This week saw the eagerly awaited update to the “ Protecting Telephone-based Payment Card Data Guidance ” by the Payment Card Industry Security Standards Council (PCI SSC) . The update has been a few years in the making, with the PCI SSC and industry stakeholders providing a draft version that was distributed to the assessor community in early 2017. The PCI SSC received an overwhelming number of comments in response to the draft, so felt a special interest group (SIG) would be best placed to collaborate on an updated version of this guidance.
I was fortunate enough to have the opportunity to lend my expertise and serve as a contributing member of this SIG, along with Semafone’s Global Solutions Director, Ben Rafferty. Below I’ll offer an overview of some of the biggest changes announced with this updated guidance.The Largest Updates for Protecting Telephone-based Payments
Given that the last version of this guidance came out in 2011, the PCI SSC and the SIG went through a comprehensive overhaul, and thus produced many updates to address the evolution of technologies and processes that have occurred throughout the years.VoIP
Although VoIP (Voice over IP) has been around since the 1970’s, it wasn’t properly developed until around 1995. The initial guidance was released in 2011, many years after VoIP usage within the marketplace. As a result, VoIP has often been misunderstood within the PCI DSS (Payment Card Industry Data Security Standard) community, resulting in it either being missed when scoping a PCI DSS environment or simply assessed incorrectly, even though the PCI SSC has released an FAQ on this subject.
Scoping the cardholder data environment (CDE) , meaning identifying what people, process, or technology PCI DSS requirements apply to and therefore need to be included within a PCI DSS assessment, can often be difficult. This update includes a lot of information on how VoIP can impact the scope of a CDE to dispel any misconceptions merchants, service providers, consultants, and even some Qualified Security Assessors (QSAs) might have when VoIP is used to transmit cardholder data verbally within a telephone payment channel (e.g. contact centers).
As a QSA, it is sometimes awkward going into a client environment where previous PCI professionals have failed to properly identify VoIP as being in scope. This situation often ends up being problematic for the client because it either means they are unable to pass an audit, or they need to carry out some expensive and costly work to attain PCI DSS compliance due to previous misinformation.
As this new guidance highlights, VoIP is very much in scope for PCI DSS. This will not only ensure telephone payment channels are properly scoped, but it should also help to further secure these channels. Additionally, the guidance will help to promote a consistent message by PCI DSS professionals when working with payment channels handling VoIP communications.
New Technologies & Processes
The guidance provides a variety of scenarios to help the reader understand scoping concerns when dealing with telephone payment channels, ranging from simple to much more complex phone payment operations. Risks associated with the people, process, and technology aspects of both simple and complex payment channels are also discussed, along with guidance on how organisations can address some of these risks.
In addition to highlighting the scoping implications of VoIP, the guidance also introduces some newer technologies that are becoming more popular within organisations. These features include:DTMF (dual-tone multi-frequency) Masking IVR (Interactive Voice Response) SIP Redirection Webchat technologies Software Phones (soft phones) Voice and Screen Recordings Techniques for Reducing Scope
Scope reduction techniques are discussed within the guidance, including not only the DTMF masking, IVR, and SIP redirection technologies mentioned above, but also pause-and-resume call recording solutions , outsourcing to a specialist third-party service provider, and physical segregation. This guidance highlights the potential pitfalls with the two types of pause-and-resume technologies, for example manual pause-and-resume may see agents forgetting to pause the call recording and for automatic pause-and-resume, changes to the payment steps can see the pausing fail to work.
The role of the telco (telecommunications) provider is discussed in length within the updated guidance. This was included since a lot of telecommunications companies are incorrectly being deemed out-of-scope for PCI DSS assessment activities. Internet Service Providers (ISPs) and telelcommunications are quite rightly deemed out of scope when providing just the communication link; i.e. internet provision, ISDN lines and SIP trunks. Where this has started to change is where services providers are now providing additional services which either have visibility of cardholder data or can impact upon the security of the cardholder data. This can depend on where the service provider is offering services such as; call recording, call recording storing, call analytics, and hosted/cloud VoIP services. Since these services are potentially exposed to the cardholder data, the service provider is very much in scope for PCI DSS assessment activities.
The Difficulties of Attaining PCI DSS Compliant Telephone Payments
My experience as a QSA has often found that the telephone payment channel is extremely difficult to attain PCI DSS compliance for. This is often due to factors such as:The use of single business systems used by the whole organization makes it near impossible to de-scope said systems. This keeps the whole environment in scope for PCI DSS assessment activities VoIP telephone systems are becoming more ‘connected’ by introducing additional features (instant messaging, video conferencing, SMS, fax, IVR, etc…) above traditional telephony Limitations in older payment solutions which can be difficult for organizations to simply replace Retrofitting newly deployed solutions to take PCI DSS into account. Since PCI DSS is overlooked when dealing with telephony, new systems are often deployed without adequate due diligence around the standards Due to these often-complex issues, more and more organizations are moving towards technologies which are designed to help de-scope the telephone payments such as