Reference Content: This is a copy of content from the PCI Security Standards Council FAQ database, preserved for tracking changes over time.
FAQ #1310 Published

Are merchants allowed to request that cardholder data be provided over end-user messaging technologies?

PCI DSS does not prevent the use of end-user messaging technologies (such as email, SMS, chat, etc.) to request or receive cardholder data. However, if an end-user messaging technology is used to receive or send PAN, then that channel must be protected according to all applicable PCI DSS Requirements, including but not limited to Requirements 4.1 and 4.2. Additionally, the entity's systems related to end-user messaging technologies (e.g. e-mail servers) would be in scope for PCI DSS.

For guidance on what to do if PAN is inadvertently received via an end-user messaging channel, refer to FAQ #1157: "What should a merchant do if cardholder data is accidentally received via an unintended channel?"
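Both answers above turn on the same practical question: can the entity tell when a PAN is travelling through an end-user messaging channel, so the message can be blocked, encrypted, or redacted before it lands in an in-scope mail store? The following is an added example, not part of the PCI SSC FAQ, showing one common way to implement that check: scan message text for digit runs of PAN length, confirm them with the Luhn check that all payment card numbers pass, and redact what is found. The sample messages are constructed for the example; the function names (`find_pans`, `redact_pans`, `scan_message`) are the author's choice and not from any PCI SSC material.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, not embedded in a longer digit run. Length bounds are the PAN
# lengths seen across the major card brands.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str):
    """Return (start, end, digits) for every Luhn-valid PAN candidate in text."""
    found = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append((m.start(), m.end(), digits))
    return found


def mask_pan(digits: str) -> str:
    """Keep only the last four digits; more conservative than the maximum
    PCI DSS permits to be displayed, which is enough for matching a
    transaction in a support conversation."""
    return "*" * (len(digits) - 4) + digits[-4:]


def redact_pans(text: str) -> str:
    """Replace every detected PAN with its masked form.
    Spans are replaced from the end so earlier offsets stay valid."""
    out = text
    for start, end, digits in sorted(find_pans(text), reverse=True):
        out = out[:start] + mask_pan(digits) + out[end:]
    return out


def scan_message(text: str) -> dict:
    """Decision record a mail/chat gateway hook could act on: whether the
    message carries PAN, how many, and a redacted copy safe to store."""
    hits = find_pans(text)
    return {
        "contains_pan": bool(hits),
        "count": len(hits),
        "redacted": redact_pans(text) if hits else text,
    }


if __name__ == "__main__":
    # Constructed sample messages. 4111111111111111 and 5555555555554444 are
    # widely used Luhn-valid test numbers; 4111111111111112 fails Luhn.
    samples = [
        "Hi, my card is 4111 1111 1111 1111, exp 12/26, please charge it.",
        "Order ref 4111111111111112, ticket 20240101123456 - no card here.",
        "Two cards: 5555-5555-5555-4444 and 4111111111111111.",
    ]
    for s in samples:
        print(scan_message(s))
```

In a deployment this check would sit at the outbound mail gateway or chat bot edge so that unprotected PAN is stopped before it leaves (Requirement 4.2) and at the inbound side so that accidentally received PAN is redacted before the message is archived, which limits what systems end up in scope.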

Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.