PCI DSS v2.0 becomes effective January 1, 2011. Are you ready?
PCI: what is it, and how do we support it with RightFax? I have seen customers, internal and external, ask this question several times over the last couple of months.
Well, it could be an acronym for the Precast Concrete Institute, but in this context it’s not (unless maybe they are a customer of ours). It could be the Peripheral Component Interconnect standard for local bus connectivity, but in this case it’s not (though this is relevant for RightFax due to the Fax Boards we use).
Instead, PCI is the Payment Card Industry (think debit and credit cards) and we are getting asked about this due to the Payment Card Industry Data Security Standard (PCI DSS). In October of this year (2010) the PCI Security Standards Council, a global, open industry standards body for this topic, released version 2.0 of the PCI DSS which becomes effective January 1, 2011.
Why is this relevant to RightFax? PCI DSS applies to any organization that stores, processes or transmits cardholder data such as the primary account number (PAN), cardholder name, expiration date and service code. Many companies that handle this type of data use fax for at least some part of the process. When those customers use RightFax in that business process, the fax images stored by the RightFax server may contain cardholder data and therefore fall under the storage requirements of PCI DSS. Bear in mind that the standard also forbids storing sensitive authentication data such as the card verification code after authorization, so a fax image that carries that code next to the PAN raises a retention question that encryption alone does not answer.
How do we comply with this requirement? In one case, the customer's requirement was to get the fax images into an encrypted storage location, so we engaged our professional services team to develop a solution using the Open Text Document Server, Alchemy Edition, storing the faxes in encrypted form with the Alchemy Database Encryption Module. This addresses the stored-data requirement of PCI DSS (stored cardholder data must be rendered unreadable) while still giving employees access to the faxes through an Alchemy client. An assessor will also look at how the encryption keys are managed, who can reach the decrypted images and whether that access is logged; encryption at rest satisfies one requirement, not the whole standard.
If you are in the process of assessing your annual PCI compliance, or need to understand better how to keep Open Text RightFax compliant with the new PCI DSS v2.0 standard (effective January 1st, 2011), please consult with Open Text Professional Services as soon as possible. Our consultants will work with you to understand your specific business needs and compliance requirements in relation to your RightFax implementation. This includes the option of extending your RightFax system with our Document Server connector and Database Encryption Module. Have you run into a PCI implementation requirement? How did you handle it? For more information on PCI DSS and other payment card industry security standards go to https://www.pcisecuritystandards.org/ .
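Before deciding which stored faxes need encrypted archiving, a practitioner has to know which images actually carry cardholder data. The following is an added example, not code from the original post or from any Open Text product, of how to triage text extracted from fax images (OCR output is assumed; the sample text below is constructed): it finds digit runs of PAN length that pass the Luhn check, masks them to the first six and last four digits (the display form PCI DSS permits), and flags lines where a card verification code sits next to the PAN, because that value must not be retained after authorization. The regular expressions, the `Finding` class and the `classify` helper are this example's own names.

```python
"""Triage OCR text from fax images for cardholder data (added example, not
part of the original post or of RightFax/Alchemy)."""
import re
from dataclasses import dataclass

# 13-19 digits, optionally separated by single spaces or hyphens as they
# appear on printed forms; the lookarounds stop a longer run being split.
DIGIT_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Labels commonly written next to a card verification code on order forms.
CVV_NEARBY = re.compile(r"\b(?:cvv2?|cvc2?|cid|security code)\b\s*[:#]?\s*\d{3,4}", re.I)


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: every PAN passes it, most other digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits, the maximum PCI DSS allows to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class Finding:
    masked: str        # masked PAN, safe to put in a report or log
    length: int        # digit count (15 for Amex, 16 for most others)
    cvv_nearby: bool   # a verification code appears on the same line


def find_pans(text: str) -> list:
    """Return one Finding per Luhn-valid PAN-length digit run in text."""
    findings = []
    for m in DIGIT_RUN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
            continue  # fax/phone numbers, order numbers, etc.
        # Look for a verification code on the same line as the PAN only;
        # a wider window would attribute one form's CVV to a neighbouring card.
        line_start = text.rfind("\n", 0, m.start()) + 1
        line_end = text.find("\n", m.end())
        line = text[line_start:len(text) if line_end == -1 else line_end]
        findings.append(Finding(mask_pan(digits), len(digits), bool(CVV_NEARBY.search(line))))
    return findings


def classify(text: str) -> dict:
    """Summarise whether a fax is in PCI DSS scope and whether it holds data that may not be stored."""
    findings = find_pans(text)
    return {
        "in_scope": bool(findings),
        "sensitive_auth_data": any(f.cvv_nearby for f in findings),
        "findings": findings,
    }


# Constructed sample: an OCR'd order form with a toll-free fax number, a
# 16-digit order number that fails Luhn, a Visa test PAN with its CVV2, and
# an Amex test PAN without one. No real cardholder data.
SAMPLE_FAX_TEXT = """\
ORDER FORM (fax)   Fax: 1-800-555-0199   Order #: 1234567890123456
Cardholder: J. Example
Card number: 4111 1111 1111 1111   Exp: 12/14   CVV2: 123
Alt card: 3782-822463-10005
"""

if __name__ == "__main__":
    result = classify(SAMPLE_FAX_TEXT)
    print("in scope:", result["in_scope"], "| holds CVV:", result["sensitive_auth_data"])
    for f in result["findings"]:
        print(f)
```

Only the masked form ever leaves the function, so the scan's own output does not become a second unencrypted copy of the PAN; a fax flagged `sensitive_auth_data` needs a redaction or destruction step, not just encrypted archiving.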
December 16, 2010 

We have seen PCI compliance requests come up a few times, and in general the preferred method of compliance, besides Role-Based Access, is actual image encryption for the transactions themselves. The current version of the standard is v2.0, released on 26/10/2010. PCI DSS v2.0 must be adopted by all organizations with payment card “data” by 1st January 2011, and from 1st January 2012 all assessments must be under version 2.0 of the standard. What is interesting is the terminology “control objectives” in the current specification, which is for the most part concerned with the transmission and storage of credit card information. However, this has a very limited connection to fax transmissions and is mostly concerned with POS, live IVR operations and hosted solutions.
Thank you.
Scott Riley (sriley@otgt.com)
Does RightFax have a roadmap with regards to additional features complementary to PCI 2.0 compliance? Role-based Access is a good first measure, and auto-archiving with Alchemy is a great solution for encryption, but will transactions/images in the system eventually be encrypted, and what are your thoughts about fax images relative to actual credit card “data” in a database?
Thank you.
Scott Riley
http://www.allaboutfoip.com
Scott,
As you note above, much of the emphasis (and indeed the high-publicity data breaches) comes from careless implementations of card processing information, and increasingly back-end integration in e-commerce sites. While the faxed information (still a very popular vehicle for transmitting payment card information) is less vulnerable, it is not a perfect solution.
I am currently in the process of assembling the mid-term product roadmap, and increased security across the board is high on the priority list, including two methods to obfuscate access to fax images and add encryption of said images.
It is safe to say that we will enhance security on several fronts, and thus eliminate any concerns about fax image and data integrity from PCI DSS audits.
Glad to hear from you!
Geoff
Product Manager, RightFax
Scott,
Indeed, auto-archiving with Alchemy will be a good current option. One of our customers (in response to PCI compliance requests) is in the process of implementing an Alchemy solution, where faxes are periodically imported into Alchemy (every 10-15 minutes) and promptly removed from their transactional fax environment. When using the Alchemy Database Encryption Module everything in the data store is encrypted (from the images to the metadata). Transmission of documents from server to client is also secured and encrypted, including use of Alchemy Web when hosted via SSL.
This is the quickest and most direct solution to ensure this particular aspect of PCI compliance can be satisfactorily met.
Thanks for your thoughts and suggestions, Scott.
Regards,
Jonathan
Director of Solutions, North America
I am failing to see how these options address the need to log and report on when CC information is viewed and by whom. How does this solution address these needs?
Shane, both RightFax and Alchemy keep an audit log. The RightFax history (audit log) contains a record of transmission data as well as whether the fax is viewed, forwarded, routed, etc. and by whom. When the fax is archived into Alchemy the RightFax history is also archived with the fax. From this point Alchemy’s audit log takes over, recording all events that happen to the fax and by which user, such as printing, viewing, annotating, etc. This provides a complete audit log for the fax from the time it is created/received through its entire lifecycle.
Thanks for a great question,
Chris Hodges
Solutions Consultant
OpenText
@Chris Hodges, Do you know where in the DB this information is kept?
@Franklin, the Alchemy database would contain all metadata that is stored with the fax, and the actual fax image would be stored in an Alchemy data container. When the encryption module is used, both the Alchemy database and the Alchemy data containers are encrypted. As for the location on disk, the database and containers would be stored on any Windows-accessible drive or share.
I hope this has answered your question, please let me know if you need more information,
Chris Hodges
Solution Consultant
Open Text