Make sure messages that contain cardholder data don’t compromise security
Email is sent in plain text by default, so fraudsters can read and alter it in transit or in a compromised mailbox. That’s why it’s vital you ban sending cardholder and transaction data by email, including full card numbers, expiry dates and security codes.
You should also:
- Ban personal email – make sure the system is only used for business purposes.
- Review and delete messages regularly – but remember that deleted emails may still be held in message logs, backups or archives, so deletion alone does not remove the data.
- Archive – back up old messages, and protect the archive with the same access controls as live mail.
Email policy
You should consider implementing an email policy. Some of the things you should include are:
- Monitoring emails – make it clear to all staff that emails may be monitored, and that accepting this is a condition of use.
- Set responsibilities – make sure email users understand they are personally responsible for the security of information in their messages.
- Ban .exe attachments – and other executable content in emails (scripts, installers, macro-enabled documents). Block by file content as well as by extension, since attackers rename executables, and if you can’t avoid accepting such attachments, scan them with up-to-date anti-malware before delivery.
- Control user access – if several users share the same computer, give each their own account so that no user can read another’s mail or exceed their own authority.
- Set up a reporting system - require employees to report any email abuse to the appropriate department or person.
- Keep information secure – treat any sensitive information that is accidentally revealed as still confidential: don’t forward it, remove it where you can, and report it.
- Keep records – including a log of all emails that have been deleted, and protect that log itself, since it may describe sensitive content.
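The two controls above that can be enforced automatically are the ban on sending cardholder data by email and the ban on executable attachments. The following outbound-mail check is an added example written for this page, not code from the original page or from any particular product. It assumes the well-known Visa and Mastercard test numbers 4111111111111111 and 5555555555554444 as constructed sample data, and that the two-byte “MZ” header identifies a Windows executable regardless of the filename.

```python
"""Outbound email policy check: flag card numbers (PANs) in message text and
executable attachments. Added illustration, not the page's own code."""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or hyphens,
# not embedded in a longer digit run (so 20+ digit strings are ignored).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Extensions banned outright; the MZ magic catches renamed executables.
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd",
                         ".ps1", ".js", ".vbs", ".msi"}
PE_MAGIC = b"MZ"


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test; filters out order numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return digit strings that look like PANs and pass the Luhn check."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def is_executable(part) -> bool:
    """Flag by banned extension or by PE magic bytes in the decoded payload."""
    name = (part.get_filename() or "").lower()
    if any(name.endswith(ext) for ext in EXECUTABLE_EXTENSIONS):
        return True
    payload = part.get_payload(decode=True) or b""
    return payload[:2] == PE_MAGIC


def check_message(raw: bytes) -> dict:
    """Scan subject and text parts for PANs and attachments for executables."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = {"pans": [], "executables": []}
    findings["pans"].extend(find_pans(str(msg.get("Subject", ""))))
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_maintype() == "text" and not part.is_attachment():
            findings["pans"].extend(find_pans(part.get_content()))
        elif is_executable(part):
            findings["executables"].append(part.get_filename() or "<unnamed>")
    return findings


def verdict(findings: dict) -> str:
    """Policy decision: block the message if anything was flagged."""
    return "block" if findings["pans"] or findings["executables"] else "allow"


def build_sample() -> bytes:
    """Constructed sample message (not a real customer email)."""
    msg = EmailMessage()
    msg["From"] = "agent@example.com"
    msg["To"] = "finance@example.com"
    # Order reference fails Luhn, so it must not be reported as a PAN.
    msg["Subject"] = "Refund for order 1234567890123456"
    msg.set_content(
        "Please refund card 4111 1111 1111 1111 (exp 12/29).\n"
        "Backup card: 5555-5555-5555-4444.\n"
    )
    # Executable renamed to look like a PDF: caught by the MZ magic.
    msg.add_attachment(b"MZ\x90\x00fake-pe-header", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf")
    # Genuine-looking PDF header: allowed.
    msg.add_attachment(b"%PDF-1.7 fake", maintype="application",
                       subtype="pdf", filename="statement.pdf")
    # Caught by extension alone.
    msg.add_attachment(b"not really a program", maintype="application",
                       subtype="octet-stream", filename="setup.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    result = check_message(build_sample())
    print(result, verdict(result))
```

The Luhn test is what keeps the check usable: without it, every 16-digit order or invoice number would be blocked. Note that the same scan should run over archives and message logs, since the page warns that deleted mail may survive there.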