PCI DSS compliance
Some users, such as banks, credit card companies and hotels, handle credit card data in their communications and are therefore required to follow the PCI DSS guidelines. Customers who want additional security on their account, regardless of the content of their faxes, can use the PCI-compliant service as well.
Our PCI-compliant service runs on a separate sub-system at InterFAX, so your users must be set up on it. To enable PCI compliance for a user, contact our team and request a change of the user's service. Once that is completed, you will need to apply the following measures:
Stop using email-to-fax - sending credit card data via email is not PCI compliant, and email-to-fax is disabled for PCI users at InterFAX.
Integrate the PCI endpoint - if you are currently using the InterFAX API, you will need to switch to the separate endpoint of the PCI fax API. Note: some method names in the PCI fax API differ from those of the regular API, so check each call you migrate rather than only changing the base URL.
HIPAA and other types of compliance
Some users, such as US healthcare entities that must abide by HIPAA, and financial institutions worldwide, have enhanced privacy requirements for messaging providers such as InterFAX.
While InterFAX does not fall into any of the HIPAA "covered entity" categories, as a potential Business Associate we have implemented several privacy-enhancing features and procedures, and suggest that you apply the following measures:
Use TLS or PKI to send your message - We provide TLS-secured communication to our Web Service servers via https://ws.interfax.net, and public-key (PKI) encryption of email messages, so that potentially patient-identifying information can be submitted securely for faxing. Make sure your client verifies the server certificate and never falls back to plain HTTP or unencrypted email.
Use the 'delete fax after completion' feature - This setting may be selected through your account sending preferences. It is intended to keep sensitive information on our servers no longer than is necessary to send a fax or to announce its failure (several minutes). When set, images of faxes sent through the service, as well as temporary files, will immediately be deleted from our servers upon completion.
Don't place patient-identifying, or otherwise confidential, information into any data field other than the fax body - Confidential information must appear only in the body of your outgoing fax. All other parts of a transaction (the metadata fields of the request) are retained indefinitely for billing purposes and are not covered by the 'delete fax after completion' setting, so don't insert confidential information anywhere except in the fax itself.
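The last two measures are easy to get wrong in an integration, because the same request carries both the fax body (deleted after completion) and metadata fields (retained). The following pre-send guard is an added example and not InterFAX code: it refuses any transport other than HTTPS to the ws.interfax.net host named above, and scans the request's metadata fields for identifiers that should only ever be in the fax body. The field names (subject, reference, contact, file_name) and the identifier patterns are assumptions for illustration; substitute the fields your own integration sets.

```python
"""Pre-send guard for a HIPAA-sensitive fax submission.

Added example, not InterFAX code. It assumes the HTTPS web-service host
named on the page (ws.interfax.net) and uses hypothetical metadata field
names; adapt them to the fields your integration actually sets.
"""
import re
from urllib.parse import urlparse

# Host named on the page; only HTTPS to this host is accepted.
WS_BASE_URL = "https://ws.interfax.net"
EXPECTED_HOST = "ws.interfax.net"

# Hypothetical metadata field names; the provider retains these for billing.
METADATA_FIELDS = ("subject", "reference", "contact", "file_name")

# Constructed patterns for identifiers that belong only in the fax body.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN\s*[:#]?\s*\d{5,}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)\b", re.IGNORECASE),
    "patient": re.compile(r"\bpatient\b", re.IGNORECASE),
}


class FaxRequestError(ValueError):
    """Raised when a request would leak PHI or use an insecure transport."""


def check_transport(url: str) -> str:
    """Accept only HTTPS to the expected host; refuse plain HTTP or other hosts."""
    parts = urlparse(url)
    if parts.scheme != "https":
        raise FaxRequestError(f"refusing non-TLS transport: {url}")
    if parts.hostname != EXPECTED_HOST:
        raise FaxRequestError(f"unexpected host {parts.hostname!r}: {url}")
    return url


def find_phi_in_metadata(request: dict) -> list:
    """Return (field, pattern_name) pairs for metadata fields that look like PHI.

    The fax body is deliberately not scanned: PHI is allowed there, and the
    provider's delete-after-completion setting removes it after sending.
    """
    findings = []
    for field in METADATA_FIELDS:
        value = request.get(field)
        if not value:
            continue
        for name, pattern in PHI_PATTERNS.items():
            if pattern.search(str(value)):
                findings.append((field, name))
    return findings


def prepare_request(request: dict, base_url: str = WS_BASE_URL) -> dict:
    """Validate transport and metadata, then return what may be submitted.

    Nothing is sent over the network; the returned dict is the endpoint plus
    the payload split into retained metadata and the fax body.
    """
    check_transport(base_url)
    findings = find_phi_in_metadata(request)
    if findings:
        detail = ", ".join(f"{field}:{name}" for field, name in findings)
        raise FaxRequestError(f"PHI detected outside the fax body ({detail})")
    if not request.get("body"):
        raise FaxRequestError("fax body is empty")
    metadata = {k: request[k] for k in METADATA_FIELDS if request.get(k)}
    return {"endpoint": base_url, "metadata": metadata, "body": request["body"]}


if __name__ == "__main__":
    # Constructed sample requests; not real patient data.
    unsafe = {
        "subject": "Patient John Doe, MRN 0048812",
        "reference": "visit-2024-03-02",
        "body": "Referral for John Doe, DOB 01/02/1960 ...",
    }
    safe = {
        "subject": "Referral",
        "reference": "case-7731",
        "body": "Referral for John Doe, DOB 01/02/1960 ...",
    }
    print(find_phi_in_metadata(unsafe))  # [('subject', 'mrn'), ('subject', 'patient')]
    print(prepare_request(safe)["metadata"])  # {'subject': 'Referral', 'reference': 'case-7731'}
```

Pattern matching of this kind is a guard against accidental leakage, not a guarantee: keep the rule that metadata fields carry only opaque references (case numbers, internal IDs) and treat any hit as a bug in the calling code rather than something to be filtered out on the fly.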