Frequently Asked Question
Can unencrypted PANs be sent over e-mail, instant messaging, SMS, or chat?
No. PCI DSS Requirement 4 prohibits the sending of unprotected primary account numbers (PANs) via end-user messaging technologies, whether sent internally or over public networks. E-mail, instant messaging, SMS, and chat are all considered end-user messaging technologies and thus required to meet PCI DSS Requirement 4. Per PCI DSS Requirement 4, strong cryptography and security protocols must be used when cardholder data is sent over open, public networks.
For guidance on what to do if PAN is inadvertently received via an end-user messaging channel, refer to FAQ #1157 - What should a merchant do if cardholder data is accidentally received via an unintended channel?
Note: The specific sub requirement number(s) and terminology may vary depending on the version of the standard being used.
Featured FAQ Articles
Most Recently Updated
Is the expectation that any PFI investigation initiated must result in a PFI Final Report?
Can SAQ eligibility criteria be used for determining applicability of PCI DSS requirements for assessments documented in a Report on Compliance?
Do PCI DSS requirements for keyed cryptographic hashing apply to previously hashed PANs?