FAQ #1085 Diff
Can unencrypted PANs be sent over end-user messaging technologies like instant messaging or chat?
Earlier Version
PCI DSS requirement 4.2 prohibits the sending of unprotected primary account numbers (PANs) via end-user messaging technologies, including e-mail, instant messaging and chat, whether sent internally or over public networks. Instant messaging and chat are considered end-user messaging technologies and thus required to meet PCI DSS requirement 4.2. Per PCI DSS requirement 4.1, strong cryptography and security protocols must be used when cardholder data is sent over open, public networks.
Later Version
PCI DSS Requirement 4.2 prohibits the sending of unprotected primary account numbers (PANs) via end-user messaging technologies, whether sent internally or over public networks. E-mail, instant messaging, SMS, and chat are all considered end-user messaging technologies and thus required to meet PCI DSS Requirement 4.2. Per PCI DSS requirement 4.1, strong cryptography and security protocols must be used when cardholder data is sent over open, public networks.
For guidance on what to do if PAN is inadvertently received via an end-user messaging channel, refer to FAQ #1157 - What should a merchant do if cardholder data is accidentally received via an unintended channel?
Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.