PCI Compliance

The Payment Card Industry Data Security Standard (known as PCI DSS) is the security standard that the payment card industry imposes on merchants and service providers that process, store, and transmit credit card holder data. Phaxio is a Level 1 PCI DSS 3.2 certified service provider. If you need your service to be PCI compliant, Phaxio can help, but you will need to follow the guidelines below.

To achieve PCI Compliance while using Phaxio services, prior to sending any faxes containing cardholder data, users must:

  1. Disable storage by unchecking both the “Store sent fax files on Phaxio server?” and “Store received fax files on Phaxio Server?” checkboxes found in your Fax Settings. This will prevent long-term storage of any of your transmitted documents on Phaxio’s servers.
  2. Utilize TLS v1.2 when interacting with the Phaxio API.
  3. Enable Two-Factor Authentication in your user profile.
  4. Use https for all webhooks you provide.
  5. Let us know that you want to be PCI compliant by emailing us at compliance@phaxio.com with the userID of your account.
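Steps 2 and 4 are easy to state but easy to regress on in client code, so here is an added example (not Phaxio's own code) of enforcing them on the calling side: a TLS client context that refuses anything below TLS 1.2 and a check that every webhook URL you hand to the API is https. The API hostname is an assumption; substitute the one from your own integration.

```python
import ssl
import http.client
from urllib.parse import urlparse

# Assumed hostname for illustration; the page does not state it.
PHAXIO_API_HOST = "api.phaxio.com"


def make_tls12_context() -> ssl.SSLContext:
    """Client-side TLS context for step 2: minimum TLS 1.2, certificate
    and hostname verification on (the defaults already verify; the
    minimum version is the part that must be set explicitly)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def open_api_connection(host: str = PHAXIO_API_HOST) -> http.client.HTTPSConnection:
    """Every request to the API goes over a connection built from the
    hardened context, so a TLS 1.0/1.1-only endpoint fails the handshake
    instead of silently downgrading."""
    return http.client.HTTPSConnection(host, context=make_tls12_context(), timeout=30)


def webhook_url_is_acceptable(url: str) -> bool:
    """Step 4: a webhook URL must use https and name a host."""
    parts = urlparse(url)
    return parts.scheme == "https" and bool(parts.netloc)


def validate_webhooks(urls):
    """Reject the whole configuration if any webhook is not https, so a
    single plaintext callback cannot leak fax metadata."""
    bad = [u for u in urls if not webhook_url_is_acceptable(u)]
    if bad:
        raise ValueError("non-https webhook URL(s): " + ", ".join(bad))
    return list(urls)


if __name__ == "__main__":
    # Constructed sample values for a local run; no network call is made.
    print(make_tls12_context().minimum_version.name)      # TLSv1_2
    print(validate_webhooks(["https://hooks.example.test/fax-status"]))
```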

What we already do for you

  1. Your faxes are not stored (when the boxes in Storage Preference are unchecked). This means that Phaxio cannot view, alter, delete or otherwise tamper with your files.
  2. Callbacks are logged so that you know whether or not you received confirmation that a fax was sent or received and at what time the transmission occurred.
  3. Phaxio is hosted on Amazon’s AWS which has achieved ISO 27001 certification and has successfully completed multiple SAS70 Type II audits. You can read more about their security precautions here.