Email & PCI Compliance: How to Avoid Costly Violations

If your business sends or receives cardholder data over email, the email system is part of your cardholder data environment and has to meet the Payment Card Industry Data Security Standard (PCI DSS). The standard is explicit on this point: PCI DSS Requirement 4 (4.2 in v3.2.1, 4.2.2 in v4.0) says never send unprotected primary account numbers (PANs) by end-user messaging technologies such as email, instant messaging, SMS or chat. An email solution that encrypts messages and attachments with strong cryptography goes a long way toward satisfying that requirement. The problem, unfortunately, is that most organizations don't encrypt their email or file attachments, so any card number shared or stored via ordinary email is non-compliant with PCI DSS. This invites unnecessary risk: an exposed mailbox becomes a data breach, followed by a compliance finding, and both are costly.

In this post, we’ll take a close look at secure email through the lens of PCI compliance and provide recommendations on how to stay on the right side of PCI compliance.

PCI Compliance Overview

PCI DSS is a security standard, maintained by the PCI Security Standards Council, for payment processors, retailers, merchants and any other organization that stores, processes or transmits credit or debit card data. It contains 12 requirements, listed here with the numbering and wording of PCI DSS v3.2.1 (v4.0 keeps the same twelve with updated wording):

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
  5. Protect all systems against malware and regularly update anti-virus software
  6. Develop and maintain secure systems and applications
  7. Restrict access to cardholder data by business need to know
  8. Identify and authenticate access to system components
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
  12. Maintain a policy that addresses information security for all personnel

These requirements apply to every system, department and technology through which cardholder data passes. Cardholder data means the PAN, alone or together with the cardholder name, expiration date and service code. Sensitive authentication data (full magnetic stripe or EMV chip track data, card verification codes, and PINs or PIN blocks) is held to a stricter rule: it must never be stored after authorization, even in encrypted form.

Why PCI Compliance Matters

The need for PCI compliance stems from recurring reports of costly data breaches in which customer cardholder data has been exposed. Hackers frequently monetize this data on the Dark Web where other cybercriminals purchase and use the stolen data to commit fraud. Credit card theft and fraud costs credit card processors millions of dollars and it can take consumers months or even years to restore their credit history.

As a result, the card brands (Visa, Mastercard, American Express, Discover and JCB), which founded the PCI Security Standards Council, require any business accepting their cards to demonstrate PCI DSS compliance. Enforcement runs through the merchant's acquiring bank, which is contractually on the hook to the brands.

Maintaining PCI compliance is important for a few reasons:

  • Avoidance of costly penalties stemming from PCI compliance violations; the card brands levy non-compliance fines on the acquiring bank, which passes them on to the merchant, and commonly cited figures reach $100,000 per month until compliance is restored.
  • Mitigation of chargebacks and cases of fraud due to lax security.
  • Upkeep of your merchant account (necessary to process payments) through upholding compliance and keeping a low chargeback or fraud ratio.
  • Protecting the information of your customers, maintaining your brand and generally serving your market ethically and responsibly.

PCI Compliance Levels

There are four merchant levels, set by the number of card transactions a company processes per year. Each card brand defines its own thresholds; the ones below are Visa's, and the Level 3 and Level 4 thresholds count e-commerce transactions. A merchant that suffers a breach can be escalated to Level 1 at the brand's discretion regardless of volume.

  • Level 1 – over 6 million transactions per year
  • Level 2 – 1 million to 6 million transactions per year
  • Level 3 – 20,000 to 1 million e-commerce transactions per year
  • Level 4 – fewer than 20,000 e-commerce transactions per year (and up to 1 million transactions in total)

The 12 requirements are the same at every level; what changes is how compliance must be validated, and the higher the level, the more stringent the validation. A Level 1 merchant must undergo an annual on-site assessment by a Qualified Security Assessor (QSA), producing a Report on Compliance (ROC), while Level 2 to Level 4 merchants may generally complete a Self-Assessment Questionnaire (SAQ). Quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) apply at every level where externally facing systems are in scope.

Top Five Causes of PCI Compliance Failures

Organizations that violate PCI DSS compliance typically do so for the following reasons:

  1. Failure to Apply Security Patches: PCI DSS (Requirement 6.2 in v3.2.1) requires critical security patches to be installed within one month of release. Systems left unpatched carry known vulnerabilities that attackers can exploit, often with public exploit code.
  2. Weak or Shared Passwords: Default or weak passwords, and a single credential reused across accounts or shared among staff, mean that one phished or leaked password opens many systems (Requirements 2 and 8). Multi-factor authentication is required for all non-console administrative access and all remote access into the cardholder data environment.
  3. Unsecured Wi-Fi Networks: Any wireless network that carries cardholder data or connects to the cardholder data environment must use strong authentication and encryption (WPA2 or WPA3 with current best practice; WEP is prohibited), and the environment must be checked for rogue access points at least quarterly (Requirement 11.1). Misconfigured wireless gives an attacker a foothold inside the network without ever entering the building.
  4. Insufficient Access Controls: Failing to limit access to cardholder data to those with a business need to know (Requirement 7), or letting permissions accumulate as people change roles, means a compromised or malicious account can reach far more data than it should.
  5. Not Monitoring for Security Events: Requirement 10 requires logging of all access to cardholder data, all administrator actions, authentication attempts and changes to system components, with logs reviewed daily and retained for at least one year (three months immediately available). Without this, an intrusion goes unnoticed while the attacker finds and exploits weaknesses, and a compromised account cannot be traced afterwards.

Repercussions of Non-compliance With PCI

Failure to comply with PCI can present significant difficulties to organizations. These difficulties can include hefty fines, reputational damage, and litigation. Additionally, organizations may have to invest more resources into systems and security personnel to ensure, and prove, their systems are compliant with PCI standards, which can create significant financial costs in the form of training, hardware, and software upgrades.

Compliance also has technical consequences: legacy hardware or software that cannot meet the standard (for example, systems that no longer receive security patches, or devices that only support deprecated protocols such as SSL and early TLS) has to be isolated from the cardholder data environment or retired. Organizations must therefore keep constant watch over how they share data regulated by PCI DSS, as well as over the data security practices and hardware/software solutions protecting that data, to ensure they remain compliant.

The Problem with Email and PCI Compliance

PCI DSS requires that card numbers never be captured, transmitted or stored through unprotected servers or ordinary email (Requirement 4.2 in v3.2.1). Email was designed to carry plain text. Even where the hop between two mail servers happens to be protected by opportunistic TLS, the message sits unencrypted in the sender's Sent folder, in every recipient's mailbox, in backups, in mail-server logs and in any copy that is forwarded, where it can be read by anyone with access, including unauthorized employees, hackers, cybercriminals and identity thieves.

Furthermore, even if you encrypt the message, you have no guarantee that the recipient decrypts it into a protected environment, keeps it private, or does not forward it on in the clear. Every mailbox that ends up holding a PAN is pulled into the scope of your cardholder data environment, along with the systems behind it. Sharing any sensitive data via email therefore creates risk that is hard to bound.

How to Use Email in Compliance with PCI

Any merchant that accepts credit cards for payment should strive to keep its cardholder data environment (CDE), meaning the people, processes and systems that store, process or transmit cardholder data, as small and as well protected as possible, so that customer data is shielded from compromise and the scope of assessment stays manageable. Businesses accomplish this with both compliant internal practices and careful partnerships with technology providers. These practices include:

  • Use secure email. Rather than placing cardholder data in the message itself, send a secure link that brings the recipient to a compliant server with encryption in transit and at rest and per-user access controls; the data then never enters a mailbox.
  • Adopt technologies that support enterprise functionality. Use a secure file transfer platform for bulk file exchanges like monthly invoicing, and a secure file sharing or secure email solution for correspondence with individual customers. The embedded or integrated information governance and data management capabilities in these applications can support PCI compliance.
  • Partner with technology providers that prioritize data protection. If you work with a cloud or SaaS vendor, ensure they include or support key security features such as SFTP with current ciphers and key exchange, SIEM integration, multi-factor authentication, firewalls and anti-malware, and ask for their Attestation of Compliance (AOC) covering the specific service you use.
  • Train your employees. This includes periodic security awareness training, and documentation of that training, on how to use new and existing technologies and platforms in a secure manner that complies with PCI requirements.
  • Leverage technologies with immutable audit trails. Audit logs are critical for PCI compliance, so use platforms that provide unbroken chains of evidence for all security and data access events.
  • Do not send credit card information by email or post. Self-explanatory, but it bears repeating that you should never include customer financial or payment information in a letter or message, including an invoice that carries extensive customer information.
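As an added example (not code from the original post or from Kiteworks), the following Python script shows the control behind the last bullet and the earlier point that plain email carries card numbers in clear text: an outbound-mail check that parses each message, scans the text body and text-like attachments for candidate card numbers, keeps only those that pass the Luhn check, and reports them masked to the first six and last four digits. The sample message, the relay hook that would call the check, and the card numbers (published test PANs) are all constructed assumptions.

```python
"""Outbound-mail check for primary account numbers (PANs).

Added example for this post; not code from the original page or from
Kiteworks. Assumed deployment (not shown): run on every outbound message
from a milter or mail-transport hook and refuse to relay anything that
carries a PAN.
"""
import email
import re
from email.message import Message
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# A PAN is 13 to 19 digits; people type them with spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
TEXT_SUFFIXES = (".txt", ".csv", ".log")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; every major card brand's PANs satisfy it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep at most the first six and last four digits, as PCI DSS permits for display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return masked PANs found in text; candidates that fail Luhn are dropped."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(mask_pan(digits))
    return hits


def _text_of(part: Message):
    """Decode text/* parts and text-like attachments; skip binary ones.
    PDFs, spreadsheets and images need a content extractor, which this
    example does not include."""
    if part.is_multipart():
        return None
    name = (part.get_filename() or "").lower()
    if not (part.get_content_maintype() == "text" or name.endswith(TEXT_SUFFIXES)):
        return None
    raw = part.get_payload(decode=True)
    if raw is None:
        return None
    return raw.decode(part.get_content_charset() or "utf-8", errors="replace")


def scan_message(msg: Message) -> list:
    """Walk every MIME part; return (part name, masked PAN) pairs."""
    findings = []
    for part in msg.walk():
        text = _text_of(part)
        if text is None:
            continue
        label = part.get_filename() or part.get_content_type()
        findings.extend((label, pan) for pan in find_pans(text))
    return findings


def scan_raw(raw: bytes) -> list:
    """Same check on an RFC 5322 message as it arrives at the relay."""
    return scan_message(email.message_from_bytes(raw))


def build_sample() -> Message:
    """Constructed sample: a support reply that quotes a customer's card,
    an order number that looks like a card but fails Luhn, and a CSV export
    attachment. The card numbers are published test PANs, not real cards."""
    msg = MIMEMultipart()
    msg["From"] = "billing@example.com"
    msg["To"] = "customer@example.net"
    msg["Subject"] = "Re: your invoice"
    body = ("Thanks, I have your card on file as 4111 1111 1111 1111, exp 09/27.\n"
            "Order reference 1234567812345678 (not a card number).\n")
    msg.attach(MIMEText(body, "plain"))
    export = MIMEText("name,pan\nA. Customer,5500000000000004\n", "csv")
    export.add_header("Content-Disposition", "attachment", filename="export.csv")
    msg.attach(export)
    return msg


if __name__ == "__main__":
    for label, pan in scan_raw(build_sample().as_bytes()):
        print(f"blocked: PAN {pan} found in {label}")
```

The Luhn step is what keeps this usable in practice: order numbers, tracking numbers and timestamps routinely look like card numbers, and without it the check would block legitimate mail. Masking the match before logging matters too, because a detector that writes full PANs into its own log just creates a new store of cardholder data that is itself in scope.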

Protect Credit Card Data, Avoid Costly Fines, and Achieve PCI Compliance With Kiteworks

The Payment Card Industry Data Security Standard prohibits sending unprotected card numbers by email and requires strong cryptography wherever cardholder data crosses open, public networks. It's critical therefore that your organization adheres to these requirements so you can continue accepting credit card payments (read: stay in business).

The Kiteworks Private Content Network, a FIPS 140-2 Level validated secure file sharing and file transfer platform, consolidates email, file sharing, web forms, SFTP, managed file transfer, and next-generation digital rights management solution so organizations control, protect, and track every file as it enters and exits the organization.

The Kiteworks platform is used by organizations to help them meet a variety of compliance standards and mandates, including PCI-DSS.

FIPS 140-2 certified encryption enhances the security of the Kiteworks platform, making it suitable for organizations that handle sensitive data like payment card information. In addition, end user and administrator activity is logged and is accessible, crucial for PCI-DSS compliance, which requires tracking and monitoring of all access to network resources and cardholder data.

Kiteworks also offers different levels of access to all folders based on the permissions designated by the owner of the folder. This feature helps in implementing strong access control measures, a key requirement of PCI-DSS.

Kiteworks deployment options include on-premises, hosted, private, hybrid, and FedRAMP virtual private cloud. With Kiteworks: control access to sensitive content; protect it when it’s shared externally using automated end-to-end encryption, multi-factor authentication, and security infrastructure integrations; see, track, and report all file activity, namely who sends what to whom, when, and how. Finally demonstrate compliance with regulations and standards like GDPR, HIPAA, CMMC, Cyber Essentials Plus, IRAP, and many more.

To learn more about Kiteworks, schedule a custom demo today.

*** This is a Security Bloggers Network syndicated blog from Cyber Security on Security Boulevard Archives - Kiteworks | Your Private Content Network authored by Vince Lau. Read the original post at: