Julian Matz

asked on

PCI Compliance (Transmitted Data Protection)

Hi! I'm working myself through the SAQ-D questionnaire. One of the questions in the "Transmitted Data Protection" section is as follows:

Are policies, procedures, and practices in place to preclude the sending of unencrypted PANs by end-user messaging technologies (for example, e-mail, instant messaging, chat)?

My question to that is, how do you prevent a customer from e-mailing a credit card number or texting it via Skype, for example?

You can warn them against it, you can have a message on your website saying that it's prohibited or whatever, but how can you actually prevent it? With e-mail, I suppose you can create a filter on the server side that deletes credit card numbers, but with e-mail there are usually multiple servers involved in a communication transaction, some of which you wouldn't have any control over. Also, creating a filter seems like a fairly complex thing to do if you need to consider all the different card types and numbers, formats and sequences?

Just wondering if anyone has any idea about this.

Thanks!
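The server-side filter the question mentions is usually built as a small DLP (data loss prevention) check rather than a plain "delete anything that looks like a number" rule. The example below is added here and is not from this thread, from Experts Exchange, or from any PCI council document; it shows the three pieces such a filter needs: a candidate regex that tolerates the spaces and hyphens people type between card groups, a Luhn checksum to throw out order numbers and tracking codes, and a brand prefix/length table to cut false positives further. The brand table and the function names (`find_pans`, `redact`, `mask`) are my own assumptions for illustration, and the messages scanned are constructed samples using published test card numbers, not real PANs. It goes slightly beyond the post by also masking matches to first six / last four digits instead of deleting the whole message.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens,
# not embedded in a longer digit run (lookarounds). Constructed for this example.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum; every real PAN passes it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def brand_of(digits: str):
    """Map a digit string to a card brand by prefix and length.
    Assumed, commonly published ranges only; a production filter would use a
    maintained BIN table."""
    n = len(digits)
    two = int(digits[:2])
    four = int(digits[:4])
    if digits[0] == "4" and n in (13, 16, 19):
        return "Visa"
    if (51 <= two <= 55 or 2221 <= four <= 2720) and n == 16:
        return "Mastercard"
    if two in (34, 37) and n == 15:
        return "American Express"
    if (digits.startswith("6011") or two == 65) and n in (16, 19):
        return "Discover"
    return None


def mask(digits: str) -> str:
    """Keep first six and last four digits (the portions PCI DSS allows to be displayed)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _validated(match_text: str):
    """Return (brand, digits) if the candidate is a plausible PAN, else None."""
    digits = re.sub(r"[ -]", "", match_text)
    if not luhn_ok(digits):
        return None
    brand = brand_of(digits)
    if brand is None:
        return None
    return brand, digits


def find_pans(text: str):
    """Scan a message body; return [(brand, masked_pan, (start, end)), ...]."""
    findings = []
    for m in CANDIDATE.finditer(text):
        hit = _validated(m.group(0))
        if hit:
            brand, digits = hit
            findings.append((brand, mask(digits), m.span()))
    return findings


def redact(text: str) -> str:
    """Replace every validated PAN with its masked form; leave other numbers alone."""
    def repl(m):
        hit = _validated(m.group(0))
        return mask(hit[1]) if hit else m.group(0)
    return CANDIDATE.sub(repl, text)


# Constructed sample messages (test card numbers, not real accounts).
SAMPLE_MESSAGES = [
    "Hi, please charge my card 4111 1111 1111 1111, exp 12/29. Thanks!",
    "Order ref 1234567890123456 shipped; tracking via phone +353 1 234 5678.",
    "Amex is 3782-822463-10005, let me know if it goes through.",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        hits = find_pans(msg)
        status = "QUARANTINE" if hits else "pass"
        print(f"[{status}] {redact(msg)}  {hits}")
```

In use, a filter like this sits on the mail server or helpdesk/chat ingest you do control and quarantines or redacts the message and alerts the team, rather than silently deleting it, so the sender can be steered to a proper payment channel. It addresses the card-type and format worry in the question, but not the other point raised there: it cannot see traffic on servers you don't operate, nor PANs inside attachments or screenshots, which is why the SAQ item asks for policy and procedure on top of technical controls.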
ASKER CERTIFIED SOLUTION
Dave Baldwin
SOLUTION
Julian Matz

ASKER

Okay, that would make more sense. DaveBaldwin, the SAQ that I'm filling out is an online form in Flash. It was the one I was presented with by Trustwave's TrustKeeper service, I'm not sure what version it is. My merchant bank did send me out a paper one, but it's the SAQ-B form, which is obviously no good to me.