No matter how big or small your organization is, if it handles credit card data, you should be PCI compliant. The PCI Data Security Standard (DSS) provides guidelines to small merchants, large vendors, financial institutions, device manufacturers, and other industry professionals on how to secure cardholder data and prevent security breaches.
The one thing that PCI doesn’t protect against, however, is human error. You can ask your customers and business partners to not send credit card info over email as much as you please, but that won’t stop someone from using email when something in the payment system breaks. When this happens, email encryption can mean the difference between a minor irritation and a major security disaster.
PCI DSS is a set of requirements designed to prevent credit card data breaches, and detect and react to them if they do occur. It protects vendor reputations, minimizes litigation costs, and helps companies catch security vulnerabilities they might otherwise miss. All businesses that use customer credit card data need to be PCI compliant — even e-commerce merchants that outsource billing, and never actually see the credit card data.
To become PCI compliant, all companies must take the correct self-assessment questionnaire (SAQ), and sign a form that they’re using the security best practices defined in that questionnaire. In most cases, they’ll also need to have their network checked for vulnerabilities quarterly by an Approved Scanning Vendor (ASV). Companies are assigned levels based on how many card payments they process annually. Level 1 companies — companies that process more than 6 million credit card transactions each year, or have had a data breach — are also required to have a Qualified Security Assessor (QSA) do an annual assessment.
To be PCI compliant, a business must secure its network by installing a firewall. Additionally, they need to encrypt cardholder data sent over the Internet, or any other open network, and protect any stored credit card data. It should also maintain a vulnerability management program by keeping antivirus, anti-malware, and other software secure and up to date. It must also implement strong access control, which keeps credit card data from everyone except the employees who need to see it. Finally, it will have to monitor and test the network regularly, and have an information security policy governing all personnel.
PCI compliance requirements vary based on the way a business uses cardholder information. For example, SAQ A merchants that don’t process or store payments have different requirements than SAQ C merchants that processes and transmit credit card data.
Email is usually not technically part of the cardholder data environment (CDE) — the part of the system that processes credit card. Sending card info over unencrypted email is a big security risk, but you shouldn’t send it over encrypted email either; email makes it harder to control access and meet PCI rules, such as the requirement to never store card data after authorization. Emailing credit card numbers puts your company’s email system within the scope of the CDE, which makes it harder to stay PCI compliant.
So why should PCI compliant businesses use encrypted email? First of all, it protects other information that could expose customers. Unsecured emails with invoices, receipts, and other sensitive data can make it easier for hackers to target the people you do business with. Secure business email with encryption and access control helps keep this sensitive data safe.
Email encryption also provides an extra layer of protection, should someone screw up and email cardholder data. If an employee or business partner does this (and they should know not to), encryption will hide the data from anyone spying on the message. It can’t stop a customer from emailing their credit card info, but it can protect in-house emails about it — reporting the issue, arranging to follow up with the customer, and so on. Email encryption will keep these messages safe from anyone looking for security vulnerabilities to exploit.
PCI compliance is complicated, but email encryption doesn’t have to be. Virtru provides effortless client-side encryption without the hassle of juggling keys. It also lets you control access to sensitive data by setting time limits on emails, preventing messages from being forwarded, and giving your the power to revoke messages, should you accidentally send restricted information. Whether you’re a small business or an enterprise, Virtru email encryption will help you plug the security holes you do see, and minimize the risks from those you don’t.