By Ben Rafferty, Chief Innovation Officer
“The working environment in which telephone-based transactions are received provides numerous opportunities for compromising payment card data.”
That’s a simple statement pulled from the early paragraphs of the recently updated Guidance on Securing Telephone-based Payment Card Data, released by the Payment Card Industry Security Standards Council (PCI SSC). However, as you comb through the document, you’ll see that the outline of specific risks and guidance for abating those risks are anything but simple.
This is especially true when we look at the complexity of gaining and maintaining compliance for the modern contact center. Security professionals understand that the reality of securing this increasingly vital transaction channel is much more complex than companies pushing simple “pause-and-resume” solutions make it out to be.
For this reason, we wanted to highlight some of the areas where the new guidance addresses this complexity, particularly in how it relates to pause-and-resume call recording solutions.
Call Recordings & Cardholder Data
In addition to the Payment Card Industry Data Security Standard (PCI DSS), contact centers often find themselves subject to many industry and governmental regulations regarding the way they manage call recordings. For example, depending on the industry, many organizations may be required to maintain full call recordings for regulatory or compliance purposes. If the organization also takes payments over the phone, this could present issues for PCI DSS compliance, which requires merchants to keep cardholder data (CHD) off call recordings.
The new guidance recognizes this quandary and specifically addresses it in section 6.6 titled Additional Considerations. It states, “Entities with these obligations [to record calls] will need to implement appropriate processes and technologies to secure all account data that is received verbally by call agents and systems during processing and remove all SAD upon completion of the transaction.”
When it comes to methods for keeping SAD off recordings, it goes on to add, “Entities need to understand how different technology deployments impact the data captured in call and screen recordings, and the controls that will be consequently needed to protect CHD and remove SAD from the recordings. For example:
- Recordings will capture clear-text CHD and SAD if spoken by the cardholder or captured through DTMF tones, and where the entire conversation is recorded.
- Recordings will not capture CHD or SAD if DTMF masking/suppression is implemented prior to the data reaching recording systems (when DTMF is the only acceptance channel).
- Recordings may capture CHD or SAD if pause-and-resume is used, depending on the accuracy of the pause-and-resume process.”
For organizations employing pause-and-resume call recording solutions, this can introduce many unanticipated headaches when scoping their contact centers for PCI DSS compliance.
The Shortcomings of Pause-and-Resume Call Recording Methods
With the PCI SSC recognizing that the accuracy of pause-and-resume methods may vary and could lead to SAD making its way onto call recordings, the new guidance goes into detail about the additional controls that merchants must implement if they choose to use this method.
Because this method relies on call center agents manually stopping the recording at the point of transaction, and then restarting the recording once the transaction is complete, there is a risk that the agent may forget to pause the recording at the right time. This is problematic because if the agent forgets to pause it before the start of the transaction, SAD may inadvertently be recorded and stored on the recording. On the other hand, if the agent does pause the recording at the right time, but forgets to restart it, the remainder of the conversation will not be recorded, potentially breaching industry or regional regulations.
To mitigate these issues, the guidance states that “Manual pause-and-resume implementations require constant monitoring and verification that the manual processes are being followed by all agents for every transaction. As well as monitoring agent processes, the entity will need to regularly confirm that the call recorder and call storage do not contain any CHD or SAD. This can be achieved by supervisors regularly listening to recorded conversations.”
Automated pause-and-resume systems typically integrate with an agent’s desktop application that is used during the transaction process. The pausing of the call could be triggered when the agent starts the payment process within the application, and the recording restarted once the transaction is complete. While this relieves the agent of the burden of remembering to start and stop the recording at the correct time, the effectiveness of the solution depends greatly on the integration with the payment application and with the agent performing the correct steps at the correct time. Additionally, if there is any way for the agent to circumvent the integrated process, then this solution could be rendered ineffective.
In section 5.2.6 titled Voice and Screen Recordings, the guidance discusses the precautions merchants must take while ensuring SAD is never stored. It states, “If a technology solution (e.g., pause-and-resume or stop-start) cannot block the audio or video from being stored, the sensitive authentication data (SAD) MUST BE DELETED from the recording as soon as the transaction is processed.” For many organizations, it may be unrealistic, if not impossible, to ensure that SAD is deleted immediately after the transaction is processed.
The guidance goes on to state, “Where pause-and-resume is used for call recordings, especially where initiated by the agent, it is recommended to verify that the call recordings do not contain CHD or SAD be undertaken on a regular basis, preferably weekly.” Merchants using pause-and-resume who do not already have a review process in place may find this requirement particularly time consuming, costly, and burdensome. To make matters even more difficult, now that the guidance explicitly states these controls must be in place, Qualified Security Assessors (QSAs) will be checking to make sure they have been properly implemented.
Pause-and-Resume and Scope Reduction
When looking at the contact center holistically, cardholder data could touch many areas beyond just the call recording. For example, if the customer is verbally giving their card information, this could bring into scope the agents themselves, the agent’s computer (because they would have to manually type in the PAN and SAD), the physical environment around the agent (because they could write down or record SAD), and even the CCTV system, which could inadvertently capture audio or video of the SAD. Pause-and-resume solutions only take the call recording out of scope for PCI DSS compliance, but leave everything else in scope. To further reduce scope, other solutions must be implemented.
In fact, the guidance states explicitly that “Entities should avoid solutions that leave agent environments in scope unless there is an unavoidable business requirement to do so.” Therefore, pause-and-resume solutions, which leave the majority of the agent environment in scope, are no longer a valid solution for major enterprises. The strategy for enterprise-level organizations should now be to include a DTMF masking solution for voice payments to remove the agent and their environment from scope fully.
To Reduce Scope and Achieve PCI DSS Compliance, Use DTMF Masking
The warnings, cautions and restrictions seem to go on and on. By comparison, the Council’s notes on Dual-Tone Multi-Frequency (DTMF) masking are presented much more simply. DTMF masking alleviates the need for extra and restrictive controls that you would need with pause-and-resume. The guidance notes that DTMF masking is one of the technologies “that can be used to reduce the risk to account data in the environment” and that it “has the potential to reduce the scope of the PCI DSS, devalue the account data and potentially ensure no CDE exists.”
In fact, managed and unmanaged dual-tone multi-frequency (DTMF) masking solutions, like Semafone’s Cardprotect, can reduce scope to the extent that only PCI DSS Requirements 3, 9 and 12 would be applicable to your scope.
Learn more about Cardprotect and how it can help reduce the scope of the cardholder data environment and ease PCI DSS compliance in your call or contact center.
You may view the PCI Security Standards Council’s Guidance for Protecting Telephone-based Payment Card Data here.