Questions? Contact Us


Latest News

Featured News & Events

PCI Compliance and Receiving Credit Card Payments by Fax

The low cost of web and email based fax delivery services may seem like a good way to save your business money but not if you receive credit card payments by fax. This would fall under the Payment Card Industry standard section 4 that requires transmission of cardholder data across open-public networks to be encrypted and section 12 for contracts that require partners or service providers who handle card data for your company be PCI compliant and accept all PCI security requirements. You will not find an affordable PCI compliant solution without using your own dedicated fax machine.

Many on-line fax services send received faxes by unencrypted email with cleartext (TIFF/JPG or PDF) attachments which are not PCI compliant. One reason for this is PCI clearly states that credit card numbers are not to be emailed in clear-text, they must be encrypted. A fax converted to PDF & emailed is not encrypted and if done that way then both the service provider and the receiver are non-compliant.  During an audit you can't say you didn't know, you signed up for the service knowing you were going to receive card numbers.

So, how do you receive credit card payments by fax? The first step is get a phone line w/a $50 fax machine from your local office supplier and come up with a security policy for how to secure the fax machine and incoming faxes. This is cheaper and easier to deal with than trying to make some digital systems PCI compliant. The fax needs to be classified as confidential and handled how your data retention policy dictates, assuming your retention policy is PCI compliant. An example would be a secured fax machine in accounting or other area set aside for receiving secure faxes. Additionally faxes containing credit card numbers need to be stored or archived properly and when disposed of, it needs to again follow your data retention policy and be securely destroyed (cross cut / incinerate, whatever:).

If your company is receiving card data on behalf of your customers, you are liable for all the paths it takes to get to you. Claiming you didn't know or that it's out of your hands is not enough when there are secure solutions. Don't use a fax service unless they can send encrypted emails and securely purge the fax data when sent; otherwise get a real fax machine & secure it and instruct those who have access what it may contain and how to handle it appropriately, and yes training for your employees is a PCI requirement.

In the end, you will find a phone line with $50 fax from your local office supplier is cheaper and easier to deal with than trying to make some digital systems PCI compliant.
PCI Data Security Standard version 1.2 now active.
DSBL is Gone

Related Posts


Tag Cloud

Presentation physical security mail server Domani Names credit card intrusion detection computer security Health Care Cybersecurity Information Technology protect data arduino exchange follow.The HIPAA Privacy Rule HIPAA Solutions bash physical IT Solutions healthcare solutions Linux spoofing OSSEC Payment Card Industry TiaraCon SSL dss dsbl Charleston ipad health care providers Continuous Monitoring Alarm cyber protection Car Hacking vyatta router firewall filter security PCI HIPAA National Cyber Security Awareness Month amazon ec2 BSides phishing Healthcare Records business community Cloud Computing Ubuntu passwords PCI DSS 3.2 motivation Assigned Names Small Business vulnerability scanning safe computing Online Business shared server cli change business cyber security shared hosting VPS Servers PCI Audit cloud eCommerce shared folders cybersecurity assesment employee training backup solutions Vulnerability Cybersecurity Business Solutions data breach recovering data eCommerce Solutions HIPAA lamp smartphone search Email hosting control panel security circles HIDS businesses computer networks DRP computing in the cloud personal information embedded password openssl Hackers PCI Hosting social engineering Sysadmin IT solutions Scalable Redundant Cloud Infrastructure logical security compliance Internet infrastructure Server Mangement kerio Reports management cyber liability insurance Compliance education spf business solutions Hosting email accounts Medical Solutions Credit Cards cloud infrastructure cyber monitoring DEF CON Web Hosting iphone Zendzian InterWorx Business Planning permissions Cybersecurity credit card payment HIPAA solutions phishing attacks data privacy HIPPA Business Solutions PCI Solutions INFOSEC IT security cyber Disaster Recovery Plan Internet Positive Customer Impact activesync Geekend trends Medical Records log files shared secure hosting Accountability Act PCI Compliance PCI anti virus PCI Data Security Standards Announcement apache black friday members area Xen Interworx-CP PCI compliance support QSA windows 7 credit cards stolen caller-id infrastructure Control Panel ICANN Internet Corporation video cell phone email Health Insurance Portability qsa data protection command line security ZZ Servers Co-Founder cyber monday Security ZZ Servers TLS teensy pci complliant hosting vps network World Backup Day malicious software Firetalk IT David Zendzian compliant hosting Las Vegas spam Shmoocon information technology blackberry Debian GDPR IT services Home Depot Breach PCI Service Provider sender policy IT Services CentOs Windows small business business solitions multi-factor authentication Credit Card Security two factor authentication