FAQ #1139 Diff

Can I fax payment card numbers and still be PCI DSS Compliant?

Earlier Version

Any cardholder data that is stored, processed, or transmitted must be protected in accordance with PCI DSS. If faxes or emails are sent or received via modem over a traditional analogue phone line, these are not considered to be traversing a public network. On the other hand, if a fax or email is sent or received via the internet, they are traversing a public network and these transmissions must be encrypted per PCI DSS requirements 4.1 and 4.2. Any systems – such as fax or email servers – that the cardholder data passes through must be secured according to PCI DSS. Also, any cardholder data on the fax or email that is electronically stored must comply with PCI DSS requirement 3.4 to render the cardholder data unreadable.

In addition, requirement 3.2 prohibits storage of sensitive authentication data (magnetic stripe, CAV2, CVC2, CVV2, CID, and PIN block data) after authorization. To ensure that prohibited data is not stored if received on a fax (for faxes and emails, this would only be the CAV2, CVC2, CVV2, or CID values printed on the front or back of payment cards), the data should be blacked-out or removed prior to retaining the fax in paper form, and the original fax transmission (via email, etc.) should be securely deleted from the system in a manner which ensures the data is non-recoverable. Entities should also protect paper documents that contain cardholder data in accordance with PCI DSS Requirements 9.5 through 9.8.

Later Version

Any cardholder data that is stored, processed, or transmitted must be protected in accordance with PCI DSS. If faxes are sent or received via modem over a traditional PSTN phone line, these are not considered to be traversing a public network. On the other hand, if a fax is sent or received via the Internet, it is traversing a public network and must be encrypted per PCI DSS Requirement 4.1. Any systems – such as fax servers or workstations – that the cardholder data passes through must be secured according to PCI DSS. Also, any cardholder data on the fax that is electronically stored must comply with PCI DSS Requirement 3.4 to render the cardholder data unreadable. If the fax system is combined with an email system (for example, via a fax-to-email gateway), the emails would also be subject to Requirement 4.2. (Refer to FAQ #1085 Can unencrypted PANs be sent via e-mail, instant messaging, SMS, or chat?)

In addition, Requirement 3.2 prohibits storage of sensitive authentication data (full track, card verification codes/values and PIN block data) after authorization. If sensitive authentication data is received on a fax (for fax transmissions this would only be the 3- or 4-digit card verification codes/values printed on the front or back of payment cards), the data should be blacked-out or removed prior to retaining the fax in paper form, and the original fax transmission should be securely deleted from the system in a manner which ensures the data is non-recoverable. Entities should also protect paper documents that contain cardholder data in accordance with PCI DSS Requirements 9.5 through 9.8.

(Note: PCI DSS Requirement numbers refer to PCI DSS version 3)

Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.