Penetration Testing mailing list archives
Re: Faxing and PCI DSS compliance
From: "rajat swarup" <rajats () gmail com>
Date: Sat, 26 Jan 2008 23:56:12 -0500
On Jan 24, 2008 3:15 PM, jw <rx.jeff () yahoo com> wrote:
Well, let me be more specific. Let's say your company utilizes another company's service where you can receive faxes via email in the form of PDF sent to you. So let's say your customer faxes you full 16 digit cc# with expiration on their regular fax machine. What is your company's PCI liability on this as that fax, with cc info gets to you in the following manner: customer fax cc# --> 3rd party fax service --> to your company in PDF via email So in essence, should your company be liable for non-compliance even though this is not something you can control?
The requirement 3 is about "sending" PAN and not about receiving. Your responsibility would be to abide by all PCI requirements unless you destroy the e-mails according to the PCI DSS requirements (i.e., military wiping stuff).
cwright () bdosyd com au wrote: JW, Your first problem will stem from having to encrypt the numbers in transit. The fax to email gateway will have to sign these emails. A set of competating controls could be implemented for this (protected network with firewalls, IDS etc which could take the place of encrption, but this would be a significant investment in itself. The PCI-DSS requirement 3 states "not sending PAN in unencrypted e-mails". 4.2 also specifically states "4.2 Never send unencrypted PANs by e-mail". So as I said, there are possible compensating controls, but I believe that they are going to be far more of an investment then encryption. Next in this case the fax server and email system would have to be on a firewalled segment and not (as is common) on the same network as all the users. With physical faxes, 9.6 applies "Physically secure all paper and electronic media (including computers, electronic media, networking and communications hardware, telecommunication lines, paper receipts, paper reports, and faxes) that contain cardholder data." You would have to have a minimum level of security on the virtualised process as for paper handling. So this would cover (as with the above) encryption, destruction after use etc.
These things are required if at all you store the CC data. You cannot control the actions of others who decide to send you their CC numbers. Your responsibility is to handle the data responsibility. Hope it helps, Rajat. -- Rajat Swarup http://rajatswarup.blogspot.com/ ------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
Current thread:
- Re: Faxing and PCI DSS compliance Nervous (Jan 23)
- <Possible follow-ups>
- Faxing and PCI DSS compliance jw (Jan 25)
- Re: Faxing and PCI DSS compliance Dennis Opacki (Jan 28)
- Re: Faxing and PCI DSS compliance rajat swarup (Jan 28)
- Re: Faxing and PCI DSS compliance David M. Zendzian (Jan 28)