In March 2011, the PCI SSC released the initial version of the “Protecting Telephone-Based Payment Card Data” Information Supplement as a guide to help assessors evaluate environments where cardholder data was stored, processed, and/or transmitted over the telephone. It was a pivotal guidance document at the time that set the stage for a broader focus on telephony technologies. As of November 2018, that time has finally arrived. The revised document provides a comprehensive dive into the various telephony architectures (specifically VoIP, ISDN, and PSTN) and the related people and processes that must be considered within scope for PCI DSS compliance.
Who is impacted by the change? How so?
- Potential for PCI Scope Expansion
  - Entities such as merchants that use telephony as a card acceptance payment channel.
  - Entities such as merchants, customer service centers, call centers, or contact centers that outsource (or are considered to be outsourcing) telephony payment acceptance to a third-party service provider.
  - Service providers that accept payments over the telephone or manage transactions over the telephone on behalf of merchants or other entities.
  - Technology vendors providing, maintaining, and/or managing telephone payment systems.
  - Providers of telephony services (e.g., interactive voice response [IVR] or Dual-Tone Multi-Frequency [DTMF] masking/suppression).
  - Acquirers, payment service providers, and payment gateways that support relevant entities.
- Potential for Additional QSA/ISA Testing Required
  - Qualified Security Assessors (QSAs) and Internal Security Assessors (ISAs) that support any of the above entities.
  - Card issuers that support the secure distribution of payment cards to cardholders.
What is the impact of the change to my organization’s telephony-based payment environment?
- Defining segmentation/demarcation points for the telephony environment is critical. The convergence of voice and data networks can have the effect of bringing the entity’s wider infrastructure into PCI DSS scope.
- Achieving network segmentation when using a single VoIP phone system that links in-scope and out-of-scope systems will be difficult.
- Telephony infrastructure responsible for call routing, handling, and management is required to be in scope for the entity’s (or service provider’s) PCI compliance efforts, as it handles customer calls that carry card data.
- When VoIP is used for transmissions of payment account data, the entity’s systems and networks used for those transmissions are in scope for all applicable controls.
- Carriers providing only access to public networks are generally considered out of scope for PCI DSS.
- Particular attention should be given to home workers, as the controls that would commonly be implemented in a “formal call center” do not traditionally exist in a home environment.
- Entities should consider technology solutions where personnel do not have to hear or enter account data into the systems (e.g., DTMF masking).
- Use of softphones to capture payment card data brings the workstation and the network into PCI DSS scope.
- Organizations that have a legitimate constraint requiring them to retain sensitive authentication data (SAD) in call recordings should discuss this with, and obtain approval from, their acquirer and/or payment brand(s).
- Where pause-and-resume technology is in use (especially when agent-initiated), regular checks that recordings are actually being paused should be implemented (weekly checks are recommended).
Some of these changes may seem dramatic to some entities, but it’s important to keep in mind that this release is an information supplement and not a change to the PCI DSS standard itself. The clarifications in the supplement are intended to bring clarity to how changing technologies should be understood relative to the PCI DSS. Coalfire was one of the QSA companies involved in helping develop this new information supplement; if you have questions on how this document might affect your environment, we are here to partner with you in understanding this new guidance.