How much does PCI compliance matter for fax users?

What is PCI DSS Compliance? 

The Payment Card Industry Data Security Standard (often simply referred to as PCI DSS) has been around since 2006. The goal of the standard is simple: to protect credit card information. If you handle credit card information in any way, you could be exposing your business to significant risk if you aren’t in compliance with the standard. In this article we will cover some of the basics but if you are looking for the finer detail, you should spend some time on the PCI’s web site.

Who is the PCI? 

The Payment Card Industry Security Standards Council (PCI SSC) is an organization which represents the primary credit card processing companies: Visa, MasterCard, American Express, Discover and JCB. The organization is not owned or managed by any of the credit card firms, rather it’s operated by a third party on their behalf.

Why should I care about the PCI DSS standard?

Firstly, it’s important to note that the PCI SSC is not a government organization (see above) and there are no government laws mandating that you comply with the PCI DSS standard. Enforcement of PCI Compliance is carried out through fines issued by your credit card company. The size of the fine varies based on the level of non-compliance but generally ranges from $5,000-$100,000 per month.

As we said, the PCI does not fine you directly. Instead your credit company fines your bank who in turn passes the fine on to you. This is much like the contract you have with a car rental company – their car might get the initial ticket but the ticket is immediately passed on to you. The only way out of paying those fines is to sue the credit card company – assuming you have legitimate grounds.

Where the government does play a role is when it comes to credit card data breaches (think Home Depot, Target, Sony, the list goes on). Today, most US states have credit card breach notice requirements. This means that if the credit card data you handle becomes compromised, you are on the hook to notify your customers. The requirements differ from state to state but states like California and Illinois (and six or so others) are embarking on a “second generation” set of requirements for breach notifications designed to clearly inform customers about what has happened to their beloved plastic. Home Depot and Target may be able to weather the fall out from these kinds of breaches but many other businesses cannot.

Is every business subject to PCI Compliance?

You are subject to PCI compliance whether you accept credit cards online, over the counter, over the phone, via fax or using 256-bit encrypted carrier pigeons. The standard also applies even if you utilize a third party for some or all of the transaction process.

Which types of faxing are subject to PCI Compliance?

In short, all of them but here’s a quick breakdown:

Fax Machines
Many might argue that analog fax machines are not subject to the same vulnerabilities as digital faxing. Fax machines are however, subject to PCI compliance regarding restricting physical access to cardholder data. This means anything your fax machine(s) prints which contains cardholder data.

In-house (on-premise) fax software
This includes fax servers, fax appliances and desktop fax software. Each of these fax methods are subject to PCI Compliance if they are attached to your network (which in all but a few cases they will be).

Fax Services
Fax Services are also subject to PCI compliance but with one notable difference – the service will not be directly subject to a vulnerability test. Instead, you will be required to provide the assessor with a copy of the fax service provider’s own PCI Compliance. If you haven’t checked to confirm that your provider is PCI compliant, now is the time to do so.

How does my business comply with the standard?

Currently there are four “Merchant Levels”. Your Merchant level is primarily based on the number of Visa transactions you process each year. Level 1 is the highest level and applies to those processing more than 20 million Visa transactions per year. Level 4 is the lowest and applies to business processing less than 20,000 ecommerce (online) transactions or 1 million non-ecommerce transactions. Debit cards are also included in the number of transactions.

Your level dictates your compliance requirements. All levels require the completion of a self-assessment questionnaire and an “Attestation of Compliance” which is much like an audit report completed by a third party. You may well also have to pass a “Vulnerability Scan” every 90 days. The scan has to be carried out by an approved PCI scanning provider and tests your network for vulnerabilities which may make you susceptible to breaches.

Do third party providers we use need to be compliant in order for our business to be compliant?

The answer is yes if the third party service provider/partner:

1. Accepts credit card payments for you.
2. Stores your customers’ credit card data.
3. Transmits credit card information for you.
4. Handles any part of the transaction (e.g. taking credit card information from you and passing it to the bank for processing).

Summary

Today, PCI Compliance is simply part of the cost of doing business involving credit card transactions. As a business, you are not only required to ensure that your own operations are in compliance, you are responsible for ensuring that your vendors, service providers and partners who touch your customers’ credit card information are also in compliance.