Frequently Asked Question

Any cardholder data that is stored, processed, or transmitted must be protected in accordance with PCI DSS. If faxes are sent or received via modem over a traditional PSTN phone line, these are not considered to be traversing a public network. On the other hand, if a fax is sent or received via the Internet, it is traversing a public network and must be encrypted per PCI DSS Requirement 4.1. Any systems " such as fax servers or workstations " that the cardholder data passes through must be secured according to PCI DSS. Also, any cardholder data on the fax that is electronically stored must comply with PCI DSS Requirement 3.4 to render the cardholder data unreadable. If the fax system is combined with an email system (for example, via a fax-to-email gateway), the emails would also be subject to Requirement 4.2. (Refer to FAQ #1085 Can unencrypted PANs be sent over e-mail, instant messaging, SMS, or chat?)

In addition, Requirement 3.2 prohibits storage of sensitive authentication data (full track, card verification codes/values and PIN block data) after authorization. If sensitive authentication data is received on a fax (for fax transmissions this would only be the 3- or 4- digit card verification codes/values printed on the front or back of payment cards), the data should be blacked-out or removed prior to retaining the fax in paper form, and the original fax transmission should be securely deleted from the system in a manner which ensures the data is non-recoverable. Entities should also protect paper documents that contain cardholder data in accordance with PCI DSS Requirements 9.5 through 9.8.
(Note: PCI DSS Requirement numbers refer to PCI DSS version 3)