Re: PCI Question-Credit Cards via Fax

[Dave Ferguson <gmdavef () GMAIL COM>]

FWIW... I am a QSA, and personally speaking, I am not a fan of faxing my
credit card information to anyone.  However, to pay for my annual
re-qualification training, I did just that... per instructions on the PCI
SSC's invoice.

Dave

On Fri, Apr 2, 2010 at 3:26 PM, Hudson, Edward <ewhudson () csuchico edu>wrote:

>  We accept them via fax. While we are trying to dissuade the practice I
> don’t see it going away too soon. It is a cumbersome process to adequately
> address under PCI.
>
> To be compliant the fax machine should be in a location with limited access
> as you stated (only those who are processing the transaction). Incoming
> faxes have to be logged including who took possession for processing. You
> also have to log that the transaction was done and the ultimate disposition
> of the fax itself ie. Stored and for how long/shredded etc. You have to have
> the whole process documented/memorialized and don’t forget the requirements
> around the people who are handling the faxes.. (background checks etc)
>
> We have this going on around purchases at our student union and alumni
> functions as well as occasionally related to student fees though not as
> frequent since they can pay online…
>
>
>
> Ed Hudson, CISM
> Information Security Office
> California State University, Chico
> www.csuchico.edu/ires/security
> Office: (530) 898-6307
> Cell: 707-799-3250
> ewhudson () csuchico edu
>
>
>
>
>
> *From:* The EDUCAUSE Security Constituent Group Listserv [mailto:
> SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *j.price
> *Sent:* Friday, April 02, 2010 11:56 AM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* [SECURITY] PCI Question-Credit Cards via Fax
>
>
>
> Does your institution accept credit cards via FAX?
>
> There are a number of security issues involved because a student sends
> first and last name, address, phone number, prior name, credit card number
> and expiration date.
>
> I have thought of designating one fax machine to receive the faxes, have
> the fax machine in a locked room with limited access.
>
> Any other suggestions besides eliminating the process all together?
>
> Thanks,
> Janet
>
>  --
>
> Janet Price
>
> Information Technology Services
>
> Maricopa Community Colleges
>
> 2419 W 14th St
>
> Tempe Arizona, 85281
>
> (480)731-8730
>
>
>
> ****IMPORTANT NOTICE****
>
> All email communications with Maricopa Community Colleges employees are a matter of public record and subject to 
> publication or release under both the State and Federal regulations as they pertain to their relative Freedom of 
> Information Acts.