It’s been a few years in the making, but the long-awaited update to the “Protecting Telephone-based Payment Card Data Guidance” supplement has been released by the Payment Card Industry Security Standards Council (PCI SSC). The last version of the guidelines was released in 2011, very old considering the progress in communications, infrastructure and payment technology since then. There have been many updates in order to address this, along with dispelling some misconceptions about PCI scope.
The Payment Card Industry Data Security Standards (PCI DSS) has been around since 2004 to help organisations of all shapes and sizes transmit, store and process cardholder data in a way that is safe and secure. With new technologies developing every day since then, the PCI guidelines require continuous evaluation to persist in offering the appropriate levels of security.
In a LinkedIn article, John Greenwood, Director at Thought Leadership at Compliance3 said: “The guidance takes the opportunity to state why securing telephone-based data is worthy of our attention, and the answer we are given is ‘fraud’ and the measured shift in organised crime towards MOTO as the face to face and ecomm channels are secured.”
Taking this into consideration, there are few aspects of the updated guidelines that deserve highlighting:
VoIP Telephony Solutions
VoIP has come on leaps and bounds since it’s introduction in the 1970’s and its finalised development in 1995. Today, the technology now forms the primary telephony system in many organisations, especially Contact Centres, with features beyond traditional verbal communication such as instant messaging, video conferencing, SMS and more.
The guidelines update should dispel any misconceptions that merchants, service providers, consultants and even some QSA’s might have when VoIP is used when transmitting cardholder data, verbally or otherwise. It became apparent that some QSA’s were auditing clients and finding that other PCI professionals had failed to properly identify VoIP as being in-scope of PCI compliance.
The guidelines now state that VoIP is in fact in-scope of PCI DSS, providing details to assist organisations with their Self-Assessment Questionnaires (SAQs) or to better understand the expectations of a QSA. Ultimately, this should reduce the time and cost involved when assessing and auditing the scope of the Cardholder Data Environment (CDE).
The SSC previously released an FAQ in an attempt to address any of these issues, but ultimately determined that an official document was needed to appropriately determine the scope of VoIP.
Pause and Resume or Stop/Start Call Recording
Manual and automatic Pause and Resume (or stop/start call recording) has often been a difficult area to approach in terms of PCI as it generally misses the role of the agent or staff member involved in the process. When using pause and resume technology, the call recording and the organisations storage systems are taken out-of-scope, but it doesn’t stop PCI DSS being applicable to the agent or staff member. This includes their desktop environment or other systems on the telephone environment.
By highlighting the common pitfalls of manual or automatic call recording, the guide aims to segregate pause and resume as a separate technology entity. (Section 6.5, Page 36)
We cover many of the risks involved with Pause and Resume technology in this article
Taking the Agent Environment Out-of-Scope
An ideal solution for organisations and contact centres who want to stop their staff being exposed to sensitive card details, is to consider DTMF masking or suppression. When a customer enters their card details using their telephone keypad numbers, a unique tone is generated which could potentially be recognised, recorded or deciphered. DTMF masking or suppression technology replaces them with flat tones or removes them all together.
The technology wasn’t mentioned in the previous update, but the new guidelines outline a number of off-premise and on-premise DTMF scoping scenarios for organisations to consider, illustrating how an agent environment can be taken out of PCI scope (Diagram 7, Section 126.96.36.199 Page 34 & Diagram 8, Section 188.8.131.52, Page 35)
The document goes further to recommend that if an agent uses a desktop or dashboard when taking card payments, it should have any propagated card details replaced or masked with an asterisk(*).
“A properly designed and deployed DTMF-masking solution can take not only the telephony environment, but also the agent environment and CRM system out of scope. Entities should avoid solutions that leave agent environments in scope unless there is an unavoidable business requirement to do so.”
The guidelines support Key IVR’s best practice approach for taking card payments over the phone. DTMF suppressed keypad tones and a user-friendly PCI compliant agent dashboard are two fundamental features of our Agent Assisted Payment services. This allows an agent to stay in full conversation with a customer throughout the call and follow the transaction progress on screen, without hearing or seeing the full card number.
Telco and ISPs
When considering their scope for PCI, some telecommunications providers (telcos) were incorrectly being deemed out-of-scope. As demand for more complex transmissions of messages through telcos has diversified over the years, especially in terms of data capturing, call analytics and call recording, their role when discussing PCI has changed.
The guide (Section 2.4, Page 13), now outlines that Internet Service Providers (ISPs) and telcos can still be deemed out-of-scope when solely providing the communication link for an organisation (E.g. ISDN line or SIP trunk), but if they provide services that can potentially expose sensitive Cardholder Data (CHD), then they are considered in-scope.
Classification of Technologies
John Greenwood at Compliance 3 highlights another important aspect of the guidelines, that introduces a new “classification of technologies that have the capability of being deployed in a way that prevents spoken account data entering the environment and can support a no Card Data Environment approach”.
John notes that the guidelines extend the approach from previous drafts beyond “attended” where an agent and customer remain in constant voice contact during a payment transaction and “unattended” where an automated payment IVR or web payment service is used. With two additional types of technology delivery options of “telephony” and “digital”, the result is four separate classifications to help assist organisations when investigating scope-reduction services.
In terms of customer experience or contact type, technologies can be classified as being one of the following types:
Attended – Where the entity remains in direct voice contact with its customer for the entire duration of the telephone payment transaction.
Unattended – Where the entity does not remain in direct voice contact with its customer for the entire duration of the telephone payment transaction, and all or part of telephone payment component of the call is handled by a different technology path E.G., IVR or some type of redirection to a web payment process.
In terms of technology dependency on the entity’s telephone infrastructure, technologies can be further classified as either:
Telephony based – Where the technology application is wholly dependent on the entity’s telephony infrastructure, effectively using voice or DTMF tones, through the use of the telephone keypad, to facilitate the transaction.
Digital based – Where the technology application sends a message or email to the customer with a link to a PCI DSS compliant web-based payment page where the customer is invited to input their PAN and SAD using a connected device such as smartphone, tablet, laptop, or desktop computer.
Section 6.2, Page 29 – Protecting Telephone-based Payment Card Data Guidance
We welcome the update to the guidelines as they provide clarity on some often misunderstood areas of PCI scope. This supports our approach when the discussing cardholder data environment (CDE) with organisations both large and small, highlighting the increasing importance of protecting their customer’s sensitive payment details.
The clear diagrams are invaluable at defining scope across a number of scenarios, helping organisations alike save time and money when looking to achieve PCI compliance.
If you have any questions about the “Protecting Telephone-based Payment Card Data Guidance” updates or want to discuss achieving PCI compliance with our scope-reduction payment solutions, get in touch today by emailing [email protected] or calling +44 (0) 1302 513 000.