How to Send Credit Card Information Securely by Email (and Why You Shouldn’t!)

Sending credit card information via email is a risky practice, akin to leaving your wallet on a park bench. While convenient, it exposes your sensitive data to numerous potential threats. This article will delve into why sending credit card details through email is inherently insecure, explore alternative secure methods, and, if absolutely necessary, outline steps to mitigate the risks when emailing such information. However, remember the best approach is to *avoid* sending credit card information via email altogether.

Why Sending Credit Card Information via Email is a Bad Idea

Email was never designed for secure data transmission. Several factors contribute to its vulnerability:

  • Lack of End-to-End Encryption: Standard email communication lacks end-to-end encryption. This means that the email is vulnerable to interception at various points between your computer and the recipient’s inbox. Think of it like sending a postcard rather than a sealed letter. Anyone along the route can read it.
  • Email Servers are Vulnerable: Email servers are potential targets for hackers. If a server is compromised, all emails stored on it, including those containing credit card information, could be exposed.
  • Phishing Attacks: Scammers often use phishing techniques to trick individuals into revealing sensitive information via email. By mimicking legitimate businesses, they can gain access to credit card numbers and other personal data.
  • Unsecured Networks: Sending emails over unsecured Wi-Fi networks, such as those in coffee shops or airports, further increases the risk of interception.
  • Human Error: Simple mistakes, such as sending the email to the wrong recipient or accidentally including the credit card information in the body of the email instead of an encrypted attachment, can have serious consequences.
  • Email Storage: Even after the email is read, it remains stored on email servers and devices, creating a persistent security risk.

The Payment Card Industry Data Security Standard (PCI DSS), which outlines security requirements for organizations that handle credit card information, strongly discourages sending cardholder data via email.

Safer Alternatives to Emailing Credit Card Information

Fortunately, several more secure methods exist for transmitting credit card information:

  • Secure Online Payment Gateways: Encourage customers to use secure online payment gateways like Stripe, PayPal, Authorize.net, or Square. These services encrypt credit card information during transmission and storage, significantly reducing the risk of data breaches.
  • Phone Communication: Instead of emailing, ask customers to provide their credit card information over the phone. While not foolproof, this method is generally more secure than email, as the information is transmitted directly to you and not stored on multiple servers. Train employees on proper phone security protocols, such as verifying the caller’s identity and entering the credit card information directly into a secure system.
  • Fax Machines: Although seemingly outdated, fax machines can provide a more secure means of transmitting credit card information than email. Fax transmissions are typically encrypted, making them more difficult to intercept.
  • Secure File Transfer Services: Utilize secure file transfer services, such as SFTP (Secure File Transfer Protocol) or services that offer end-to-end encryption, to transmit sensitive data. These services encrypt the data both in transit and at rest, providing a higher level of security. Examples include Tresorit, Boxcryptor, and SendSafely.
  • Customer Portals: Create a secure customer portal on your website where customers can enter and manage their payment information. This gives you control over the security of the data and allows you to implement robust security measures.
  • Tokenization: Replace sensitive credit card data with non-sensitive data, or tokens. This process, called tokenization, is often used in conjunction with payment gateways and significantly reduces the risk of data breaches. Even if the tokens are compromised, they are useless without the corresponding decryption key.
  • In-Person Transactions: For local businesses, encourage customers to make payments in person using a credit card terminal or point-of-sale (POS) system. These systems are designed to securely process credit card transactions and are typically PCI DSS compliant.

If You Absolutely Must Email Credit Card Information (A Last Resort)

While strongly discouraged, there might be rare situations where emailing credit card information seems unavoidable. In such cases, follow these steps to minimize the risks:

  1. Encryption is Paramount:
    • Use Strong Encryption Software: Employ robust encryption software to encrypt the email and any attachments containing credit card information. Options include Gpg4win (for Windows), GPG Suite (for macOS), or OpenSSL (cross-platform).
    • Password Protect Attachments: If you are sending the information as an attachment (which is recommended over including it in the body of the email), password-protect the document. Use a strong, unique password that is difficult to guess.
    • Communicate the Password Separately: *Crucially*, do not send the password in the same email as the encrypted attachment. Use a different communication channel, such as a phone call or SMS message, to convey the password to the recipient. This ensures that even if the email is intercepted, the attacker will not have the password to decrypt the attachment.
  2. Minimize the Information Included: Only include the *absolutely necessary* information. For example, if you only need the last four digits of the credit card, do not send the entire number. The less data you send, the lower the risk. Consider only sending information required for one-time use and explicitly state in the email that the information should not be stored after use.
  3. Use a Secure Email Provider: Opt for an email provider that offers enhanced security features, such as end-to-end encryption and two-factor authentication. Examples include ProtonMail, Tutanota, and Mailfence. Keep in mind that even with a secure email provider, the recipient’s email security is also a factor.
  4. Verify the Recipient’s Identity: Before sending any sensitive information, verify the recipient’s identity to ensure that you are sending it to the correct person. This can be done by calling them or using another method of verification.
  5. Use a Temporary or Single-Use Email Address: Consider using a temporary or single-use email address specifically for this transaction. This can help to further protect your primary email address from being compromised.
  6. Clear Communication & Disclaimers: Include a clear disclaimer in the email stating that you are sending sensitive information and that the recipient should take appropriate security measures to protect it. Also, clearly instruct the recipient to delete the email after use.
  7. Regularly Update Security Software: Ensure that your computer and email software are up to date with the latest security patches to protect against vulnerabilities.
  8. Use a Virtual Private Network (VPN): When sending sensitive information over the internet, use a VPN to encrypt your internet traffic and protect your data from eavesdropping.
  9. Immediately Delete the Email After Sending: After sending the encrypted email, immediately delete it from your sent items folder and any other locations where it might be stored. Also, empty your trash or recycle bin to ensure that the email is permanently deleted.
  10. Educate Yourself and Others: Stay informed about the latest security threats and best practices for protecting sensitive information. Educate yourself and others about the risks of sending credit card information via email and the importance of using secure alternatives.
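A pre-send check that enforces the "minimize the information" step and catches the human-error case of a card number typed into the body. This is an added example, not code from the original article: it scans an outgoing message for Luhn-valid card numbers, leaves other long digit strings (order or tracking numbers) alone, and redacts any hit to its last four digits so a mail gateway can block the message and log a safe record. The regex and the sample email are constructed for this example.

```python
import re

# 13 to 19 digits, optionally separated by single spaces or dashes (constructed
# pattern; widen it if your mail flow sees other formats).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum that card numbers carry."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, the most an email should ever carry."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_outgoing(body: str) -> tuple[str, list[str]]:
    """Redact Luhn-valid card numbers; return (redacted body, masked values found)
    so a mail gateway can block the message and log a record that is safe to keep."""
    found: list[str] = []

    def redact(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)  # an order or tracking number: leave it untouched
        found.append(mask_pan(digits))
        return found[-1]

    return PAN_CANDIDATE.sub(redact, body), found


# Constructed sample: a phone order typed straight into an email, as the article warns against.
SAMPLE_EMAIL = (
    "Hi accounting, order #1234567890123 from Jane.\n"
    "Card: 4111 1111 1111 1111 exp 12/29, CVV 123.\n"
    "Second card 3782-822463-10005 for the add-on order.\n"
)

if __name__ == "__main__":
    redacted, hits = scan_outgoing(SAMPLE_EMAIL)
    print(redacted)
    print(f"blocked: {len(hits)} card number(s) found: {hits}")
```

Run it on the sample and both card numbers come back masked while the 13-digit order number, which fails the Luhn check, is left intact.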

Step-by-Step Guide: Encrypting an Email with Gpg4win (Windows Example)

This example uses Gpg4win, a popular open-source encryption software for Windows. Similar tools are available for other operating systems.

  1. Download and Install Gpg4win: Download Gpg4win from the official website (gpg4win.org) and follow the installation instructions.
  2. Generate a Key Pair: After installation, open Kleopatra, the certificate manager that comes with Gpg4win. Select File -> New Key Pair. Follow the prompts to create a new key pair, providing your name and email address. Choose a strong passphrase to protect your private key. This passphrase is *essential*; if you lose it, you lose access to your encrypted emails.
  3. Export Your Public Key: To allow others to send you encrypted emails, you need to share your public key. In Kleopatra, right-click on your key and select Export. Save the public key file (usually with a .asc extension). You can then share this file with anyone who needs to send you encrypted emails.
  4. Import the Recipient’s Public Key: Before you can send an encrypted email to someone, you need their public key. Ask the recipient to send you their public key file. In Kleopatra, select File -> Import Certificates and select the recipient’s public key file.
  5. Encrypt the Email:
    • Using the Clipboard: Open GPA (GNU Privacy Assistant), another component of Gpg4win. Copy the credit card information and any other sensitive data to your clipboard. In GPA, click Clipboard -> Encrypt. Select the recipient’s public key from the list. Click Encrypt. The encrypted text will be copied to your clipboard. Paste this text into your email.
    • Using a File: Create a text file containing the credit card information. In GPA, click File -> Encrypt. Select the file and the recipient’s public key. Click Encrypt. This will create an encrypted file (usually with a .gpg extension). Attach this file to your email.
  6. Send the Email: Compose your email, including either the encrypted text or the encrypted file attachment. *Remember to send the passphrase to decrypt the information via a separate channel (phone call, SMS, etc.)*.
  7. Recipient Decryption: The recipient will need Gpg4win (or a compatible program) and your public key to decrypt the email. They will use their private key and the passphrase you provided to decrypt the information.

Example Scenario: A Small Business Accepting Phone Orders

Let’s say you run a small online store and a customer calls in to place an order over the phone. They want to pay with a credit card.

Incorrect (and Insecure) Method:

The customer reads out their credit card information, and you type it directly into an email and send it to your accounting department.

Correct (and More Secure) Method:

  1. Inform the Customer: Explain to the customer that you prioritize their security and don’t typically accept credit card information via email.
  2. Offer Alternatives: Suggest they use a secure online payment gateway, pay via PayPal, or fax the information.
  3. If They Insist on Phone:
    • Use a secure phone line (avoid using a mobile phone on public Wi-Fi).
    • Enter the credit card details directly into your secure payment processing system *while still on the phone with the customer.* Do not write it down or store it anywhere insecurely.
    • Immediately process the payment and confirm with the customer that the transaction is complete.

Compliance with PCI DSS

If your business accepts credit card payments, you are likely subject to the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS prohibits sending unencrypted cardholder data via email. Failure to comply with PCI DSS can result in fines and penalties. Implementing the secure alternatives outlined above is crucial for maintaining PCI DSS compliance.

Conclusion: Avoid Emailing Credit Card Information Whenever Possible

Sending credit card information via email is a high-risk activity that should be avoided whenever possible. Numerous secure alternatives exist, such as online payment gateways, phone communication, and secure file transfer services. If you absolutely must email credit card information, take extreme precautions, including encrypting the email and attachments, minimizing the information included, and using a secure email provider. However, always remember that the best approach is to *avoid* sending credit card information via email altogether and prioritize the security of your customers’ sensitive data.

By understanding the risks and implementing secure alternatives, you can protect your customers, your business, and your reputation.
