An often-overlooked PCI compliance challenge is the occasion where a customer ‘helpfully’ emails their credit card details in an attempt to expedite an order or refund, or because they are having issues ordering online. These actions are in fact the very opposite of helpful and can cause issues for organizations that need to protect payment card data in compliance with PCI DSS (Payment Card Industry Data Security Standard) requirements, which state that credit card information must not be captured, transmitted, or stored.
The PCI Compliance Issue
Historically, IT and compliance teams have relied on employees to manually delete these emails, report the issue for further tracking and respond to the customer in a separate message, letting them know that it is not company policy to accept payment card information through this communication channel. However, this manual approach to credit card data security exposes both the customer and the organization to undue risk and error.
Email is not the only communication channel creating risk. A similar violation can occur outside of email when a customer submits their payment card information through an organization’s non-compliant “contact us” web form, social media account or instant messaging/chat platform. These tend to be front-end applications which feed into other systems that further store and multiply the data throughout web servers, marketing automation and CRM tools. In any case, payment card data is distributed through your environment and needs to be contained, secured, and managed within PCI DSS guidelines.
One way in which organizations can address this challenge is by using PCI-compliant email and web gateways with automated scanning and data redaction technologies to remove payment card data before it reaches its intended recipient. This helps ensure PCI compliance while also avoiding the need to manually clean up a trail of PCI data left behind.
So What Are the Requirements of PCI DSS 4.0?
While PCI DSS 4.0 started rolling out on March 31st, 2024, the official transition period is set to end on March 31st, 2025. This was intended to give organizations time to devise and implement changes to meet the updated requirements. As a reminder, here is a summary of the update:
- Ensuring the standard meets the security needs of the payments industry
- The promotion of security as a continuous process
- Enhancing validation methods and procedures
For more about PCI DSS 4.0 compliance, watch the video here.
Adaptive Redaction: An Automated Solution for PCI Compliance
Clearswift's on-premise Secure Email Gateway (SEG) leverages Adaptive Redaction technology to automate the scanning and redacting of payment card information (or other sensitive and inappropriate data) prior to it entering the organization. Thanks to Optical Character Recognition (OCR) scanning, this even includes payment card information sent as scanned images or photographs.
Fortra's Deep Content Inspection Engine completely disassembles inbound messages in real time, leading to the detection and removal of only the information that breaks PCI DSS guidelines, while allowing the rest of the message to go ahead unhindered. This ensures a continuous approach to collaboration and communication, while removing the risk of inappropriately shared information.
Want more information on how the SEG can help secure your organization's credit card information and more?
PCI-Compliant Email Protection from Day One
Setting up PCI policy rules within the Secure Email Gateway is easy thanks to the pre-defined PCI and PII (Personally Identifiable Information) tokens designed to simplify policy definition and deployment. The Secure Email Gateway appliance also uses Lexical Expression Qualifiers (LEQs) to validate sensitive information. This minimizes the number of false positives, as it understands when a number might look like payment information but isn’t.
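To illustrate the kind of validation described above, here is an added example (not Clearswift's or Fortra's code) that redacts card numbers from an email body only when the candidate digit run passes a Luhn check, so that order numbers and phone numbers of similar shape are left intact. The Luhn check stands in for the page's Lexical Expression Qualifiers; the sample email text is constructed, and the card number in it is a well-known test value.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or hyphens,
# not preceded or followed by another digit (so longer runs are not partially matched).
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_pans(text: str):
    """Return (redacted_text, number_of_redactions).

    Only Luhn-valid candidates are redacted; the last four digits are kept,
    which PCI DSS permits for display. Everything else is passed through.
    """
    count = 0

    def repl(match):
        nonlocal count
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if luhn_ok(digits):
            count += 1
            return "[PAN REDACTED ****" + digits[-4:] + "]"
        return raw               # looks like a card number but fails validation

    return CANDIDATE.sub(repl, text), count


# Constructed sample: an order number (13 digits, fails Luhn), a test card number
# (passes Luhn) and a phone number (too few digits to be a candidate).
SAMPLE_EMAIL = (
    "Hi, please process my refund for order 1234567890123.\n"
    "My card is 4111 1111 1111 1111, exp 12/27. Phone +44 20 7946 0958.\n"
)

if __name__ == "__main__":
    redacted, n = redact_pans(SAMPLE_EMAIL)
    print(n, "redaction(s)")
    print(redacted)
```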
How Fortra's Agari DMARC Protection Can Deliver Even More Compliance
While PCI DSS 4.0 warnings started getting issued at the end of 2023, you need to know that organizations must be compliant by March 31st, 2025! So besides leveraging the Adaptive Redaction function provided with Clearswift's SEG, you should also implement a DMARC policy. This aligns with PCI DSS 4.0's directive requiring organizations to protect payment card data, and the PII they distribute, through stronger authentication requirements. Specifically, Section 5.4.1 of the guidelines states that anti-phishing mechanisms, such as DMARC, must be in place to defend against attacks.
But don't let this send you reeling, because you can rest reassured that Fortra's Agari DMARC Protection can safeguard your brand from spoofing when you set up a p=reject policy.
Daunted by getting started with DMARC? Or book a demo today and Fortra experts can prepare your email environment to keep your organization PCI-compliant!