Penetration Testing mailing list archives

Re: Faxing and PCI DSS compliance
From: Nervous <roberteric () hotmail com>
Date: Wed, 23 Jan 2008 10:45:30 -0800 (PST)


Hello all,

I'm facing the same problem here. The company wants to keep using the fax
even if the card numbers are in clear on the fax. The faxes are sent to a
Public Folder in Exchange where there are only 12 people who have the proper
access. Since there is no way to secure more than that, would it still be PCI
compliant?

Will moving the content of the Public Folder to a secured shared folder on
the fax machine and putting that machine in a secure segment of the network be
enough?

Thanks,
ER 

cwright-2 wrote:

JW,

Your first problem will stem from having to encrypt the numbers in
transit. The fax to email gateway will have to sign these emails.



A set of compensating controls could be implemented for this (protected
network with firewalls, IDS etc.) which could take the place of encryption,
but this would be a significant investment in itself. The PCI-DSS
requirement 3 states "not sending PAN in unencrypted e-mails". 4.2 also
specifically states "4.2 Never send unencrypted PANs by e-mail".



So as I said, there are possible compensating controls, but I believe that
they are going to be far more of an investment than encryption.



Next in this case the fax server and email system would have to be on a
firewalled segment and not (as is common) on the same network as all the
users. 



With physical faxes, 9.6 applies "Physically secure all paper and
electronic media (including computers, electronic media, networking and
communications hardware, telecommunication lines, paper receipts, paper
reports, and faxes) that contain cardholder data." 



You would have to have a minimum level of security on the virtualised
process as for paper handling. So this would cover (as with the above)
encryption, destruction after use etc.



Regards,

Dr Craig Wright (GSE-Compliance)



--- in reply to ---

Speaking of faxes.. how do y'all deal with PCI compliance with respect to
FAX to email/web applications?

 

For example, if you have a customer who insists on faxing full credit card
info on their regular fax machine to a company that is utilizing a service
that converts that fax to PDF and emails it to you?

 

j


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------




-- 
View this message in context: http://www.nabble.com/Faxing-and-PCI-DSS-compliance-tp13923129p15048891.html
Sent from the Penetration Testing mailing list archive at Nabble.com.

