PCI-DSS compliance and email security

Written by Dan Blacharski on May 18, 2009

The Payment Card Industry Data Security Standard (PCI-DSS) is a set of security requirements that came out of a VISA USA program and is now universally accepted by all credit card processors. Its purpose is to protect cardholder data wherever it is held and to prevent identity theft. Any company that processes credit card data must comply.

According to the PCI Security Standards Council, there are 12 broad requirements for compliance:

1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for employees and contractors

Of course, not all of these are relevant to the email admin, but some of them are. The PCI-DSS requirements clearly state that they apply to “all system components,” meaning any network component, server, or application that is connected to cardholder data in any way. This includes email servers and the applications that run on them, including data protection, anti-virus, and anti-spam software.

Anti-malware applications are especially important to PCI-DSS compliance even though they do not directly touch cardholder data, because they protect against malware that could infiltrate the system and gain access to that data. Ensuring that anti-malware software is installed, operational, and regularly updated would be part of the PCI-DSS audit process. Strong security for the email server itself, including firewalling, authentication, and authorization, would also be a check-off point, since the email server is a gateway between the internal network and the outside world.

The encryption requirement applies to any transmission of cardholder data across the Internet, including VPNs or email. If it were me, I would avoid emailing cardholder data completely; but if it does get emailed, it must be encrypted without exception. Requirement ten also implies that a logging system be in place to track activity relating to, among other things, the email server and any potentially illicit email activity that may have taken place.
