PCI Compliance (Transmitted Data Protection)
Posted on 2011-10-11
Hi! I'm working myself through the SAQ-D questionnaire. One of the questions in the "Transmitted Data Protection" section is as follows:
Are policies, procedures, and practices in place to preclude the sending of unencrypted PANs by end-user messaging technologies (for example, e-mail, instant messaging, chat)?
My question to that is, how do you prevent a customer from e-mailing a credit card number or texting it via Skype, for example?
You can warn them against it, you can have a message on your website saying that it's prohibited or whatever, but how can you actually prevent it? With email, I suppose you can create a filter on the server side that deletes credit card numbers, but it with e-mail, there are usually multiple servers involved in a communication transactions, some of which you wouldn't have any control over. Also, creating a filter seems like a fairly complex thing to do if you need to consider all the different card types and numbers, formats and sequences?
Just wondering has anyone any idea about this.