PCI Compliance (Transmitted Data Protection)

Hi! I'm working myself through the SAQ-D questionnaire. One of the questions in the "Transmitted Data Protection" section is as follows:

Are policies, procedures, and practices in place to preclude the sending of unencrypted PANs by end-user messaging technologies (for example, e-mail, instant messaging, chat)?

My question to that is, how do you prevent a customer from e-mailing a credit card number or texting it via Skype, for example?

You can warn them against it, you can have a message on your website saying that it's prohibited or whatever, but how can you actually prevent it? With email, I suppose you can create a filter on the server side that deletes credit card numbers, but with e-mail there are usually multiple servers involved in a communication transaction, some of which you wouldn't have any control over. Also, creating a filter seems like a fairly complex thing to do if you need to consider all the different card types and numbers, formats and sequences.

Just wondering if anyone has any idea about this.

Asked by Julian Matz (Joint Chairperson):
Dave Baldwin (Fixer of Problems) commented:
I just downloaded a copy of "pci_saq_d_v2.doc" which appears to be the latest version and I can't find that question in there.  ??

In any case, it's not a matter of preventing the customer from doing that.  You have to make sure that is not part of your system.  Any email that contains sensitive information should be encrypted.
My thought is that the PCI standard is targeted at your company's and employee's processes and that your customer service team or any other employee should not be able to see unencrypted PANs or send them based on your policies.

If you have software developers working on your billing system, they will occasionally have to "fix" accounts or have a reason to de-crypt the entire PAN for a specific customer.  However, their process should be that they don't have the unencrypted PAN unless they absolutely need it, and that they are forbidden from sending it anywhere, even internally.

If a customer sends you their PAN by email, you should have a policy to use it as the customer asks/requests, but to purge it or cleanse it (put XXXX-XXXX-XXXX-XXXX in the email) from your records including email backups.  Your customer service processes should not ask for PANs over email/SMS/IM though.

Let me know if you have more specific questions about this issue, or you can ask a new question about other SAQ items if you need.  I just went through the questionnaire in the past two weeks for our compliance.
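A server-side filter of the kind the question considers, added here as an example (not code from anyone in this thread): it finds card-number candidates written with spaces, dashes or no separators, rejects false positives with the Luhn check, and masks true hits as XXXX-XXXX-XXXX-XXXX, the cleansing the answer above suggests. The regex, the constructed sample message and the function names are my own assumptions; a real deployment would call `mask_pans` from the mail gateway's content filter or ticketing import.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run. Constructed pattern for this example.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample message: one card-shaped number (a widely published test PAN),
# one 16-digit order reference that is not a card number, and a phone number.
SAMPLE_EMAIL = ("Hi, my card is 4111 1111 1111 1111, order ref 1234 5678 9012 3456. "
                "Call 555-123-4567.")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit, counting from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _is_pan(candidate: str) -> bool:
    """Strip separators and keep only candidates that pass Luhn."""
    return luhn_valid(re.sub(r"[ -]", "", candidate))


def find_pans(text: str) -> list[str]:
    """Return the substrings of *text* that look like a PAN and pass Luhn."""
    return [m.group(0) for m in _PAN_CANDIDATE.finditer(text) if _is_pan(m.group(0))]


def mask_pans(text: str) -> str:
    """Replace each detected PAN with XXXX-XXXX-XXXX-XXXX; leave other digit runs alone."""
    return _PAN_CANDIDATE.sub(
        lambda m: "XXXX-XXXX-XXXX-XXXX" if _is_pan(m.group(0)) else m.group(0), text)


if __name__ == "__main__":
    print("found:", find_pans(SAMPLE_EMAIL))
    print("masked:", mask_pans(SAMPLE_EMAIL))
```

It only sees mail that passes through a server you run, which is the limitation the question raises, and the Luhn check rejects most random digit runs but is not proof that a hit is a card, so treat matches as items for review and cleansing rather than as certainties.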
Julian Matz (Joint Chairperson), author, commented:
Okay, that would make more sense. DaveBaldwin, the SAQ that I'm filling out is an online form in Flash. It was the one I was presented with by Trustwave's TrustKeeper service, I'm not sure what version it is. My merchant bank did send me out a paper one, but it's the SAQ-B form, which is obviously no good to me.