Educause Security Discussion mailing list archives
Re: PCI Question-Credit Cards via Fax
From: "Hudson, Edward" <ewhudson () CSUCHICO EDU>
Date: Fri, 2 Apr 2010 13:26:22 -0700
We accept them via fax. While we are trying to dissuade the practice, I don't see it going away too soon. It is a cumbersome process to adequately address under PCI.

To be compliant, the fax machine should be in a location with limited access, as you stated (only those who are processing the transaction). Incoming faxes have to be logged, including who took possession for processing. You also have to log that the transaction was done and the ultimate disposition of the fax itself, i.e. stored and for how long/shredded, etc. You have to have the whole process documented/memorialized, and don't forget the requirements around the people who are handling the faxes (background checks, etc.).

We have this going on around purchases at our student union and alumni functions, as well as occasionally related to student fees, though not as frequently since they can pay online...

Ed Hudson, CISM
Information Security Office
California State University, Chico
www.csuchico.edu/ires/security
Office: (530) 898-6307
Cell: 707-799-3250
ewhudson () csuchico edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of j.price
Sent: Friday, April 02, 2010 11:56 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] PCI Question-Credit Cards via Fax

Does your institution accept credit cards via FAX? There are a number of security issues involved because a student sends first and last name, address, phone number, prior name, credit card number and expiration date. I have thought of designating one fax machine to receive the faxes, have the fax machine in a locked room with limited access. Any other suggestions besides eliminating the process altogether?

Thanks,
Janet

--
Janet Price
Information Technology Services
Maricopa Community Colleges
2419 W 14th St
Tempe Arizona, 85281
(480)731-8730

****IMPORTANT NOTICE**** All email communications with Maricopa Community Colleges employees are a matter of public record and subject to publication or release under both the State and Federal regulations as they pertain to their relative Freedom of Information Acts.