Which policy correctly addresses sending PANs via end-user messaging technologies?

Prepare for the PCI DSS Test with detailed questions and explanations. Use flashcards and quizzes to enhance knowledge. Ensure you're ready for your certification exam!

Multiple Choice

Which policy correctly addresses sending PANs via end-user messaging technologies?

Explanation:
When PANs travel through end-user messaging technologies, they must be protected in transit. The best policy requires that the PAN either be rendered unreadable or secured with strong cryptography during transmission. Rendering unreadable means masking or tokenizing the number so it isn’t exposed if the message is intercepted, while using strong cryptography protects the data with robust encryption so that even if the channel is compromised, the PAN remains confidential. End-user messaging apps are often outside the payment environment’s control, so enforcing encryption or unreadable rendering is essential to prevent exposure of card data. Transmitting PANs in plaintext is not acceptable, relying on a single encryption step can be insufficient, and sharing PANs among employees or concluding that PANs should never be sent do not align with proper protection for legitimate business processes.

