12.2 The payment application must never send unencrypted PANs by end-user messaging technologies (for example, e-mail, instant messaging, chat).
PCI Data Security Standard Requirement 4.2
Testing Procedures:
12.2.a If the payment application allows and/or facilitates sending of PANs by end-user messaging technologies, verify that an encryption solution is provided, or that use thereof is specified.
12.2.b If the payment application allows and/or facilitates the sending of PANs by end-user messaging technologies, examine the PA-DSS Implementation Guide prepared by the vendor, and verify the vendor includes directions for customers and resellers/integrators to use an encryption solution.