By Wayne Murphy, Senior Security Consultant, Sec-1 Ltd.
This week saw the eagerly awaited update to the “Protecting Telephone-based Payment Card Data Guidance” by the Payment Card Industry Security Standards Council (PCI SSC). The update has been a few years in the making, with the PCI SSC and industry stakeholders providing a draft version that was distributed to the assessor community in early 2017. The PCI SSC received an overwhelming number of comments in response to the draft, so felt a special interest group (SIG) would be best placed to collaborate on an updated version of this guidance.
I was fortunate enough to have the opportunity to lend my expertise and serve as a contributing member of this SIG, along with Semafone’s Global Solutions Director, Ben Rafferty. Below I’ll offer an overview of some of the biggest changes announced with this updated guidance.
The Largest Updates for Protecting Telephone-based Payments
Given that the last version of this guidance came out in 2011, the PCI SSC and the SIG went through a comprehensive overhaul, and thus produced many updates to address the evolution of technologies and processes that have occurred throughout the years.
Although VoIP (Voice over IP) has been around since the 1970’s, it wasn’t properly developed until around 1995. The initial guidance was released in 2011, many years after VoIP usage within the marketplace. As a result, VoIP has often been misunderstood within the PCI DSS (Payment Card Industry Data Security Standard) community, resulting in it either being missed when scoping a PCI DSS environment or simply assessed incorrectly, even though the PCI SSC have released an FAQ on this subject.
Scoping the cardholder data environment (CDE), meaning identifying what people, process, or technology PCI DSS requirements apply to and therefore need to be included within a PCI DSS assessment, can often be difficult. This update includes a lot of information on how VoIP can impact the scope of a CDE to dispel any misconceptions merchants, service providers, consultants, and even some Qualified Security Assessors (QSAs) might have when VoIP is used to transmit cardholder data verbally within a telephone payment channel (e.g. contact centres).
As a QSA, it is sometimes awkward going into a client environment where previous PCI professionals have failed to properly identify VoIP as being in scope. This situation often ends up being problematic for the client because it either means they are unable to pass an audit, or they need to carry out some expensive and costly work to attain PCI DSS compliance due to previous misinformation.
As this new guidance highlights, VoIP is very much in scope for PCI DSS. This will not only ensure telephone payment channels are properly scoped, but it should also help to further secure these channels. Additionally, the guidance will help to promote a consistent message by PCI DSS professionals when working with payment channels handling VoIP communications.
New Technologies & Processes
The guidance provides a variety of scenarios to help the reader understand scoping concerns when dealing with telephone payment channels, ranging from simple to much more complex phone payment operations. Risks associated with the people, process, and technology aspects of both simple and complex payment channels are also discussed, along with guidance on how organisations can address some of these risks.
In addition to highlighting the scoping implications of VoIP, the guidance also introduces some newer technologies that are becoming more popular within organisations. These features include:
- DTMF (dual-tone multi-frequency) Masking
- IVR (Interactive Voice Response)
- SIP Redirection
- Webchat technologies
- Software Phones (soft phones)
- Voice and Screen Recordings
Techniques for Reducing Scope
Scope reduction techniques are discussed within the guidance, including not only the DTMF masking, IVR, and SIP redirection technologies mentioned above, but also pause-and-resume call recording solutions, outsourcing to a specialist third-party service provider, and physical segregation. This guidance highlights the potential pitfalls with the two types of pause-and-resume technologies, for example manual pause-and-resume may see agents forgetting to pause the call recording and for automatic pause-and-resume, changes to the payment steps can see the pausing fail to work.
The role of the telco (telecommunications) provider is discussed in length within the updated guidance. This was included since a lot of telcos are incorrectly being deemed out-of-scope for PCI DSS assessment activities. Internet Service Providers (ISPs) and telcos are quite rightly deemed out of scope when providing just the communication link; i.e. internet provision, ISDN lines and SIP trunks. Where this has started to change is where services providers are now providing additional services which either have visibility of cardholder data or can impact upon the security of the cardholder data. This can depend on where the service provider is offering services such as; call recording, call recording storage, call analytics, and hosted/cloud VoIP services. Since these services are potentially exposed to the cardholder data, the service provider is very much in scope for PCI DSS assessment activities.
The Difficulties of Attaining PCI DSS Compliant Telephone Payments
My experience as a QSA has often found that the telephone payment channel is extremely difficult to attain PCI DSS compliance for. This is often due to factors such as:
- The use of single business systems used by the whole organisation makes it near impossible to de-scope said systems. This keeps the whole environment in scope for PCI DSS assessment activities
- VoIP telephone systems are becoming more ‘connected’ by introducing additional features (instant messaging, video conferencing, SMS, fax, IVR, etc…) above traditional telephony
- Limitations in older payment solutions which can be difficult for organisations to simply replace
- Retrofitting newly deployed solutions to take PCI DSS into account. Since PCI DSS is overlooked when dealing with telephony, new systems are often deployed without adequate due diligence around the standards
Due to these often-complex issues, more and more organisations are moving towards technologies which are designed to help de-scope the telephone payments such as DTMF masking, and solutions which are designed to handle the cardholder data on behalf of the merchant. That said, I have come across deployments which have been poorly designed and implemented therefore not quite achieving this goal.
It is extremely important to understand the intricacies of how these services work, and the flow of cardholder data through these solutions, to understand if the organisation’s systems are exposed to cardholder data. This can not only have an impact upon the size of the PCI DSS scope, but also can have an impact on call recording.
Implemented correctly, these types of services can massively reduce the scope of PCI DSS assessment activities, along with the applicable self-assessment questionnaire (SAQ) requirement which can often become aligned to SAQ A for the telephone payment channel.
As for the future of PCI DSS compliant telephone payments, the new guidelines make several much-needed clarifications, which should lead to less confusion and more standardisation around securing card data over voice channels.
About Wayne Murphy
Mr. Murphy is a Senior Security Consultant at Sec-1 Ltd., and has extensive experience in IT and information security, with a career spanning over two decades. He obtained his Information Security Systems Professional (CISSP) certification in 2007 and his IT Security roles have included penetration testing, management, security engineer and QSA. Wayne has recently made steps to focus his work on PCI engagements, which is where he feels his expertise can add the most value to Sec-1 and his clients.