Frequently Asked Question

Are entities allowed to request that cardholder data be provided over end-user messaging technologies?

PCI DSS does not prohibit the use of end-user messaging technologies (such as e-mail, SMS, chat, etc.) to request or receive cardholder data. However, if an end-user messaging technology is used to send or receive PAN, that channel must be protected according to all applicable PCI DSS requirements, including but not limited to Requirements 4.2.1 and 4.2.2. Additionally, the entity's systems that support those end-user messaging technologies (for example, e-mail servers) are in scope for PCI DSS.
 
Also refer to the following FAQs:
FAQ 1085: Can unencrypted PANs be sent over e-mail, instant messaging, SMS, or chat?
FAQ 1157: What should a merchant do if cardholder data is accidentally received via an unintended channel?

August 2025
Article Number: 1310