The Payment Card Industry Data Security Standard applies to every business that stores, processes, or transmits cardholder data. Office MFPs typically sit outside the direct PCI DSS scope because they do not handle card data as part of their primary function. The complication arises when card data passes through the device incidentally: a customer hands over a card to be photocopied, a transaction receipt gets scanned to a folder, a payment authorisation form goes through the fax. Each touchpoint potentially brings the MFP into PCI DSS scope, with significant compliance implications for the business. The framework below covers how to keep MFPs out of scope where possible, and how to bring them properly into scope where the workflow requires it.
PCI DSS applies only to systems within the cardholder data environment (CDE). A business handling card data wants the CDE as narrow as possible, since every system in scope requires the full set of PCI controls. Office MFPs typically benefit from being kept out of the CDE through procedural controls that prevent card data from reaching them.
If card data does reach an MFP, the device falls into scope and the business has two options: extend full PCI DSS controls to the MFP, or change the workflow so card data no longer touches the device. The second option is usually preferable since it preserves the MFP's exclusion from the costly CDE.
Some businesses retain physical card copies as part of order verification or authorisation. The practice was common in retail and hotel industries through the 2000s but has fallen out of favour as PCI DSS enforcement has tightened. A copier used to make card copies holds the card image data on its hard drive after each copy.
Receipts from payment terminals often include partial card information (last four digits) and the transaction amount. PCI DSS permits storage of masked PANs and the transaction details, so scanned receipts containing only this information are usually acceptable. Receipts that include the full PAN are not.
Some industries (hospitality, professional services) historically faxed authorisation forms containing card details to vendors or customers. The practice is high risk under PCI DSS because the fax travels through the phone network in cleartext and the MFP retains the image data.
Some legacy systems generate reports that include card numbers in the output. Printing these reports through an office MFP places the card data on the device temporarily. The exposure is brief but counts toward PCI scope.
When workflow constraints prevent removing card data from the MFP, the device must satisfy the full PCI DSS requirements. The major requirements as they apply to an MFP in scope include the network controls, the access controls, the encryption requirements, and the documentation obligations. Each requirement maps to specific MFP configuration steps that the business needs to apply.
The MFP must sit on a network segment isolated from the broader office network, with firewall rules limiting traffic to and from the device.
Default admin passwords and default community strings must be changed. Unused services must be disabled.
Any cardholder data stored on the MFP must be encrypted using strong cryptography. PCI DSS specifically accepts AES-256.
Cardholder data transmitted across open or public networks must be encrypted.
Access to systems handling cardholder data must be restricted to authorised users with assigned unique IDs.
All access to cardholder data and network resources must be logged.
Security controls must be tested through vulnerability scanning and penetration testing.
A formal security policy must address all PCI DSS requirements and be kept current.
The PCI DSS controls listed above represent substantial ongoing work and compliance cost. The economically efficient approach is to redesign workflows so card data does not reach the MFP at all, keeping the device outside the CDE.
The redesign typically involves replacing fax-based authorisation with PCI-compliant payment gateways, masking card numbers in reports and receipts, and explicitly prohibiting the photocopying of customer cards. Each change moves the card data handling to dedicated PCI-scoped systems and removes the corresponding scope from the office MFP fleet.
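The masked-versus-full PAN distinction above (acceptable scanned receipts show only the last four digits; reports and receipts must be masked before they reach the MFP) can be checked mechanically on the text OCR'd from a scan-to-folder output or a print job. The following is an added example, not code from the original article: it uses a digit-pattern regex plus the Luhn check to flag only Luhn-valid full PANs, classifies a document as in or out of scope, and masks any full PAN down to its last four digits. The sample strings are constructed test data using well-known test card numbers, and the assumption is that OCR text is already available as a string.

```python
import re
from typing import List

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _normalise(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def find_full_pans(text: str) -> List[str]:
    """Return every Luhn-valid full PAN in text, digits only, in order found."""
    return [
        _normalise(m.group(0))
        for m in PAN_RE.finditer(text)
        if luhn_valid(_normalise(m.group(0)))
    ]


def mask_pans(text: str) -> str:
    """Replace each full PAN with asterisks, keeping only the last four digits."""
    def repl(m: re.Match) -> str:
        digits = _normalise(m.group(0))
        if luhn_valid(digits):
            return "*" * (len(digits) - 4) + digits[-4:]
        return m.group(0)       # not a PAN (e.g. an order number), leave untouched
    return PAN_RE.sub(repl, text)


def classify_document(text: str) -> str:
    """'in-scope' if a full PAN is present, otherwise 'out-of-scope'."""
    return "in-scope" if find_full_pans(text) else "out-of-scope"


# Constructed sample OCR output (test card numbers, not real cardholder data).
RECEIPT_MASKED = "VISA **** **** **** 1111  AMOUNT 42.50  AUTH 012345"
REPORT_FULL = "Order 9921 paid with 4111 1111 1111 1111 and 3782-822463-10005"
```

Run over a scan-to-folder directory, `classify_document` gives a simple scope flag per file, and `mask_pans` shows what a report must look like before it is sent to the printer.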
PCI DSS applies different levels of validation requirements based on the merchant's transaction volume. Level 1 merchants (over 6 million transactions per year) need an annual on-site assessment by a Qualified Security Assessor. Levels 2 through 4 use self-assessment questionnaires of varying length. Small businesses processing under 20,000 transactions per year fall into Level 4, with the simplest validation requirements.
The validation level affects how the office demonstrates MFP compliance. Level 1 merchants need the QSA's review of MFP controls if the device is in scope. Level 4 merchants document the controls through the self-assessment questionnaire. In both cases, keeping the MFP out of scope simplifies the validation work substantially.
This piece covers PCI DSS for office MFPs. The preceding pieces handle HIPAA, GDPR, and Spanish LOPDGDD: HIPAA compliant copier setup, GDPR compliance, and LOPDGDD for Spain. The next pieces handle ISO 27001 and SOC 2: ISO 27001 for printer fleets and SOC 2 audits.