Diff: FAQ #1085
Can unencrypted PANs be sent over end-user messaging technologies like instant messaging or chat?
Earlier Version
2008-02-24 00:00:00 UTC
Later Version
2014-08-21 00:00:00 UTC
Removed
Added
PCI DSS rRequirement 4.2 prohibits the sending of unprotected primary account numbers (PANs) via end-user messaging technologies, including ewhether sent internally or over public networks. E-mail, instant messaging and chat, whether sent internally or over public networks. Instant messaging and chat areSMS, and chat are all considered end-user messaging technologies and thus required to meet PCI DSS rRequirement 4.2. Per PCI DSS requirement 4.1, strong cryptography and security protocols must be used when cardholder data is sent over open, public networks.
For guidance on what to do if PAN is inadvertently received via an end-user messaging channel, refer to FAQ #1157 -What should a merchant do if cardholder data is accidentally received via an unintended channel?