketing at Reciprocity Labs and manages the company’s go-to-market strategy and execution. Prior to joining Reciprocity, Mr. MacAvoy served in executive roles at Fundbox, a Forbes Next Billion Dollar Company, and Intuit, via their acquisition of the SaaS marketing and communications solution, Demandforce.