FAQ #1310 Diff

Are merchants allowed to request that cardholder data be provided over end-user messaging technologies?

Changes between the Earlier Version and the Later Version are marked inline: [-Removed-] {+Added+}

PCI DSS does not prevent the use of end-user technologies (such as email, SMS, chat, etc.) to request or receive cardholder data. However, if an end-user messaging technology is used to receive or send PAN, then that entity’s channel must be protected according to all applicable PCI DSS [-Requirements,-]{+requirements,+} including but not limited to Requirements [-4.1-]{+4.2.1+} and [-4.2.-]{+4.2.2.+} Additionally, the [-entity’s-]{+entity's+} systems related to end-user technologies [-(e.g.-]{+(for example,+} e-mail servers) would be in-scope for PCI DSS.

{+For guidance on what to+} [-Also refer to the following FAQs: FAQ 1085: Can unencrypted PANs be sent over e-mail, instant messaging, SMS, or chat? FAQ1157: What should a merchant-] do if [-PAN-]{+cardholder data+} is [-inadvertently-]{+accidentally+} received via an {+end-user messaging channel, refer to FAQ #1157 ? What should a merchant do if cardholder data is accidentally received via an+} unintended channel?

Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.