PCI DSS requirement 4.2 states that credit card information must not be captured, transmitted or stored via email. More important to understand, however, is that email is transmitted and stored unprotected in clear text and leaves a trail of copies (in inboxes, sent folders, drafts folders, email trash, web browser caches, computer recycle bins, etc.).
Credit card information consists of one or more of the following: full credit card number, expiration date, and the code (CVC) on the back of a credit card.
As an institution of higher education, we should educate our customers about the dangers of using email to conduct financial transactions. As merchants, we should discourage the sending of credit card information, to the point of not processing credit card transactions when the information has been provided over email. IT Security will update our website to reflect PCI DSS best practices.
Furthermore, never reply to a customer by quoting their original email unless you have first truncated the credit card number and deleted the CVC code; quoting it unchanged only adds another copy of the data to the trail.
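The following is an added illustration, not part of this guidance or any University of Maryland tool. It shows how a mail client add-in or help-desk script could sanitize quoted text before a reply goes out: candidate card numbers are located with a regular expression, confirmed with the Luhn check (so invoice or order numbers that merely look like card numbers are left alone), truncated to the last four digits, and any CVC/CVV value is removed. The email text is constructed for the example; the card number in it is a well-known payment-sandbox test number, not a real account.

```python
import re

# Constructed sample reply text. "4111 1111 1111 1111" is a standard test
# number used by payment sandboxes; "1234-5678-9012-3456" is an order reference
# that looks like a card number but fails the Luhn check.
SAMPLE_EMAIL = """\
Hi, please charge my card 4111 1111 1111 1111, exp 12/27, CVC 123.
Order ref 1234-5678-9012-3456 is the invoice number, not a card.
"""

# 13 to 19 digits, optionally separated by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# "CVC 123", "cvv: 1234", "security code #321" etc.
CVC_PATTERN = re.compile(
    r"(?i)\b(cvc|cvv|cvv2|csc|security code)\b\s*[:#]?\s*\d{3,4}\b"
)


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string satisfies the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid card numbers (digits only) found in the text."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def _mask_match(raw: str) -> str:
    """Replace all but the last four digits with '*', keeping separators."""
    total = sum(c.isdigit() for c in raw)
    seen = 0
    out = []
    for c in raw:
        if c.isdigit():
            seen += 1
            out.append(c if seen > total - 4 else "*")
        else:
            out.append(c)
    return "".join(out)


def redact_card_data(text: str) -> str:
    """Truncate Luhn-valid card numbers and delete CVC values from text."""
    def replace_pan(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return _mask_match(m.group(0))
        return m.group(0)       # not a card number; leave untouched

    text = PAN_CANDIDATE.sub(replace_pan, text)
    text = CVC_PATTERN.sub(r"\1 [removed]", text)
    return text


if __name__ == "__main__":
    print(redact_card_data(SAMPLE_EMAIL))
```

Running this on the sample turns the card line into `**** **** **** 1111, exp 12/27, CVC [removed].` while leaving the order reference intact. The Luhn check is what keeps the false-positive rate tolerable on real mail; without it, every sixteen-digit invoice or tracking number would be masked. Note that this only sanitizes the text you send; the copies described above (inbox, sent folder, caches, trash) still have to be deleted.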
First, consider removing your email address from any form/application or website that mentions credit cards. Second, add the following (or similar) text in a very visible fashion to your form/application or website, discouraging the sending of credit card information over email:
For your protection, The University of Maryland does not accept and will not process credit card information provided via email or text messages. Please contact us at (301)XXX-XXXX or drop by our office and we will gladly assist you.
Delete email containing credit card information from your inbox, sent folder, drafts folder and any other folders that you may have created. Once that is done, empty your email trash, empty your web browser cache (temporary browser files) and empty your computer's recycle bin or trash.