Which statement best describes the policy for sending PANs using end-user messaging technologies?

• A. PANs may be sent via unprotected channels if recipients are trusted.
• B. PANs can be transmitted via secure channels only.
• C. Never send unprotected PANs by end-user messaging technologies.
• D. End-user messaging is allowed for PAN sharing if encrypted.

Answer: (C)

The policy hinges on not exposing cardholder data through consumer-style messaging channels. End-user messaging technologies—text, chat apps, email, and similar tools—are outside controlled, PCI‑compliant environments, and data can be intercepted, stored on devices you don’t control, or logged along the way. Because of that risk, the rule is to never send PANs unprotected through these channels. If card data must be shared, use PCI‑compliant secure methods (such as tokenization, secure portals, or encrypted transmission within a controlled system) and minimize exposure by redacting PANs to the last four digits when possible. That’s why this statement is the best fit: end-user messaging should not be used for transmitting PANs in any unprotected form.