Assessing a Fax Service Provider: Part Seven

PCI DSS Compliance

Credit card transactions and processing are extremely vulnerable to fraud, especially with the expansion of digital technology and internet commerce. The PCI DSS security standard was established in 2006 for credit card transactions by the five largest companies that issue credit cards. It applies to anyone handling, interacting with, or storing card payment data. At a basic level, the standard requires continual vulnerability assessments, efforts to eliminate system weaknesses, and regular compliance audit reporting. These standards must also be incorporated in the design and development of any systems or devices used for these transactions in any way. If PCI DSS applies to you, you need to ensure any internet fax service provider is also compliant. Here are some best practices for assessing PCI DSS compliance:

• Assess the scope of PCI DSS Compliance – Your fax service and data center providers must both be compliant. As a circuit for data transmission only, your telecom provider does not need compliance verification.
• Validate compliance validity – PCI DSS certification occurs on an annual basis, with quarterly tests. Be certain all documentation is available and up-to-date.
• Examine your potential provider’s history – Request information from a vendor about any breaches, audits, or related issues that have occurred in the past.

SOC 2 Compliance

Service organizations are ubiquitous in the business world, with many companies now dependent on technology, cloud-computing, and SaaS service providers. System and Organization Controls 2 (SOC 2) compliance applies to service organization for the protection and privacy of data. The goal of SOC 2 compliance is to avoid situations where the data sent to service organizations is misused, whether deliberately or by accident. Here are best practices for ensuring SOC 2 compliance in potential cloud fax providers:

• Assess the scope of SOC 2 compliance – SOC 2 applies to your data center as well as your potential electronic fax service provider. Be certain that both are certified for compliance with SOC 2 standards.
• Check compliance certificates – SOC 2 Compliance is certified on an annual basis through an SSAE-16 SOC 2 Type II Audit. Make sure all documentation, including a certificate and report, is available and up-to-date.

FedRAMP Compliance

FedRAMP authorizes cloud-based programs as vendors to link to the federal IT infrastructure for government projects. After being authorized as a vendor, organizations become widely eligible, with their information stored in a government database for use as needed. This program sets uniform standards for security controls and uses a third-party evaluator to assess and monitor ongoing compliance. Authorization is valid for three years, after which it must be renewed. Current FedRAMP requirements make it difficult for cloud service providers to qualify, including internet fax service vendors. Government organizations restricted to FedRAMP authorizations have three options:

• A physical fax solution built on the premises – this solution would include expensive fax server and telephony infrastructure and costs
• Waiver — Apply for a waiver to allow non FedRAMP compliance in a cloud fax service. There is no guarantee that this would be granted.
• Non-action — Choose not to change the fax system already in place.

Compliance is a serious matter for anyone considering a move to a new cloud fax provider. Depending on the industry involved, you need to ensure that your potential vendor is compliant and certified to all applicable standards. PCI DSS, SOC 2 and FedRAMP compliance standards have been established to protect data in a business and operational environment that is increasingly dependent on technology. Ensuring compliance with these standards and others, as required, is the best way to protect your customers and yourself from those looking to take advantage of lax security measures.