Network Security Pen-Test

Faxing and PCI DSS compliance

Subject: Faxing and PCI DSS compliance
Date: 20 Nov 2007 23:01:11 -0000
JW,
Your first problem will stem from having to encrypt the numbers in transit. The 
fax to email gateway will have to sign these emails.

A set of compensating controls could be implemented for this (protected network 
with firewalls, IDS etc.) which could take the place of encryption, but this would 
be a significant investment in itself. The PCI-DSS requirement 3 states "not 
sending PAN in unencrypted e-mails". 4.2 also specifically states "4.2 Never 
send unencrypted PANs by e-mail".

So as I said, there are possible compensating controls, but I believe that they 
are going to be far more of an investment than encryption.

Next in this case the fax server and email system would have to be on a 
firewalled segment and not (as is common) on the same network as all the users. 

With physical faxes, 9.6 applies "Physically secure all paper and electronic 
media (including computers, electronic media, networking and communications 
hardware, telecommunication lines, paper receipts, paper reports, and faxes) 
that contain cardholder data." 

You would have to have a minimum level of security on the virtualised process 
as for paper handling. So this would cover (as with the above) encryption, 
destruction after use etc.

Regards,
Dr Craig Wright (GSE-Compliance)

--- in reply to ---
Speaking of faxes.. how do y'all deal with PCI compliance with respect to FAX 
to email/web applications?
 
For example, if you have a customer who insists on faxing full credit card info 
on their regular fax machine to a company that is utilizing a service that 
converts that fax to PDF and emails it to you?
 
j
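The practical check behind the "never send unencrypted PANs by e-mail" point above is to have the fax-to-email gateway inspect the text it is about to mail. The following is an added example, not code from the original post or from any fax gateway product: it finds candidate card numbers in a message body, validates them with the Luhn checksum to weed out order and phone numbers, and either blocks the send or masks each PAN down to the first six and last four digits. The function names, the sample fax text and the card numbers (well-known test numbers, not real accounts) are all constructed for the example.

```python
"""Added example (not part of the original post): gateway-side PAN check for
fax-to-email traffic.  Finds card numbers in text, validates them with Luhn,
and blocks or masks them before the message is handed to the mail system.
Sample text and card numbers below are constructed test data."""
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not glued to other digits on either side.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def _digits_of(match_text):
    """Strip the permitted separators from a candidate match."""
    return re.sub(r"[ -]", "", match_text)


def find_pans(text):
    """Return the PANs (digits only) in text that pass the Luhn check."""
    found = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = _digits_of(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask_pan(digits):
    """Keep only the first six and last four digits (PCI DSS masking limit)."""
    return digits[:6] + "X" * (len(digits) - 10) + digits[-4:]


def mask_text(text):
    """Replace every Luhn-valid PAN in text with its masked form."""
    def repl(m):
        digits = _digits_of(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return mask_pan(digits)
        return m.group(0)       # not a card number: leave it alone
    return _PAN_CANDIDATE.sub(repl, text)


def gateway_decision(text):
    """Decide what the gateway may mail unencrypted.

    Returns (allowed, body): allowed is False when a PAN is present and the
    body must instead go by an encrypted channel; body is the masked text that
    could be sent as a notification in its place.
    """
    pans = find_pans(text)
    return (len(pans) == 0, mask_text(text))


# Constructed sample of OCR'd fax text: an order number, a Visa test number,
# and a fax number, none of which are real data.
SAMPLE_FAX_TEXT = (
    "Order 20071120-0001\n"
    "Card: 4111 1111 1111 1111 exp 11/09\n"
    "Fax: 555-0100\n"
)

if __name__ == "__main__":
    allowed, body = gateway_decision(SAMPLE_FAX_TEXT)
    print("send unencrypted:", allowed)
    print(body)
```

The Luhn check removes most false positives, but roughly one in ten random 16-digit strings still passes it, so a long order or account number can be flagged; treating a flagged message as "hold and send encrypted" rather than "delete" keeps that cost acceptable. The masked form is safe to mail as a notification because the first six and last four digits are the most PCI DSS permits to be displayed.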

