What Is PCI Compliance and How Does It Apply to Fax?

Any organization sending or receiving credit card information using fax technology must ensure that it has proper security measures in place to protect against data breaches and ensure PCI compliance.

Introduction

Most companies that work with credit card data have heard of PCI compliance. PCI stands for “Payment Card Industry,” but the acronym has generally come to refer to the Payment Card Industry Data Security Standards (PCI DSS), which are required for any organization that accepts credit or debit card payments. PCI compliance is designed to protect against payment card fraud and data breaches.

In keeping with best practices for data security, PCI compliance requires that credit card information be safeguarded against unauthorized access while it is being transmitted, wherever it may be stored, and when it is disposed of.

The Six Principles of PCI Compliance

The PCI DSS outlines six principles, each of which contains a set of requirements that organizations must meet in order to be PCI compliant. The principles are:

  1. Build and maintain a secure network infrastructure, including firewalls and secure connections.
  2. Protect cardholder data using encryption, access controls, and routine security monitoring.
  3. Maintain a vulnerability management program, identifying and addressing potential weaknesses in the organization's systems and applications through regular scanning and testing.
  4. Implement strong access control measures to ensure that access to cardholder data is limited to authorized personnel, and that proper authentication measures are in place.
  5. Regularly monitor and test networks to detect and prevent security breaches.
  6. Maintain an information security policy to ensure that cardholder data and other sensitive information is safeguarded at all times.

How Does PCI Compliance Apply to Fax?

If an organization is sending or receiving credit card data using fax technology, it's important that these principles of PCI compliance be rigorously observed. That means securing data while it is “in transit,” while it is “at rest,” and upon disposal.

If you're familiar with HIPAA's Security Rule, GLBA requirements, or other privacy regulations, these principles might sound familiar. After all, these are best practices that apply to information security generally, and which the best providers of secure cloud fax services will follow religiously.

  1. Data must be secured and encrypted during transmission: If an organization needs to transmit credit card information via fax, it must ensure that the transmission is secured using TLS encryption to protect against unauthorized interception and access.
  2. Stored data must also be secured and encrypted: If an organization needs to store credit card information received via fax, it must ensure that it is stored securely and in accordance with PCI DSS guidelines to prevent unauthorized access. That means using industry-standard AES 256-bit encryption to guarantee privacy and prevent disclosure. It also means storing data in secure, access-controlled data centers with biometric scanners, 24x7 surveillance, and server cages to limit physical access. Your cloud fax service provider should have policies and procedures in place that reflect a “security first” approach to operations.
  3. Data must be securely deleted or disposed of when it is no longer needed: If an organization no longer needs to keep credit card information received via fax, it must ensure that the data is disposed of properly in accordance with PCI DSS guidelines to prevent unauthorized access.

Any organization that sends or receives credit card information using fax technology must ensure that it has proper security measures in place to protect against data breaches and ensure PCI compliance. The best approach is to work with a security-conscious cloud fax service provider like WestFax. To make sure your organization's fax communications are fully PCI compliant, contact us today to learn more.
