Educause Security Discussion mailing list archives

Re: PCI Question-Credit Cards via Fax

From: "Hudson, Edward" <ewhudson () CSUCHICO EDU>
Date: Fri, 2 Apr 2010 13:26:22 -0700

We accept them via fax. While we are trying to dissuade the practice I don't see it going away too soon. It is a 
cumbersome process to adequately address under PCI.
To be compliant the fax machine should be in a location with limited access as you stated (only those who are 
processing the transaction). Incoming faxes have to be logged including who took possession for processing. You also 
have to log that the transaction was done and the ultimate disposition of the fax itself ie. Stored and for how 
long/shredded etc. You have to have the whole process documented/memorialized and don't forget the requirements around 
the people who are handling the faxes.. (background checks etc)
We have this going on around purchases at our student union and alumni functions as well as occasionally related to 
student fees though not as frequent since they can pay online...

Ed Hudson, CISM
Information Security Office
California State University, Chico
www.csuchico.edu/ires/security<http://www.csuchico.edu/ires/security>
Office: (530) 898-6307
Cell: 707-799-3250
ewhudson () csuchico edu


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of j.price
Sent: Friday, April 02, 2010 11:56 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] PCI Question-Credit Cards via Fax

Does your institution accept credit cards via FAX?

There are a number of security issues involved because a student sends first and last name, address, phone number, 
prior name, credit card number and expiration date.

I have thought of designating one fax machine to receive the faxes, have the fax machine in a locked room with limited 
access.

Any other suggestions besides eliminating the process all together?

Thanks,
Janet


--

Janet Price

Information Technology Services

Maricopa Community Colleges

2419 W 14th St

Tempe Arizona, 85281

(480)731-8730



****IMPORTANT NOTICE****

All email communications with Maricopa Community Colleges employees are a matter of public record and subject to 
publication or release under both the State and Federal regulations as they pertain to their relative Freedom of 
Information Acts.

Current thread:

PCI Question-Credit Cards via Fax j.price (Apr 02)
- <Possible follow-ups>
- Re: PCI Question-Credit Cards via Fax Hudson, Edward (Apr 02)
- Re: PCI Question-Credit Cards via Fax Dave Ferguson (Apr 03)
- Re: PCI Question-Credit Cards via Fax Felecia Vlahos (Apr 05)