PCI Compliance

The Payment Card Industry Data Security Standard (known as PCI DSS) is the security standard that the payment card industry imposes on merchants and service providers that process, store, and transmit credit card holder data. Phaxio is a PCI DSS-certified Level 1 Service Provider. If you need your service to be PCI compliant, Phaxio can help, but you will need to follow the guidelines below.

To achieve PCI Compliance while using Phaxio services, prior to sending any faxes containing cardholder data, users must:

  1. Disable storage by unchecking both the “Store sent fax files on Phaxio server?” and “Store received fax files on Phaxio Server?” checkboxes found in your Fax Settings. This prevents long-term storage of any of your transmitted documents on Phaxio’s servers.
  2. Enable Two-Factor Authentication in your user profile.
  3. Use HTTPS for all webhook URLs you provide to us.
  4. Let us know that you want to be PCI compliant by emailing us at compliance@phaxio.com with the userID of your account.
  5. Use the latest version of the API for the most up-to-date security features.
  6. Rotate your API keys on a regular basis.

What we already do for you

  1. Our secure API URL (https://api.phaxio.com) enforces TLS 1.2.
  2. Your faxes are not stored (when the boxes in Storage Preference are unchecked). This means that Phaxio cannot view, alter, delete or otherwise tamper with your files.
  3. Callbacks are logged, so you know whether or not you received confirmation that a fax was sent or received, and at what time the transmission occurred.
  4. Phaxio is hosted on Amazon’s AWS which has achieved ISO 27001 certification and has successfully completed multiple SOC 2 Type II audits. You can read more about their security precautions here.