PCI-DSS compliance

ExtraFax Cloud Service is powered by Upland InterFAX. InterFAX is certified as a Level 1 PCI DSS-compliant service provider. Dedicated to offering highly secure fax services that meet the world's most stringent privacy and security regulations, ExtraFax Cloud is committed to helping clients address PCI DSS by ensuring that our services fully comply with the standard.

What is PCI DSS?

The PCI Security Standards Council offers robust and comprehensive standards and supporting materials to enhance payment card data security. These include a framework of specifications, tools, measurements and support resources to help organizations ensure the safe handling of cardholder information through every step of the payment process. The framework's keystone is the PCI Data Security Standard (PCI DSS), a multifaceted security standard for developing a robust payment-card data-security process including prevention, detection and appropriate reaction to security incidents.

In security terms, PCI DSS compliance means that businesses adhere to the standard's requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. In operational terms, it means that businesses play a role in ensuring that customer payment-card data are kept safe throughout every transaction, while both businesses and customers enjoy the confidence of being protected against data breaches.

When does PCI DSS Apply?

PCI DSS applies wherever account data is stored, processed or transmitted. Account data consist of a range of cardholder and sensitive authentication information including:

Cardholder Data

  • Primary account number (PAN)
  • Cardholder name
  • Expiration date
  • Security Code

Sensitive Authentication Data

  • Full magnetic stripe data or equivalent data on a chip
  • PINs/PIN blocks

Do Other Laws and Regulations Apply to PCI DSS?

PCI DSS represents a minimum set of control objectives that may be enhanced by local, regional and sector laws and regulations. Additionally, legislation or regulatory requirements may require specific protection of personally identifiable information or other data elements (e.g. cardholder name), or define an entity’s disclosure practices related to consumer information. Examples include legislation related to consumer data protection, privacy, identity theft and data security. PCI DSS does not supersede local or regional laws, government regulations or other legal requirements.

Who Needs to Comply with PCI DSS?

PCI DSS is vital for all merchants that accept credit cards, online or offline. Any ExtraFax Cloud customer sending faxes that include full credit-card numbers (i.e. payment-card data) needs to comply with PCI DSS.

The standard applies to businesses of all sizes – from the world's largest corporations to small Internet stores. The size of the business determines the specific compliance requirements that must be met. Enforcement of merchant compliance and non-compliance penalties are managed by individual payment brands and not by the PCI Security Standards Council.

ExtraFax Cloud and PCI DSS

ExtraFax Cloud is fully committed to complying with PCI DSS regulations and ensuring that our products are PCI DSS-compliant. Should you desire further information or clarification regarding any PCI DSS related issue involving ExtraFax Cloud, please Contact us.

How does PCI DSS Apply to ExtraFax Cloud?

PCI DSS applies to ExtraFax Cloud in two ways:

Merchant processing – when processing and storing client credit-card details.

Fax handling – when faxes passing through ExtraFax Cloud systems include credit-card data. ExtraFax Cloud typically acts as a passive conduit for fax content passing through our systems, however, we can also function as a PCI Level 1 service provider, in which case we actively secure information passing through our networks.

ExtraFax Cloud Confidentiality and Security Measures

ExtraFax Cloud provides clients with diverse ways to improve their fax security. We offer SSL and PKI inputs in the service, as well as "Delete Fax after Completion," a feature ensuring that fax images are not stored on our systems any longer than necessary for faxing.

With our Outbound PCI fax service, faxes are sent through a separate, hardened subsystem that has undergone rigorous compliance testing. This means that customers remain PCI DSS-compliant when outsourcing their faxing via ExtraFax Cloud.