PCI Data Security Standard, often referred to as PCI DSS, is a combination of rules and regulations that help prevent unwarranted access to sensitive customer payment data. A lot of businesses think that simply being PCI compliant is all the security they need to protect their customers' credit card information. In a perfect world, this might be true, but unfortunately other areas of protection, such as email encryption, need to be looked at as well.
Understanding PCI Compliance
First, it is important to understand what being PCI compliant entails for your security. It starts with basic network security essentials, like a network firewall that restricts connections to your network from unauthorized users. You’ll also need some sort of antivirus or anti-malware program in place, either worked into your firewall, on each computer, or both.
PCI compliance also requires that you have limited access to your customer credit card data, meaning only certain authorized employees know where this information is stored and how to access it. Your network will also need to be monitored and tested for any possible security breaches on a regular basis.
These requirements can vary slightly between businesses, but for the most part, all businesses will be required to have some sort of network security. Being PCI compliant shouldn't be looked at as a dreaded requirement, but rather as a reassurance that your company is protected against hackers who could potentially destroy your business by stealing sensitive information.
There are several different self-assessment questionnaires that allow you to verify whether your company is PCI compliant. Since there are several of these, you'd need to fill out the form that is relevant to your business. Usually, an Approved Scanning Vendor (ASV) will also check your network on a regular basis to ensure you remain compliant with the PCI DSS standard. Companies that exceed a certain number of credit card transactions may also be required to have a Qualified Security Assessor (QSA) check their network as well.
The Missing Ingredient: Email Encryption
With all of that said, it's time to look closer at email encryption. Although this isn't usually a requirement for PCI compliance, and email is generally not part of the cardholder data environment (CDE), you should definitely still implement email encryption. Since emails often contain invoices and receipts that can potentially expose sensitive data, you'll want to make sure this data is encrypted so it doesn't fall into the wrong hands.
Beyond these documents that might contain bits and pieces of sensitive information, you also have the risk of customers submitting credit card data via email. Obviously this isn't the norm for businesses, and most companies strongly advise against sending this information over email, but you can't stop an uninformed customer from doing so. Therefore, the only way to protect this information is to ensure your business emails are fully encrypted.