PCI Compliant Fax Solutions (9.6: 3.1, 3.3, 3.4, 4.1, 4.2, 12.8.1, 12.8.2)
bvasquez
07-09-2008, 11:29 AM
We are looking to implement a fax solution that addresses the technical and operational needs of PCI noted in the subject. What are some of the fax solutions, vendors and operational deployments which meet PCI requirements?
BACKGROUND:
For each of our properties we have different fax solutions. We either have properties that use eFax where emails are delivered via unencrypted emailed attachments (.pdf, .tiff, etc.) or standard analog faxes in semi-secure areas throughout various departments.
For the record, we have considered various options and noted many requirements, in addition to heeding some of the tips that were presented in the following post:
From: David M. Zendzian, Mon, 28 Jan 2008 15:57:21 -0500 @ http://seclists.org/pen-test/2008/Jan/0235.html
(I confess, I do read other related sites) :)
Thank you for your time.
jbhall56
07-09-2008, 07:49 PM
Fax servers are great generators of efficiency, but under the PCI DSS, they can become a pain in the posterior if they get involved with cardholder data. That's not to say that they cannot be made compliant, it's just that it is not as easy and straightforward as we would like.
First, I would highly recommend that you avoid, as best you can, routing faxes through your email system. This will put your email servers and email clients in scope for compliance, something I think we would all agree should be avoided if at all possible. However, a workaround for this is having a policy/procedure that says that all faxes that contain cardholder data are immediately printed out and deleted from the email system. This should be documented as a compensating control to keep the email system out of scope. The printed faxes should be destroyed as soon as the information on the fax has been entered into your systems. This will avoid the faxes ending up on your email systems' backup tapes unencrypted.
If you keep your faxes on the fax server, users should retrieve the faxes as soon as possible, then print them out and delete them. The printed faxes should then be destroyed as soon as they are entered into your systems. Again, a compensating control document will need to be created for this solution. This will avoid faxes on your fax servers being backed up.
If, for some reason, your organization needs to retain the faxes, then the cardholder data should be masked on the faxes. If the faxes are printed out, have personnel use large permanent magic markers to mask the cardholder data on the fax. If you prefer to keep the faxes as electronic documents, then make sure they are TIF format documents and use MS Paint or a similar program to electronically mask the cardholder data using the color BLACK, and then save the electronic documents over the original. I have spoken to a number of computer forensics people, and this electronic masking does make the cardholder data unrecoverable as long as the color used is black. This too will require a compensating control document for this solution. Again, this solution should avoid cardholder data ending up on your backup tapes.
Remember, none of these solutions are perfect solutions, but they should allow you to continue to accept faxes and still be compliant. Your QSA will still have questions and you will have to allow the QSA to conduct some sample testing of your solution(s) to ensure that your procedures/policies are in place and being followed.