It’s common knowledge that sensitive information, like payment card data, shouldn’t be sent through email in an unencrypted state. There is simply too much information security risk, and too many opportunities for cybercriminals to intercept that data.
For that reason, the Payment Card Industry Data Security Standard (PCI DSS) includes specific requirements for the transmission of cardholder information across open networks (including email and other messaging technologies).
Fortunately, encryption technologies enable greater protection of sensitive data, even with email communication – but encrypted emails still put your business within scope of PCI DSS Compliance while making it more difficult and costly to engage in certain email communications with users.
Today, thankfully, there is an innovative, more secure alternative to email encryption that can protect your credit card data while keeping you out of PCI scope.
Email Encryption: One Solution to Unprotected PCI Data
Sending or receiving PCI data, like Primary Account Numbers (PANs) and credit card information, via email has always been severely ill-advised.
In fact, the PCI Security Standards Council states – in PCI DSS Requirement 4.1 – that unencrypted credit card information should not be transmitted over open networks (e.g., the internet, wireless networks, GSM or GPRS).
Similarly, Requirement 4.2 says to “never send unencrypted PANs by end-user messaging technologies.”
Why is that so?
Email messages are sent and stored in clear text, leaving a trail of copies in sent folders, draft folders, inboxes, browser caches, and email trash folders. Delivery of unprotected email text across public networks opens up several opportunities for cybercriminals to intercept cardholder data – so it’s critical to prevent their ability to view any of it.
When it comes to payment card data, like cardholder names, expiration dates, or credit card numbers, every location through which the data passes becomes a point of risk for sensitive data breaches.
That’s why PCI Security Requirement 4 instructs businesses to “encrypt the transmission of cardholder data across open, public networks.” Businesses can send PCI data through email, it simply needs to be encrypted.
With the green light from the PCI Security Standards Council (PCI SSC), many organizations have opted to implement encryption for emailing PCI data. This enables companies to transmit payment card information via email and still remain PCI compliant.
If your organization’s business model includes the need, for example, to send PANs to customers, then your data security policies must state how this information is protected to achieve or maintain your compliance.
Is Email Encryption Really Safe For Credit Card Information?
PCI security focuses on protecting the credit card data that touches your company’s systems and networks. The sum of all those places where PCI data can be found is called your Cardholder Data Environment (CDE), which falls under the scope of PCI Compliance.
Your entire CDE needs to be protected in accordance with PCI compliance. By using encrypted email transmissions that include PCI data, your business effectively extends its CDE to those locations.
For organizations seeking to reduce their PCI scope, adding encrypted emails into the mix certainly isn’t helpful.
Moreover, while encryption keeps the mail transmission system out of PCI scope, it means that the receiver of the email needs to use complex technology to view the data as well as bring themselves into PCI scope - which can negatively impact business operations and stop users from seeing certain content at all.
Fortunately, an innovative technology – called ‘data aliasing’ – is now available for businesses to secure their email-based information, all while reducing their PCI scope and avoiding any disruption in their workflows.
Truly PCI Compliant Emails with Data Aliasing
While encryption obfuscates sensitive data from users who don’t have the proper access, the technology keeps parts of your company’s systems within PCI DSS scope.
All folders and destinations that come into contact with an email containing credit card data are extensions of your CDE, which means they need to be protected in accordance with PCI compliance.
But what if there was a way to still transmit credit card information and other sensitive data through email exchanges without putting those communications into PCI scope?
There is. The new Very Good Security (VGS) Mail Proxy solution enables you to de-scope your email communications from PCI DSS requirements by leveraging a technique known as data aliasing.
VGS’ new Mail Proxy protocol, allows you to send and receive secure emails from any domain without the data they contain ever coming into contact with your business’ systems.
The product rewrites sensitive information, like payment card data, in real-time as the email messages are received and replaces it with a surrogate data alias that makes it indecipherable to any outside eyes – even if the email text falls into the wrong hands.
You can think of it as a similar process to tokenization that's more flexible, secure, and easier to implement.
The email-based data de-scopes the recipients from ever being exposed to PCI data, so they don't have to become an encryption professional just to participate in these email exchanges.
Aliasing takes place before and after the communication is sent, so none of the sensitive data ever touches your organization’s networks. This empowers you to limit the size and extent of your CDE while keeping your email exchanges completely outside of PCI scope, for both large and small businesses.
This innovative solution leverages VGS’ existing platform to rapidly deploy secure email solutions that can be integrated at the network level with less than a day’s worth of effort by following our easy to read integration guide.
Want to enable this Mail Proxy solution? Just talk to a VGS integration engineer to enable it for your organization.