Are merchants allowed to request that cardholder data be provided over end-user messaging technologies?

PCI DSS does not prohibit the use of end-user messaging technologies (such as e-mail, SMS, chat, etc.) to request or receive cardholder data. However, if an end-user messaging technology is used to send or receive PAN, that channel must be protected in accordance with all applicable PCI DSS requirements, including but not limited to Requirement 4.1 (strong cryptography and security protocols for cardholder data transmitted over open, public networks) and Requirement 4.2 (never send unprotected PAN by end-user messaging technologies). In practice this means the PAN must be rendered unreadable (for example, encrypted with strong cryptography) before it is transmitted over such a channel. Additionally, the entity's systems supporting those end-user messaging technologies (e.g. e-mail servers) and any systems that store, process or transmit the received PAN would be in scope for PCI DSS.

For guidance on what to do if PAN is inadvertently received via an end-user messaging channel, refer to FAQ #1157 – What should a merchant do if cardholder data is accidentally received via an unintended channel?
November 2014
Article Number: 1310