BLOG HOME > Data Breaches > Sending Credit Card Info Over Email

Sending Credit Card Info Over Email

Gary Glover
VP Security Assessments

Have an Upcoming PCI Audit Deadline?

Request a Quote

Are emailed credit card numbers in scope for PCI compliance?

Note: This blog was updated on September 12, 2018.

The way you handle sending credit card info might just change your scope for PCI DSS compliance. We often get the question: if you receive primary account numbers (PAN) via email, is your email server in scope of PCI?

If so, then yes, your email server is in scope for PCI security requirements.

SEE ALSO: The 12 Requirements of PCI Compliance

PCI DSS Requirement 4.2 states that credit card information must not be captured, transmitted, or stored via end-user messaging technologies (like email). Here’s why: email leaves trails of unencrypted credit card numbers in inboxes, trashes, web browser caches, etc. As with any end-user technology, it’s extremely difficult to secure.

Get my free SecurityMetrics PCI Guide

Download Now

According to the PCI DSS, e-mail, instant messaging, SMS, and chat can be easily intercepted by “packet-sniffing” software or hardware during delivery across internal and public networks. Packet sniffing is a tactic similar to wiretapping a phone network and can be used by hackers to capture your Internet traffic.

Even if your email server is configured to provide strong encryption when you connect to read your email, you have no guarantee that the receiving end has the same level of encryption. Do not utilize these messaging tools to send PAN unless they are configured to provide strong entire message encryption (PGP, GPG, etc.). Even then, it’s probably just easier to find another way to transfer sensitive credit card data.

If you don’t want your email server to be in scope of your PCI compliance, there are a few things you can do.


If emailing credit card info is a normal business process:

  1. Understand your process must be changed. There is no way for you to be compliant if your normal process requires sending clear text credit cards via unencrypted email.
  1. Either decide to encrypt your email or initiate training for employees to forbid the sending or receiving of customer card data.
  1. Ensure your written policies state unencrypted PAN are never to be sent via email or other end-user technologies.

If one or two credit cards come through email by accident:

  1. Inform the customer (or sales person, etc.) to stop. Educate them about the dangers of using email to send credit card information. Make sure you don’t respond by including the original email.
  1. Talk to your IT department about the best way to delete this message securely. (It’s difficult to get rid of emails on many servers because they journal messages in case they need to be restored someday.)
  1. Be sure there is training for employees to know how to handle this situation.

If you have questions about PCI compliance and emailing credit card info, Data Security, or PCI Audits, contact us here

Gary Glover (CISSP, CISA, QSA, PA-QSA) is Senior Vice President of Security Assessment at SecurityMetrics with over 10 years of PCI audit experience and 25 years of Star Trek quoting skills. Live long and prosper as you read his other blog posts.

Join Thousands of Security Professionals and Subscribe