From: Dennis Opacki (dopacki@adotout.com)
Date: Fri Jan 25 2008 - 15:04:48 EST
I would say that if this is a standard business process for your
organization, you might have a problem. As Craig pointed out, I
could see a QSA arguing that the requirement to encrypt data across
public networks might come into play in this situation. Perhaps
compensating controls could be found to make it more painful for
someone to intercept the faxes in bulk and programmatically extract
the account numbers? Maybe its overkill, but what comes to mind is a
modification to the fax order form that leaves the CC# section human-
readable while thwarting character recognition software.
-Dennis
On Jan 24, 2008, at 12:15 PM, jw wrote:
> Well, let me be more specific. Let's say your company
> utilizes another company's service where you can
> receive faxes via email in the form of PDF sent to
> you.
>
> So let's say your customer faxes you full 16 digit cc#
> with expiration on their regular fax machine. What is
> your company's PCI liability on this as that fax, with
> cc info gets to you in the following manner:
>
> customer fax cc# --> 3rd party fax service --> to your
> company in PDF via email
>
> So in essence, should your company be liable for
> non-compliance even though this is not something you
> can control?
>
> j
>
> cwright@bdosyd.com.au wrote:
> JW,
> Your first problem will stem from having to encrypt
> the numbers in transit. The fax to email gateway will
> have to sign these emails.
>
> A set of competating controls could be implemented for
> this (protected network with firewalls, IDS etc which
> could take the place of encrption, but this would be a
> significant investment in itself. The PCI-DSS
> requirement 3 states "not sending PAN in unencrypted
> e-mails". 4.2 also specifically states "4.2 Never send
> unencrypted PANs by e-mail".
>
> So as I said, there are possible compensating
> controls, but I believe that they are going to be far
> more of an investment then encryption.
>
> Next in this case the fax server and email system
> would have to be on a firewalled segment and not (as
> is common) on the same network as all the users.
>
> With physical faxes, 9.6 applies "Physically secure
> all paper and electronic media (including computers,
> electronic media, networking and communications
> hardware, telecommunication lines, paper receipts,
> paper reports, and faxes) that contain cardholder
> data."
>
> You would have to have a minimum level of security on
> the virtualised process as for paper handling. So this
> would cover (as with the above) encryption,
> destruction after use etc.
>
> Regards,
> Dr Craig Wright (GSE-Compliance)
>
> --- in reply to ---
> Speaking of faxes.. how do y'all deal with PCI
> compliance with respect to FAX to email/web
> applications?
>
> For example, if you have a customer who insists on
> faxing full credit card info on their regular fax
> machine to a company that is utilizing a service that
> converts that fax to PDF and emails it to you?
>
> j
>
>
>
>
> ______________________________________________________________________
> ______________
> Be a better friend, newshound, and
> know-it-all with Yahoo! Mobile. Try it now. http://
> mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ
>
>
> ----------------------------------------------------------------------
> --
> This list is sponsored by: Cenzic
>
> Need to secure your web apps NOW?
> Cenzic finds more, "real" vulnerabilities fast.
> Click to try it, buy it or download a solution FREE today!
>
> http://www.cenzic.com/downloads
> ----------------------------------------------------------------------
> --
>
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:22 EDT