PCI Requirement 4.2 – Never Send Unprotected PAN by End-User Technologies

by Randy Bartels / August 23rd, 2017

If there are situations within your organization when you need to send or receive emails that contain sensitive cardholder data such as Primary Account Numbers (PAN), that is acceptable as long as you’re in compliance with PCI Requirement 4.2. It states, “Never send unprotected PANs by end-user messaging technologies.” End-user messaging technologies include email, instant messaging, chat systems, SMS, etc.

The purpose of PCI Requirement 4.2 is to protect sensitive information from attackers hoping to intercept this data during delivery across internal and public networks. There’s nothing in the PCI DSS that prohibits you from sending PAN through email or messaging, but the PCI DSS does state that the information must be protected.

Even if the cardholder data is being sent somewhere internal, it is still required that the sensitive information be securely transmitted. Likewise, if you receive an unencrypted email containing cardholder data, you cannot re-transmit that information without protecting it. It’s best to have a policy that states you will not send cardholder data over end-user messaging technologies. But if you need to send PAN over end-user technologies as part of your business model, then the policy needs to state how the information is protected. The PCI DSS also states, “If an entity requests PAN via end-user messaging technologies, the entity should provide a tool or method to protect these PANs using strong cryptography or render PANs unreadable before transmission.”

Your assessor should be looking in all places where you transmit or could transmit cardholder data, like PANs, to observe the sending and receiving process. The assessor should also “examine a sample of outbound transmissions as they occur to verify that PAN is rendered unreadable or secured with strong cryptography whenever it is sent via end-user messaging technologies.” As always, the assessor needs to review policies and procedures to ensure that a policy regarding end-user technologies exists and that the policy is implemented.
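One way to put the “render PANs unreadable before transmission” rule and the assessor’s outbound-transmission check into practice is an outbound gate that detects Luhn-valid PAN candidates in message text and masks all but the last four digits before anything leaves the mailbox or chat client. The following is an added example, not code from the original post or from any PCI DSS tooling; the sample messages are constructed, the 4111… number is a well-known test PAN, and the 13–19 digit range and last-four masking are this example’s assumptions.

```python
import re
from typing import List

# Constructed sample outbound messages (no real card data; 4111 1111 1111 1111
# is a standard test PAN that passes the Luhn check).
SAMPLE_MESSAGES = [
    "Customer called; card on file is 4111 1111 1111 1111, please refund.",
    "Order #1234567890123 shipped, tracking 9400111899223",
    "No card data here.",
]

# 13 to 19 digits, optionally separated by spaces or hyphens, not embedded in a
# longer digit run (assumed PAN length range for this example).
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: filters out order numbers and tracking IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits_only(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> List[str]:
    """Return the Luhn-valid PANs (digits only) found in an outbound message."""
    return [
        _digits_only(m.group(0))
        for m in CANDIDATE_RE.finditer(text)
        if luhn_valid(_digits_only(m.group(0)))
    ]


def mask_pans(text: str) -> str:
    """Render each detected PAN unreadable, keeping only the last four digits."""
    def _mask(m: "re.Match[str]") -> str:
        digits = _digits_only(m.group(0))
        if luhn_valid(digits):
            return "*" * (len(digits) - 4) + digits[-4:]
        return m.group(0)       # not a PAN (fails Luhn): leave untouched
    return CANDIDATE_RE.sub(_mask, text)
```

Running `mask_pans` over each item of `SAMPLE_MESSAGES` masks only the first message; the order and tracking numbers in the second fail the Luhn check and pass through unchanged.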

There might be situations within your organization when you need to send or receive emails that contain cardholder data. There’s nothing in the PCI DSS that prohibits you from doing that, but there is a prohibition on sending that information unprotected. Even if you’re sending cardholder data internally within your own environment, it’s still required that any time you use an end-user messaging protocol, that information be transmitted securely. As part of that, your assessor, once again, should be looking for all places and all mediums where you’re transmitting this cardholder information. In call-center environments, we often see organizations receiving such emails. There’s nothing you can do about receiving an unencrypted email. However, if you’re going to re-transmit that email, it is required that you transmit it securely or that you encrypt that data prior to transmission.

Ideally, have a general policy that says you will not transmit cardholder information over end-user messaging protocols or solutions. However, if you do need to do that as part of your business model, it’s acceptable. You just need to make sure you’re using strong encryption when it’s transmitted.