A few good questions were asked during the Q&A of my e-commerce seminar on Friday, May 31, 2013 at the JCK Show in Las Vegas. I had to cover many e-commerce topics very briefly, and some of those topics turned into more specific on-the-spot questions.
I presented some of the annoying points about PCI Compliance, including the fact that if you want to fully pass a PCI Compliance test you should not have your email address visible on your website.
When you think about it, that's a pretty strange restriction. After all, how are you supposed to let customers contact you by email if you don't post an address on your website?
The answer is to give visitors a contact form to fill out instead of your address. The form posts to a script on your server, and that script sends the message on to your inbox. The recipient address lives only in the server-side code, so the visitor never sees it and it never appears anywhere in the page source, not even in a hidden field.
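Here is what such a server-side handler looks like in practice. This is an added example written for this page, not code from the original post or from any particular shopping cart. The shop's inbox, the sending address, the SMTP host and the form field names are all assumptions chosen for illustration. Beyond keeping the address out of the page, the handler shows the two checks a contact form needs so it does not become a spam tool itself: the recipient is fixed on the server (never taken from the form), and any field that ends up in a mail header is refused if it contains line breaks, which is how attackers try to smuggle extra Bcc: recipients into naive scripts.

```python
"""Server-side contact form handler: the visitor's message reaches your inbox
without your address ever appearing in the page.

Added example, not code from the original post. SHOP_INBOX, FORM_SENDER,
SMTP_HOST and the form field names are assumptions chosen for illustration.
"""
import re
import smtplib
from email.message import EmailMessage
from email.utils import formataddr

# The real inbox is fixed here, server-side. It must never come from the form
# itself (for example a hidden <input name="to">): spammers would rewrite that
# field and turn your contact form into an open relay.
SHOP_INBOX = "orders@example-jeweler.test"          # assumed address
FORM_SENDER = "contact-form@example-jeweler.test"   # assumed; an address your mail server may send as
SMTP_HOST = "localhost"                             # assumed local MTA

# Conservative syntax check for the visitor's address: local part, '@', dotted domain.
_EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


class InvalidSubmission(ValueError):
    """Raised when a form field is missing, too long or unsafe to put in a header."""


def _header_field(form, field, max_len):
    """Fetch a field destined for a mail header and reject anything that could
    smuggle extra headers: CR/LF is the classic 'Bcc: spamlist' injection."""
    value = (form.get(field) or "").strip()
    if not value:
        raise InvalidSubmission(f"{field} is required")
    if "\r" in value or "\n" in value:
        raise InvalidSubmission(f"{field} contains line breaks")
    if len(value) > max_len:
        raise InvalidSubmission(f"{field} is too long")
    return value


def build_contact_message(form):
    """Turn a dict of POSTed fields (name, email, subject, message) into an
    EmailMessage addressed to SHOP_INBOX.

    The visitor's address goes in Reply-To so staff can answer; From stays the
    fixed FORM_SENDER. Any extra field the client sends (such as 'to') is ignored.
    """
    name = _header_field(form, "name", 100)
    visitor_email = _header_field(form, "email", 254)
    subject = _header_field(form, "subject", 200)
    body = (form.get("message") or "").strip()
    if not body:
        raise InvalidSubmission("message is required")
    if len(body) > 5000:
        raise InvalidSubmission("message is too long")
    if not _EMAIL_RE.match(visitor_email):
        raise InvalidSubmission("email is not a valid address")

    msg = EmailMessage()
    msg["From"] = FORM_SENDER
    msg["To"] = SHOP_INBOX
    msg["Reply-To"] = formataddr((name, visitor_email))
    msg["Subject"] = f"[Website contact] {subject}"
    # Plain text only: nothing the visitor typed is rendered as HTML or
    # delivered to an address the visitor chose.
    msg.set_content(f"Message from {name} <{visitor_email}>:\n\n{body}\n")
    return msg


def rejects(form):
    """True if build_contact_message refuses this submission."""
    try:
        build_contact_message(form)
    except InvalidSubmission:
        return True
    return False


def send_contact_message(msg):
    """Hand the message to the local MTA. Not run by the demo below."""
    with smtplib.SMTP(SMTP_HOST) as smtp:
        smtp.send_message(msg)


if __name__ == "__main__":
    # Constructed sample submissions.
    good = {"name": "Jane Buyer", "email": "jane@example.net",
            "subject": "Ring sizing", "message": "Do you resize rings?"}
    print(build_contact_message(good))
    injected = dict(good, subject="Hi\r\nBcc: victim@example.org")
    print("header injection rejected:", rejects(injected))
```

Wire build_contact_message to whatever receives the POST (a CGI script, a PHP page, a small web framework) and call send_contact_message on the result. The point to carry over to any language is the same: the destination address is a constant in the code, and every header field is checked for line breaks before it is used.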
The restriction is meant to keep your address from appearing on the page as plain text or as a clickable mailto: link. Harvesting bots crawl websites looking for exactly those two things, and the lists they build are sold to spammers, so a single exposed address ends up on dozens or hundreds of spam lists. Once there, you receive a steady stream of unsolicited mail, and every so often some of it carries a malicious attachment or link.
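You can check your own pages the way a harvester would. The script below is an added example, not part of the original post or of any scanning vendor's tool; the sample page it scans is constructed for illustration. It pulls addresses out of mailto: links (including URL-encoded ones) and out of the visible text after decoding HTML entities, which is why the common trick of writing the @ sign as &#64; does not hide an address from a scraper: the decoding is one library call.

```python
"""Audit a page for e-mail addresses a harvesting bot would collect.

Added example, not code from the original post. SAMPLE_PAGE is constructed
for illustration.
"""
import html
import re
from urllib.parse import unquote

# Loose pattern, like a harvester's: it does not care about RFC corner cases.
_ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# href="mailto:..." in any quoting style; stop at '?' so subject= parameters are dropped.
_MAILTO_RE = re.compile(r'href\s*=\s*["\']?\s*mailto:([^"\'?> ]+)', re.IGNORECASE)
_TAG_RE = re.compile(r"<[^>]+>")


def find_exposed_addresses(page_html):
    """Return the sorted list of addresses harvestable from raw HTML.

    Two passes: mailto: link targets (URL-decoded, then entity-decoded) and
    the visible text with tags stripped and entities such as &#64; or &#x40;
    decoded back to '@'. Entity-encoding an address therefore does not hide it.
    """
    found = set()
    for target in _MAILTO_RE.findall(page_html):
        decoded = html.unescape(unquote(target))
        found.update(a.lower() for a in _ADDR_RE.findall(decoded))
    text = html.unescape(_TAG_RE.sub(" ", page_html))
    found.update(a.lower() for a in _ADDR_RE.findall(text))
    return sorted(found)


# Constructed sample page: one plain mailto link, one entity-encoded address in
# the text, one URL-encoded mailto link, and a contact form (which exposes nothing).
SAMPLE_PAGE = """<html><body>
<p>Call us or write to <a href="mailto:sales@example-jeweler.test">sales</a>.</p>
<p>Press inquiries: press&#64;example-jeweler.test</p>
<p>Careers: <a href='mailto:jobs%40example-jeweler.test?subject=Resume'>apply here</a></p>
<form action="/contact" method="post"><input name="message"><input type="submit"></form>
</body></html>"""

if __name__ == "__main__":
    for addr in find_exposed_addresses(SAMPLE_PAGE):
        print("exposed:", addr)
```

Run it against the saved HTML of each public page; anything it prints is something a spam list will eventually contain, and the fix for each hit is the same contact form described above.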
But why should the PCI Compliance regulators care if your email address is on a spam list?
PCI compliance exists to make sure reasonable precautions are taken against the exposure of cardholder data. Malicious email is one of the easiest ways into an internal network: one employee opening an infected attachment is enough. If your anti-virus software expires or fails, that single message can give criminals a foothold on every computer in your store, and from there on your server.
A sophisticated Trojan delivered by email can hide on a computer and give outsiders remote access without anyone noticing.
So, even though it looks like a silly restriction, the reason a PCI compliance test objects to clear-text email addresses on your website is to shrink the target for future email-borne attacks.