PCI Watch

Tracking changes across the Payment Card Industry
ℹ️
Reference Content: This is a copy of content from the PCI Security Standards Council FAQ database, preserved for tracking changes over time.
View Original →
FAQ #1085 Published

Can unencrypted PANs be sent over end-user messaging technologies like instant messaging or chat?

PCI DSS requirement 4.2 prohibits the sending of unprotected primary account numbers (PANs) via end-user messaging technologies, including e-mail, instant messaging and chat, whether sent internally or over public networks. Instant messaging and chat are considered end-user messaging technologies and thus required to meet PCI DSS requirement 4.2. Per PCI DSS requirement 4.1, strong cryptography and security protocols must be used when cardholder data is sent over open, public networks.

View original on PCI SSC website View all versions Back to recent changes

Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.