Diff: FAQ #1139
Can I fax payment card numbers and still be PCI DSS Compliant?
Earlier Version (2014-05-28 00:00:00 UTC)

Any cardholder data that is stored, processed, or transmitted must be protected in accordance with PCI DSS. If faxes or emails are sent or received via modem over a traditional analogue phone line, these are not considered to be traversing a public network. On the other hand, if a fax or email is sent or received via the internet, they are traversing a public network and these transmissions must be encrypted per PCI DSS requirements 4.1 and 4.2. Any systems – such as fax or email servers – that the cardholder data passes through must be secured according to PCI DSS. Also, any cardholder data on the fax or email that is electronically stored must comply with PCI DSS requirement 3.4 to render the cardholder data unreadable.

In addition, requirement 3.2 prohibits storage of sensitive authentication data (magnetic stripe, CAV2, CVC2, CVV2, CID and PIN block data) after authorization. To ensure that prohibited data is not stored if sensitive authentication data is received on a fax (for faxes and emails, this would only be the CAV2, CVC2, CVV2, or CID 3- or 4- digit codes printed on the front or back of payment cards), the data should be blacked-out or removed prior to retaining the fax in paper form, and the original fax transmission (via email, etc.) should be securely deleted from the system in a manner which ensures the data is non-recoverable.

Later Version (2014-08-21 17:35:00 UTC)

Any cardholder data that is stored, processed, or transmitted must be protected in accordance with PCI DSS. If faxes are sent or received via modem over a traditional PSTN phone line, these are not considered to be traversing a public network. On the other hand, if a fax is sent or received via the Internet, it is traversing a public network and these transmissions must be encrypted per PCI DSS Requirement 4.1. Any systems – such as fax servers or workstations – that the cardholder data passes through must be secured according to PCI DSS. Also, any cardholder data on the fax that is electronically stored must comply with PCI DSS Requirement 3.4 to render the cardholder data unreadable. If the fax system is combined with an email system (for example, via a fax-to-email gateway), the emails would also be subject to Requirement 4.2. (Refer to FAQ #1085: Can unencrypted PANs be sent over e-mail, instant messaging, SMS, or chat?)

In addition, Requirement 3.2 prohibits storage after authorization of sensitive authentication data (full track, card verification codes/values and PIN block data). If sensitive authentication data is received on a fax (for fax transmissions this would only be the 3- or 4- digit card verification codes/values printed on the front or back of payment cards), the data should be blacked-out or removed prior to retaining the fax in paper form, and the original fax transmission (via email, etc.) should be securely deleted from the system in a manner which ensures the data is non-recoverable. Entities should also protect paper documents that contain cardholder data in accordance with PCI DSS Requirements 9.5 through 9.8.

(Note: PCI DSS Requirement numbers refer to PCI DSS version 3)
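As an added example (not part of the FAQ or any PCI SSC material), one way the retention step of a fax-to-email gateway could apply the guidance above: Luhn-valid PANs in the OCR'd fax text are truncated (one of the methods Requirement 3.4 accepts) and card verification values are removed before anything is stored. The gateway, the label patterns and the sample fax text are assumptions constructed for this example.

```python
import re

# Constructed sample of OCR text from a fax received via a hypothetical fax-to-email gateway.
SAMPLE_FAX_TEXT = """Order form
Card number: 4111 1111 1111 1111
Expiry: 12/26
CVV2: 123
Ship to: 221 Example Street"""

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Card verification codes/values (the sensitive authentication data a fax can carry); labels are assumed.
CVV_RE = re.compile(r"(?i)\b(CAV2|CVC2|CVV2|CID|CVV)\b\s*[:#]?\s*\d{3,4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check so that order numbers and phone numbers are not mangled as PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(match: re.Match) -> str:
    """Keep first six and last four digits only; everything else is replaced."""
    raw = match.group(0)
    digits = re.sub(r"\D", "", raw)
    if not luhn_ok(digits):
        return raw  # not a card number, leave the text untouched
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_fax_text(text: str) -> str:
    """Remove card verification values, then truncate PANs, before the text is retained."""
    text = CVV_RE.sub(lambda m: m.group(1) + ": [removed]", text)
    return PAN_RE.sub(truncate_pan, text)
```

The original message still has to be securely deleted after this step; redacting the retained copy does not by itself satisfy the non-recoverability point in the FAQ.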