PCI Compliance (Transmitted Data Protection)

Posted on 2011-10-11
Last Modified: 2012-05-12
Hi! I'm working myself through the SAQ-D questionnaire. One of the questions in the "Transmitted Data Protection" section is as follows:

Are policies, procedures, and practices in place to preclude the sending of unencrypted PANs by end-user messaging technologies (for example, e-mail, instant messaging, chat)?

My question to that is, how do you prevent a customer from e-mailing a credit card number or texting it via Skype, for example?

You can warn them against it, you can have a message on your website saying that it's prohibited or whatever, but how can you actually prevent it? With email, I suppose you can create a filter on the server side that deletes credit card numbers, but with e-mail, there are usually multiple servers involved in a communication transaction, some of which you wouldn't have any control over. Also, creating a filter seems like a fairly complex thing to do if you need to consider all the different card types and numbers, formats and sequences.

Just wondering if anyone has any idea about this.

Question by: Julian Matz
    LVL 82

    Accepted Solution

    I just downloaded a copy of "pci_saq_d_v2.doc" which appears to be the latest version and I can't find that question in there.  ??

    In any case, it's not a matter of preventing the customer from doing that.  You have to make sure that is not part of your system.  Any email that contains sensitive information should be encrypted.
    LVL 12

    Assisted Solution

    My thought is that the PCI standard is targeted at your company's and employees' processes and that your customer service team or any other employee should not be able to see unencrypted PANs or send them based on your policies.

    If you have software developers working on your billing system, they will occasionally have to "fix" accounts or have a reason to decrypt the entire PAN for a specific customer.  However, their process should be that they don't have the unencrypted PAN unless they absolutely need it, and that they are forbidden from sending it anywhere, even internally.

    If a customer sends you their PAN by email, you should have a policy to use it as the customer asks/requests, but to purge it or cleanse it (put XXXX-XXXX-XXXX-XXXX in the email) from your records including email backups.  Your customer service processes should not ask for PANs over email/SMS/IM though.

    Let me know if you have more specific questions about this issue, or you can ask a new question about other SAQ items if you need.  I just went through the questionnaire in the past two weeks for our compliance.
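The question above asks how a server-side filter could recognise card numbers across the different card types and formats, and the answer above suggests cleansing any PAN that does arrive by replacing it with XXXX-XXXX-XXXX-XXXX. The following is an added example, written for this page and not code posted by either participant, of how such a detection-and-redaction step can work: it finds runs of 13 to 19 digits (with optional spaces or dashes between groups, the formats customers actually type), keeps only the runs that pass the Luhn mod-10 check that every major card brand's PAN satisfies, and masks them. The regular expression, the function names and the sample e-mail are all constructed for the example; the Luhn algorithm itself is the real one.

```python
import re
from typing import List

# Constructed pattern: 13 to 19 digits, allowing a single space or dash
# between digits (covers "4111 1111 1111 1111" and "3782-822463-10005").
# The lookarounds stop us matching the middle of a longer digit string.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Full mask as suggested in the answer above. (PCI DSS permits at most the
# first six and last four digits to be displayed; showing none is safest.)
MASK = "XXXX-XXXX-XXXX-XXXX"


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: from the right, double every second digit,
    subtract 9 from doubled values above 9, and require a sum divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _is_pan(candidate: str) -> bool:
    """A candidate counts as a PAN only if its digits are a valid length and pass Luhn."""
    digits = re.sub(r"[ -]", "", candidate)
    return 13 <= len(digits) <= 19 and luhn_valid(digits)


def find_pans(text: str) -> List[str]:
    """Return the PAN-looking strings found in text, as they appeared."""
    return [m.group() for m in PAN_CANDIDATE.finditer(text) if _is_pan(m.group())]


def contains_pan(text: str) -> bool:
    """Gate for a mail filter: True if the message body carries an apparent PAN."""
    return bool(find_pans(text))


def mask_pans(text: str) -> str:
    """Replace every apparent PAN with the mask; leave other digit runs untouched."""
    return PAN_CANDIDATE.sub(lambda m: MASK if _is_pan(m.group()) else m.group(), text)


# Constructed sample message. 4111 1111 1111 1111 and 378282246310005 are
# well-known Luhn-valid test numbers; the order and phone numbers are noise
# the filter must leave alone.
SAMPLE_EMAIL = (
    "Hi, please charge my card 4111 1111 1111 1111, exp 12/14.\n"
    "My order number is 20111011 and my phone is 555-0100.\n"
    "Alt card: 3782-822463-10005\n"
)

if __name__ == "__main__":
    print("PANs found:", find_pans(SAMPLE_EMAIL))
    print(mask_pans(SAMPLE_EMAIL))
```

The Luhn check is what keeps the false-positive rate tolerable: a random 16-digit run (an invoice number, a tracking code) passes it only about one time in ten, so almost all non-card digit strings are left alone, while a genuine PAN is never missed by it. It is still a heuristic, not proof that a number is a live card, so a filter like this belongs in front of a mailbox or ticketing queue the merchant controls, as one control alongside the policy the answers describe, rather than as the only safeguard.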
    LVL 21

    Author Comment

    by: Julian Matz
    Okay, that would make more sense. DaveBaldwin, the SAQ that I'm filling out is an online form in Flash. It was the one I was presented with by Trustwave's TrustKeeper service, I'm not sure what version it is. My merchant bank did send me out a paper one, but it's the SAQ-B form, which is obviously no good to me.
