“Is it OK to email inactive credit card numbers?”

May 1, 2014 • Category: PCI 101

Question: Is a card that has been closed by an issuer that is no longer active still subject to the same compliance standards as an active card when looking to email a card number in the clear?

Answer: First, I recommend that you NEVER email a credit card number, regardless of its active/inactive status. However, the PCI Council has weighed in on this issue via its FAQ site. From the PCI Council’s FAQs:

If the issuer confirms the cards are inactive or disabled, the PANs (Primary Account Numbers) no longer pose fraud risk to the payment system. The PCI DSS would not apply in these cases. If however, the PAN is later reactivated, PCI DSS will again apply.

This is confirmed in the following SecureState post, which includes some additional responses from the card brands: http://blog.securestate.com/pci-dss-applicability-to-closed-accounts/.
