An often-overlooked challenge when it comes to PCI compliance is the occasion when customers ‘helpfully’ email their credit card details in an attempt to expedite an order or refund, or when they have trouble ordering online. These actions are in fact the very opposite of helpful and can cause issues for organizations that need to protect payment card data in compliance with PCI DSS (Payment Card Industry Data Security Standard) requirements, which state that credit card information must not be captured, transmitted, or stored.
The PCI Compliance Issue
Historically, IT and compliance teams have relied on employees to manually delete these emails, report the issue for further tracking, and respond to the customer in a separate message letting them know that it is not company policy to accept payment card information through this communication channel. However, this manual approach to credit card data security exposes both the customer and the organization to undue risk and error.
Email is not the only communication channel creating risk. A similar violation can occur outside email when a customer submits payment card information through an organization’s non-compliant “contact us” web form, social media account, or instant messaging/chat platform. These tend to be front-end applications that feed into other systems, which further store and multiply the data across web servers, marketing automation, and CRM tools. In every case, payment card data is distributed through your environment and needs to be contained, secured, and managed within PCI DSS guidelines.
To address this challenge, organizations use PCI-compliant email and web gateways with automated scanning and data redaction technologies to remove payment card data before it reaches its intended recipient. This helps ensure PCI compliance while avoiding the manual clean-up of a trail of PCI data left behind.
Adaptive Redaction: An Automated Solution for PCI Compliance
Clearswift's on-premise Secure Email Gateway leverages Adaptive Redaction technology to automate the scanning and redacting of payment card information (or other sensitive and inappropriate data) prior to it entering the organization. Thanks to Optical Character Recognition (OCR) scanning, this even includes payment card information sent as scanned images or photographs.
In real time, a Deep Content Inspection Engine completely disassembles inbound messages, detecting and removing only the information that breaks PCI DSS guidelines while allowing the rest of the message to go ahead unhindered. This ensures a continuous approach to collaboration and communication while removing the risk of inappropriately shared information.
PCI-Compliant Email Protection from Day One
Setting up PCI policy rules within the Secure Email Gateway is easy thanks to the pre-defined PCI and PII tokens designed to simplify policy definition and deployment. The Secure Email Gateway appliance also uses Lexical Expression Qualifiers (LEQs) to validate sensitive information. This minimizes the number of false positives, as it understands when a number might look like payment information but isn’t.
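The two passages above describe detecting card numbers inside a message, redacting only those, and rejecting look-alike numbers. As an added illustration (not Clearswift's code and not its Lexical Expression Qualifier implementation), the Python below shows the core of such a check: card-number-shaped strings are validated with the Luhn mod-10 algorithm, so a 16-digit order number that fails the check is left intact while genuine PANs are masked and the rest of the message is untouched. The regular expression, the masking format and the sample email are all constructed for this example.

```python
import re

# Constructed pattern: 13 to 19 digits, optionally separated by single
# spaces or hyphens, not glued to other digits on either side.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check that every payment card PAN satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_pans(text: str, keep_last: int = 4) -> tuple[str, int]:
    """Mask every Luhn-valid PAN-shaped number in `text`.

    Digit strings that merely look like a card number (order references,
    long phone numbers) fail Luhn and are returned unchanged, which is the
    false-positive reduction the article attributes to its qualifiers.
    Returns (redacted_text, number_of_redactions).
    """
    count = 0

    def _mask(match: re.Match) -> str:
        nonlocal count
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_valid(digits):
            return raw          # looks like a PAN but is not one: keep it
        count += 1
        return "[PAN REDACTED ****" + digits[-keep_last:] + "]"

    return _CANDIDATE.sub(_mask, text), count


# Constructed inbound message: two test PANs, one order number, one phone number.
SAMPLE = (
    "Hi, please charge my card 4111 1111 1111 1111 for order 1234567890123456.\n"
    "Backup card: 4242-4242-4242-4242. Call me on 0207 946 0958."
)

if __name__ == "__main__":
    redacted, n = redact_pans(SAMPLE)
    print(f"{n} PAN(s) redacted:\n{redacted}")
```

A production gateway would additionally apply issuer prefix and length rules per card brand and inspect attachments, but the Luhn gate alone already separates the order number from the two real PANs in the sample.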
P.S. PCI DSS 4.0 Is Going into Effect March 2024, But Don't Panic Yet!
PCI DSS 4.0 compliance is about to roll out, but don't panic yet... While it goes into effect March 31st, 2024, the transition period is set to end on March 31, 2025. This is intended to give organizations time to devise and implement changes to meet the updated requirements. As a reminder, here is a summary of the update's requirements:
- Ensuring the standard meets the security needs of the payments industry
- The promotion of security as a continuous process
- Enhancing validation methods and procedures
Looking to transform email from a high-risk communication channel to one that’s PCI-compliant?
Request a demo of the Clearswift on-premise Secure Email Gateway and get started.