FAQ #1139 Published

Can I fax payment card numbers and still be PCI DSS Compliant?

Any cardholder data that is stored, processed, or transmitted must be protected in accordance with PCI DSS. If faxes or emails are sent or received via modem over a traditional analogue phone line, these are not considered to be traversing a public network. On the other hand, if a fax or email is sent or received via the internet, they are traversing a public network and these transmissions must be encrypted per PCI DSS requirements 4.1 and 4.2. Any systems, such as fax or email servers, that the cardholder data passes through must be secured according to PCI DSS. Also, any cardholder data on the fax or email that is electronically stored must comply with PCI DSS requirement 3.4 to render the cardholder data unreadable.

In addition, requirement 3.2 prohibits storage after authorization of sensitive authentication data (magnetic stripe, CAV2, CVC2, CVV2, CID and PIN block data). To ensure that prohibited data is not stored if received on a fax (for faxes and emails, this would only be the CAV2, CVC2, CVV2, or CID values printed on the front or back of payment cards), the data should be blacked out or removed before the fax is retained in paper form, and the original electronic transmission (via email, etc.) should be securely deleted from the system in a manner that ensures the data is non-recoverable.

Entities should also protect paper documents that contain cardholder data in accordance with PCI DSS Requirements 9.6 through 9.10.