Updated guidance for payments over the phone closes PCI DSS loopholes
Guildford, UK – 29 November, 2018 – Semafone, the leading provider of data security and compliance solutions for over-the-phone payments, has called on contact centres to pay heed to changes to the Payment Card Industry Security Standards Council (PCI SSC) guidance for protecting telephone-based payment card data. Updated for the first time since 2011, the guidance was released today and clarifies a number of points relating to compliance with the Payment Card Industry Data Security Standard (PCI DSS).
“Since the guidance was last updated in 2011, new technologies and payment channels are increasing the scope of the cardholder data environment and creating some uncertainty and compliance challenges for contact centres,” said Ben Rafferty, Semafone’s global solutions director and a contributing member of the Special Interest Group (SIG) formed by the PCI SSC to update the guidance. “Drawing on our experience of descoping enterprise contact centres around the globe, we aim to provide advice for anyone securing these critical payment channels.”
The key points of the new guidance, highlighted by Semafone, are as follows:
- Keep softphones separate. The emergence of VoIP and softphones, which are often connected to the desktop environment processing payments, can result in the entire system becoming “in scope” of PCI DSS and subject to its stringent controls. As a result, it is strongly recommended that contact centres fully segment their data and telephony networks.
- Any cardholder data captured in call recordings brings more checks than ever. Qualified Security Assessors (QSAs) now have clear guidelines regarding call recordings and the capture of sensitive card details. Both manual and automated “pause and resume” systems, whereby recording is briefly stopped, are deemed to run the risk of accidentally capturing these details. If a contact centre is using either of these solutions, QSAs can demand extensive evidence of measures to protect sensitive data. Multi-factor authentication controls need to be added to call recording solutions, as well as to storage and search tools, and QSAs are empowered to conduct invasive auditing to ensure that additional controls have been put in place effectively.
- Third-party service providers are in scope if they provide more than a dial tone. The new guidance specifies that any call service, from a “transfer” to a “call recording”, that is provided by a third party, will bring that provider into scope of the PCI DSS. The only service that is exempt is a simple voice communications connection, or “dial tone”.
- Devices that control Session Initiation Protocol (SIP) redirection are in PCI DSS scope. The new guidance recognises that redirecting a call to a secured line, just for the payment process itself, exposes it to a potential risk of interception or diversion by hackers. As a result, all such devices controlling redirection, on or off site, are vulnerable and therefore fall into the scope of PCI DSS and are subject to the full range of controls.
- Removing the card data from the contact centre is the only secure solution. Lastly, the updated guidance recommends scope reduction techniques and technologies, including managed and unmanaged dual-tone multi-frequency (DTMF) masking solutions, such as Semafone’s Cardprotect. These solutions entirely remove cardholder data and other personal information from the contact centre environment. Callers enter their card numbers via their telephone keypad, remaining in full communication with the agent throughout. The DTMF key tones are masked with flat bleeps, so they cannot be identified by their sound. This prevents any sensitive card information from coming into contact with the agent, with call recording technology and with any other desktop applications. The card data is sent directly to the payment processor, bypassing the contact centre completely.
“When working with clients looking to attain PCI DSS compliance, the telephone payment channel is the most challenging to address for several reasons,” said Wayne Murphy, a QSA with Sec-1 and contributing member of the SIG. “Contact centre agents often need access to single business systems, which are accessible by all departments within an organisation, bringing most of the business into scope for PCI DSS assessment activities. Plus, integration with VoIP systems makes it nearly impossible to simplify the current payment channel to reduce scope.”
As Jean-Louis LaMacchia, Standards Development Manager and Chair of the Protecting Telephone-Based Payment Card Data SIG, stated in a blog, “Wherever possible, solutions that minimize exposure of personnel to account data should be considered. To prevent unauthorized access to account data, technologies should be secured and checked regularly for viruses or other malware as well as for signs of physical tampering—for example, the addition of a keyboard-logging device. Home-based and remote workers should always use multi-factor authentication when connecting to the telephone environment or to any systems which process account data.”
Rafferty concluded, “I urge all contact centre professionals to take the time to read these new guidelines and determine how they can abide by Semafone’s mantra, ‘No one can hack the data you don’t hold.’”
To learn more, check out Semafone’s blog here.