Receiving card data via email is strictly prohibited under PCI DSS and creates immediate compliance violations. Email is not a secure channel: if a mailbox is compromised, every card number stored in it is exposed to criminals. This puts both you and your customers at serious risk.
Essential steps to reduce your risk:
1. Stop processing email-based card payments immediately
- Never process payments from emails containing card numbers, CVV codes, or expiration dates
- Delete any emails with card information immediately and permanently
- Empty your email trash/deleted items to ensure complete removal (server-side archives and backups may still hold copies; ask your email administrator to confirm)
- Check all email folders, including sent items and drafts
2. Implement secure payment alternatives
- Direct customers to your secure website payment portal
- Send customers secure payment links through your payment processor
- Provide phone payment options with proper PCI-compliant systems
- Set up in-person payment methods when possible
3. Educate your customers on secure payment methods
- Create clear communication about how customers should submit payments
- Explain why you cannot accept card information via email
- Provide easy-to-follow instructions for secure payment options
- Include security messaging in your email signatures and customer communications
4. Train staff and update procedures
- Train all employees that email payment processing is absolutely prohibited
- Update customer service procedures to redirect email payment requests
- Establish protocols for responding to customers who send card data via email
- Document these policies in your security procedures
5. Red flags that increase your risk
- Any emails in your system containing full or partial card numbers
- Staff processing payments from email without secure systems
- Customer service representatives handling card data through email
- Automated systems that capture or store emailed payment information
- Email attachments containing payment forms with card data
- Forwarded emails with customer payment information
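As an added example (not from the original page), a small Python scanner for the check in steps 1 and 5: it walks every folder of a constructed in-memory mailbox, flags digit runs that pass the Luhn checksum used by card numbers, and reports only the last four digits so the report itself does not re-expose card data. The MAILBOX structure, folder names and message bodies are assumptions.

```python
import re

# Hypothetical in-memory mailbox (constructed sample data): folder -> list of (message_id, body).
MAILBOX = {
    "Inbox": [
        ("msg-001", "Hi, please charge my card 4111 1111 1111 1111, exp 12/26, CVV 123. Thanks!"),
        ("msg-002", "Invoice #20240117 attached, order ref 1234567890123."),
    ],
    "Sent Items": [("msg-003", "Forwarding the customer's details: 5500-0000-0000-0004 expiring 03/27.")],
    "Drafts": [("msg-004", "Reminder: pay via the portal at https://pay.example.com instead of email.")],
}

# Runs of 13-19 digits, optionally separated by single spaces or dashes.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits):
    """True if the digit string passes the Luhn checksum that real card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_pans(text):
    """Return masked PAN-like numbers in text; order numbers and invoice ids usually fail Luhn."""
    found = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            # Keep only the last four digits so the finding can be shared without leaking the PAN.
            found.append("*" * (len(digits) - 4) + digits[-4:])
    return found

def scan_mailbox(mailbox):
    """Check every folder, including sent items and drafts, and list messages that must be deleted."""
    findings = []
    for folder, messages in mailbox.items():
        for msg_id, body in messages:
            hits = find_pans(body)
            if hits:
                findings.append({"folder": folder, "id": msg_id, "pans": hits})
    return findings

if __name__ == "__main__":
    for f in scan_mailbox(MAILBOX):
        print(f"{f['folder']}/{f['id']}: {', '.join(f['pans'])}")
```

Luhn filtering reduces false positives from order and invoice numbers but does not remove them entirely, so review each finding before deleting.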
The bottom line
Email is never secure for card data transmission and creates immediate PCI violations. Every email containing card information puts your business and customers at risk.
Take immediate action to delete existing emails with card data and redirect customers to secure payment methods. Contact your payment processor today to set up secure payment links and proper customer communication procedures.