Unsolicited credit card in email?
As a QSA, here is how I would expect you to handle this situation:
- Have a policy, that is strictly enforced, stating that no card data is to be sent or received via email.
- Have a procedure in place to handle incidents of unsolicited emails containing card data. This should include a process for securely deleting the offending email, and notifying the customer of how to properly transmit the payment information.
- Implement a method to validate that the policy and procedures are
being followed. This can include:
- Periodic scanning of your email server for credit card data.
- Implement a DLP solution that will monitor your email server for offending data and redact it or not allow it to be sent or stored.
point #3 above is important when considering your PCI assessment. Your QSA will validate the scope of your CDE at the start of the assessment. Part of the scoping exercise may include cardhold data discovery scans, and an email server is a common offender when it comes to storing card data. If the QSA discovers card data on the server then it will be considered part of the CDE. This might cause some problems if you weren't expecting it to be included in the assessment, so the system might not be up to PCI standards. This also makes it difficult to prove that you are following your own policy. A policy alone isn't enough to protect you from PCI requirements. It must be enforced as well.
From what I understand of the applicability of PCI-DSS 3(PDF), if you actively reject (i.e. don't accept credit card data via e-mail), your e-mail system isn't considered part of the CDE
, or Cardholder Data Environment
. It sounds like you have to be very strict about this - 100% compliance, or your e-mail system is now part of your CDE and has to maintain PCI-DSS compliance.
I'd recommend that you institute a policy to discard e-mails that have any credit card data in them, and create an new e-mail to the customer like you're doing. The difference here is that you absolutely can't accept credit card data through e-mail and use that data for verification or processing of payments. Have policies in place for your customer service agents that they can not solicit card data via e-mail or ask for it to be returned in an e-mail, including as an attachment. If possible, I'd put a filter on your incoming e-mail that looks for CC number patterns (starts with 4, 5, or 6; 16 digits, may be split in 3 or 4 groups...), and removes the CC info.
Keep in mind that I'm not a PCI professional, but have been subject to it for several years. It's always better to play it safe considering the liability, although if you don't allow use of e-mailed credit card information your liability would go down significantly.