PCI Compliance

What Is PCI Compliance and How Does It Apply to Fax?

Sending or receiving credit card information using fax technology one must ensure that they have proper security measures in place to protect against data breaches and ensure PCI compliance.

Introduction

PCI compliance is an organization's adherence to the Payment Card Industry Data Security Standard (PCI DSS) — the security requirements any business that accepts, stores, or transmits credit card data must follow to prevent fraud and data breaches. It applies to fax the same way it applies to any other channel: if a fax contains cardholder data, that data must be protected while it's in transit, while it's stored, and when it's disposed of. In practice, that means TLS encryption for transmission, AES-256 encryption for anything kept on file, and documented procedures for disposing of records once they're no longer needed. A fax service that doesn't meet those standards can leave an organization exposed to fines, liability, and reputational damage. Here's what PCI DSS actually requires, and what to look for in a fax provider that takes it seriously.

What Is PCI Compliance?

Most companies that work with credit card data have heard of PCI compliance. PCI stands for “Payment Card Industry,” but the acronym has generally come to refer to the Payment Card Industry Data Security Standards (PCI DSS), which are required for any organization that accepts credit or debit card payments. PCI compliance is designed to protect against payment card fraud and data breaches.

In keeping with best practices for data security, PCI compliance requires that credit card information be safeguarded against unauthorized access while it is being transmitted, wherever it may be stored, and when it is disposed of.

The Six PCI DSS Principles

The PCI DSS outlines six principles, each of which contains a set of requirements that organizations must meet in order to be PCI compliant. The principles are:

  1. Build and maintain a secure network infrastructure, including firewalls and secure connections.
  2. Protect cardholder data using encryption, access controls, and routine security monitoring.
  3. Maintain a vulnerability management program, identifying and addressing potential weaknesses in the organization's systems and applications through regular scanning and testing.
  4. Implement strong access control measures to ensure that access to cardholder data is limited to authorized personnel, and that proper authentication measures are in place.
  5. Regularly monitor and test networks to detect and prevent security breaches.
  6. Maintain an information security policy to ensure that cardholder data and other sensitive information is safeguarded at all times.

Applying PCI Compliance to Fax

If an organization is sending or receiving credit card data using fax technology, it's important that these principles of PCI compliance be rigorously observed. That means security data when it is “in transit,” while it is “at rest,” and upon disposal.

If you're familiar with HIPAA's Security Rule, GLBA requirements, or other privacy regulations, these principles might sound familiar. After all, these are best practices that apply to information security generally, and which the best providers of secure cloud fax services will follow religiously.

  1. Data must be secured and encrypted during transmission: If an organization needs to transmit credit card information via fax, it must ensure that the transmission is secured using TLS encryption to protect against unauthorized interception and access.
  2. Stored data must also be secured and encrypted: If an organization needs to store credit card information received via fax, it must ensure that it is stored securely and in accordance with PCI DSS guidelines to prevent unauthorized access. That means using industry-standard AES 256 bit encryption to guarantee privacy and prevent disclosure. It also means storing data in secure, access controlled data centers with biometric scanners, 24x7 surveillance, and server cages to limit physical access. Your cloud fax service provider should have policies and procedures in place that reflect a “security first” approach to operations.
  3. Data must be securely deleted or disposed of when it is no longer needed: If an organization no longer needs to keep credit card information received via fax, it must ensure that the data is disposed of properly in accordance with PCI DSS guidelines to prevent unauthorized access.

Choosing a PCI-Compliant Fax Provider

Any organization that sends or receives credit card information using fax technology must ensure that they have proper security measures in place to protect against data breaches and ensure PCI compliance. The best approach is to work with a security-conscious cloud fax service provider like WestFax. To make sure your organization's fax communications are fully PCI compliant, contact us today to learn more.

Doug Clayton
Written by

Doug Clayton

Doug writes for WestFax about HIPAA-compliant faxing, healthcare communication, and secure document delivery. WestFax has been a trusted secure cloud fax provider since 1999.