PCI Compliance and Receiving Credit Card Payments by Fax


The low cost of web and email based fax delivery services may look like an easy way to save your business money, but not if you receive credit card payments by fax. Card numbers arriving this way fall under PCI DSS Requirement 4, which requires cardholder data transmitted across open, public networks to be encrypted, and under Requirement 12 (12.8), which requires written agreements with any service provider that handles card data on your behalf, and requires that provider to be PCI compliant and to accept responsibility for the PCI requirements that apply to it. You will not find an affordable PCI compliant solution without using your own dedicated fax machine.

Many online fax services deliver received faxes by unencrypted email, with the fax as a cleartext attachment (TIFF, JPG or PDF). That is not PCI compliant. PCI DSS clearly states that primary account numbers must never be sent unprotected by end-user messaging technologies such as email; if they are sent at all they must be encrypted. A fax converted to PDF and emailed is not encrypted, so when card numbers are received that way both the service provider and the receiver are non-compliant. During an audit you cannot claim you did not know: you signed up for the service knowing you were going to receive card numbers through it.

So, how do you receive credit card payments by fax? The first step is to get a dedicated phone line and a $50 fax machine from your local office supplier, and to write a security policy covering how the fax machine and incoming faxes are secured. A fax containing card data must be classified as confidential and handled as your data retention policy dictates, assuming that policy itself meets PCI requirements. One example is a secured fax machine in accounting, or another area set aside for receiving secure faxes, that only authorized staff can reach. Check whether the machine itself stores received pages in memory; if it does, that memory holds card data too and needs to be cleared as part of the same policy. Faxes containing card numbers must be stored or archived properly, and when disposed of they must again follow your retention policy and be securely destroyed, by cross-cut shredding, incineration or an equivalent method.

If your company receives card data on behalf of its customers, you are liable for every path that data takes to reach you. Claiming you did not know, or that it is out of your hands, is not enough when secure solutions exist. Do not use a fax service unless it is itself PCI compliant, can deliver faxes by encrypted email and securely purges the fax data once it has been delivered. Otherwise, get a real fax machine, secure it, and instruct everyone with access to it what the faxes may contain and how to handle them. And yes, security awareness training for your employees is a PCI requirement in its own right.

In the end, you will find that a dedicated phone line and a $50 fax machine from your local office supplier are cheaper and easier to deal with than trying to make a digital fax service PCI compliant.