PCI Compliance (Transmitted Data Protection)

Posted on 2011-10-11
Medium Priority
Last Modified: 2012-05-12
Hi! I'm working myself through the SAQ-D questionnaire. One of the questions in the "Transmitted Data Protection" section is as follows:

Are policies, procedures, and practices in place to preclude the sending of unencrypted PANs by end-user messaging technologies (for example, e-mail, instant messaging, chat)?

My question to that is, how do you prevent a customer from e-mailing a credit card number or texting it via Skype, for example?

You can warn them against it, you can have a message on your website saying that it's prohibited or whatever, but how can you actually prevent it? With e-mail, I suppose you can create a filter on the server side that deletes credit card numbers, but with e-mail there are usually multiple servers involved in a communication transaction, some of which you wouldn't have any control over. Also, creating a filter seems like a fairly complex thing to do if you need to consider all the different card types and numbers, formats and sequences.

Just wondering if anyone has any idea about this.

Question by: Julian Matz
LVL 84

Accepted Solution

Dave Baldwin earned 1000 total points
ID: 36952832
I just downloaded a copy of "pci_saq_d_v2.doc" which appears to be the latest version and I can't find that question in there.  ??

In any case, it's not a matter of preventing the customer from doing that.  You have to make sure that is not part of your system.  Any email that contains sensitive information should be encrypted.
LVL 12

Assisted Solution

freshcontent earned 1000 total points
ID: 36963829
My thought is that the PCI standard is targeted at your company's and employees' processes and that your customer service team or any other employee should not be able to see unencrypted PANs or send them based on your policies.

If you have software developers working on your billing system, they will occasionally have to "fix" accounts or have a reason to decrypt the entire PAN for a specific customer.  However, their process should be that they don't have the unencrypted PAN unless they absolutely need it, and that they are forbidden from sending it anywhere, even internally.

If a customer sends you their PAN by email, you should have a policy to use it as the customer asks/requests, but to purge it or cleanse it (put XXXX-XXXX-XXXX-XXXX in the email) from your records including email backups.  Your customer service processes should not ask for PANs over email/SMS/IM though.

Let me know if you have more specific questions about this issue, or you can ask a new question about other SAQ items if you need.  I just went through the questionnaire in the past two weeks for our compliance.
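The question asks how a server-side filter could recognise card numbers across the different card formats, and the answer above suggests replacing any PAN that does arrive in a mailbox with XXXX-XXXX-XXXX-XXXX before the message is stored. The following is an added example, not code from either participant or from any PCI or Trustwave tool, showing the usual way such a filter works: find runs of 13 to 19 digits (optionally grouped by spaces or hyphens), keep only those that pass the Luhn check digit test that all major card brands use, and mask them. The sample e-mail text and card numbers are constructed test values.

```python
import re

# Candidate PAN: 13-19 digits, each digit optionally followed by one space or
# hyphen, not adjacent to further digits (so a 20-digit serial is not split).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample message (test card numbers, not real accounts).
SAMPLE_EMAIL = """Hi support,
Please charge 4111 1111 1111 1111 for order 20111011-0042.
My phone is 555-0123, the backup card is 5500-0000-0000-0004.
Thanks"""


def luhn_valid(digits: str) -> bool:
    """Luhn check: double every second digit from the right, sum, mod 10 == 0."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _is_pan(raw: str) -> bool:
    digits = re.sub(r"[ -]", "", raw)
    return 13 <= len(digits) <= 19 and luhn_valid(digits)


def find_pans(text: str):
    """Return (matched_text, digits) for every Luhn-valid candidate in text."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        raw = m.group(0)
        if _is_pan(raw):
            found.append((raw, re.sub(r"[ -]", "", raw)))
    return found


def mask_pans(text: str) -> str:
    """Replace each detected PAN with the fixed XXXX-XXXX-XXXX-XXXX marker.

    Non-PAN digit runs (order numbers, phone numbers, Luhn-invalid sequences)
    are left untouched.
    """
    def repl(m):
        raw = m.group(0)
        return "XXXX-XXXX-XXXX-XXXX" if _is_pan(raw) else raw
    return PAN_CANDIDATE.sub(repl, text)


if __name__ == "__main__":
    for raw, digits in find_pans(SAMPLE_EMAIL):
        print(f"PAN detected: {raw!r}")
    print(mask_pans(SAMPLE_EMAIL))
```

Run against the constructed message it reports the two card numbers and leaves the order number and phone number alone. The Luhn test only filters out typos and unrelated digit runs; a 16-digit value that happens to satisfy Luhn (some account or tracking numbers do) will still be masked, so in practice a filter like this is tuned with an allow-list for known non-card formats. It also only reduces what ends up stored in your mailbox and backups; it does nothing about copies held on the sender's side or on intermediate mail servers, which is why the answers above focus on policy and on never asking for a PAN over e-mail in the first place.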
LVL 21

Author Comment

by:Julian Matz
ID: 36982442
Okay, that would make more sense. DaveBaldwin, the SAQ that I'm filling out is an online form in Flash. It was the one I was presented with by Trustwave's TrustKeeper service, I'm not sure what version it is. My merchant bank did send me out a paper one, but it's the SAQ-B form, which is obviously no good to me.
