Virtual Fax

PCI Compliant Fax – what does it mean?

PCI Compliant Fax – what does it mean?

Virtual Fax provides numerous security benefits for businesses, but many sectors require additional measures to ensure that data is sent and received without risk for breaches. In fact, all companies that process and handle payment data are required to comply with PCI-DSS (Payment Card Industry Data Security Standard), a standard created by the biggest card issuers to keep cardholder data protected from malicious practices. Today, we will explain exactly what a PCI Compliant Fax means for businesses.

Protecting payment data

Cloud-based fax is by default one of the safest methods to send and receive sensitive documents between parties. In fact, the authenticity of sending fax is hardly ever questioned – and some solutions like eComFax go even further by certifying documents with Proof of Delivery for additional security.

However, credit card data cannot be treated like an ordinary text. Since the majority of data breaches happen because cardholder information was compromised, it is extremely important to take additional measures to prevent the leakage of sensitive data that could cost companies millions of dollars.

PCI-DSS Compliance – what is it, and who is affected?

The Payment Card Industry Data Security Standard, or commonly known as PCI-DSS, is a set of requirements created collaboratively by VISA, Mastercard, American Express, Discover, and JCB with the purpose of establishing security practices for handling credit card data.

As of February this year, the PCI standard will be obligatory for all companies that process and handle credit card data, including (but not limited to) call centers, e-commerce businesses, startups, travel agencies and hotels.

In fact, PCI-DSS affects all practices that require operations with payment information, even if no payment is involved at the moment of collecting the data. For example, hotels that make a copy or write down your credit card details on a piece of paper need to be compliant as well. Otherwise, they face possible penalties for non-compliance with the standards, especially if bad practices lead to a breach.

PCI Compliant Fax – how are fax services affected by PCI-DSS?

As we already mentioned, every time that payment data is involved for processing an operation, PCI requirements need to be met. This applies to fax as well – whether we talk about cloud-based or on-premise.

On-premise fax

There are some challenges with making on-premise fax compliant with PCI-DSS. On one hand, it often implies that documents are shared between parties in an open space, which makes unauthorized access easier. On another hand, physical infrastructures either aren’t able to keep up with dynamic changes easily, or they require additional efforts that take up extra time and resources.

For businesses operating in industries like healthcare, finance, and other markets that are governed by strict security regulations, on-premise fax usually places compliance responsibilities to their internal IT departments. This usually implies higher security risks as internal IT teams usually don’t have the necessary expertise for PCI compliance. Additionally, encryption is significantly more difficult with on-premise fax services.

Cloud-based fax

As opposed to on-premise, cloud-based fax services are usually provided by Virtual Fax vendors that not only are PCI Compliant, but are also capable of adapting immediately to new changes.

Because cloud infrastructures can be updated much more easily than on-premise systems, vendors of PCI Compliant Fax like eComFax can always upgrade their services to the newest versions of PCI-DSS without significant expenses. This automatically makes it easier for companies that use cloud-based fax services to comply with the standard without spending money on upgrading their infrastructure.

How do Virtual Fax vendors comply with PCI?

PCI-DSS compliance requirements cover the following technical and operational system components:

Build and Maintain a Secure Network1. Install and maintain a firewall configuration to protect cardholder data.   2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data3. Protect stored cardholder data   4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program5. Use and regularly update anti-virus software or programs   6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures7. Restrict access to cardholder data by business need-to-know   8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks10. Track and monitor all access to cardholder data   11. Regularly test security systems and processes
Maintain an Information Security Policy12. Maintain a policy that addresses information security for employees and contractors


Of course, different companies undertake different approaches in order to achieve PCI-DSS compliance, but generally speaking, a PCI Compliant Fax:

  • Uses AES 256-bit and SQL database encryption technologies;
  • Is protected with strict Password controls;
  • Allows for Logging reviews;
  • Is capable of detecting code changes;
  • Uses SSL/TLS encryption for web traffic;

Additionally, data is stored in secure data centers with highly restricted control to prevent unauthorized access.

If my provider is PCI compliant, do I have to be compliant as well?

Even if you are using an already PCI Compliant Fax, it is your responsibility to ensure that you are handling credit card data safely across all departments, activities, operations, and services. After all, Virtual Fax is only one of the many services that will need to be protected against data breaches.

Therefore, it is your duty to ensure that all your vendors, service providers and partners that have access to the credit card data of your customers are also compliant.

See more about eComfax here.

September 29, 2020

Author: José Luis Pérez