Faxing and PCI DSS compliance

From: jw (rx.jeff@yahoo.com)
Date: Thu Jan 24 2008 - 15:15:32 EST

• Next message: Perez, Carlos (Puerto Rico): "RE: VoIP Pen test"
• Previous message: David Howe: "Re: Question re: load balancers as a security device"
• Next in thread: Dennis Opacki: "Re: Faxing and PCI DSS compliance"
• Reply: Dennis Opacki: "Re: Faxing and PCI DSS compliance"
• Reply: rajat swarup: "Re: Faxing and PCI DSS compliance"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Well, let me be more specific. Let's say your company
utilizes another company's service where you can
receive faxes via email in the form of PDF sent to
you.
 
So let's say your customer faxes you full 16 digit cc#
with expiration on their regular fax machine. What is
your company's PCI liability on this as that fax, with
cc info gets to you in the following manner:
 
customer fax cc# --> 3rd party fax service --> to your
company in PDF via email
 
So in essence, should your company be liable for
non-compliance even though this is not something you
can control?
 
j

cwright@bdosyd.com.au wrote:
JW,
Your first problem will stem from having to encrypt
the numbers in transit. The fax to email gateway will
have to sign these emails.

A set of competating controls could be implemented for
this (protected network with firewalls, IDS etc which
could take the place of encrption, but this would be a
significant investment in itself. The PCI-DSS
requirement 3 states "not sending PAN in unencrypted
e-mails". 4.2 also specifically states "4.2 Never send
unencrypted PANs by e-mail".

So as I said, there are possible compensating
controls, but I believe that they are going to be far
more of an investment then encryption.

Next in this case the fax server and email system
would have to be on a firewalled segment and not (as
is common) on the same network as all the users.

With physical faxes, 9.6 applies "Physically secure
all paper and electronic media (including computers,
electronic media, networking and communications
hardware, telecommunication lines, paper receipts,
paper reports, and faxes) that contain cardholder
data."

You would have to have a minimum level of security on
the virtualised process as for paper handling. So this
would cover (as with the above) encryption,
destruction after use etc.

Regards,
Dr Craig Wright (GSE-Compliance)

--- in reply to ---
Speaking of faxes.. how do y'all deal with PCI
compliance with respect to FAX to email/web
applications?

For example, if you have a customer who insists on
faxing full credit card info on their regular fax
machine to a company that is utilizing a service that
converts that fax to PDF and emails it to you?

j

      ____________________________________________________________________________________
Be a better friend, newshound, and
know-it-all with Yahoo! Mobile. Try it now. http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------

• Next message: Perez, Carlos (Puerto Rico): "RE: VoIP Pen test"
• Previous message: David Howe: "Re: Question re: load balancers as a security device"
• Next in thread: Dennis Opacki: "Re: Faxing and PCI DSS compliance"
• Reply: Dennis Opacki: "Re: Faxing and PCI DSS compliance"
• Reply: rajat swarup: "Re: Faxing and PCI DSS compliance"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:21 EDT