PCI SSC updates guidance for phone-based payments

Updated PCI Security Standards Council (PCI SSC) guidance, published Nov. 28, 2018, addresses the increasingly complex landscape of accepting payments by phone. Spearheaded by a PCI SSC Special Interest Group of call center and technology experts, Protecting Telephone-based Payment Card Data outlines best practices for mitigating fraud by removing sensitive data from scope.

Ben Rafferty, global solutions director at Semafone and Special Interest Group member, said the council last issued call center guidance in 2011, and the landscape has evolved significantly in recent years. The new guidance pertains to a new set of risks posed by Voice over Internet Protocol (VoIP), softphones and chatbots, he said, noting that these emerging technologies are potential targets for card-not-present fraud.

"Because protecting payment card data within contacts centers is the core of Semafone's business, we invested our time to share our expertise for the new guidance," Rafferty said. "Drawing from our experience descoping enterprise contact centers around the globe, we hope to provide clarity on securing these critical payment channels."

Simplifying call center compliance

Recommended scope reduction techniques include masking technologies that make payment card data indecipherable to call center agents or advanced routing schemes that send card data directly to processors. These techniques have been shown to simplify compliance, safeguard data and build customer trust, experts noted.

Following are additional areas, identified by the council, in need of scope reduction:

• Call recordings: Recorded conversations that contain cardholder data and sensitive authentication data must be accessible only to authorized managers and securely deleted.

• Pause and resume: Properly implemented Pause and Resume solutions can take call recordings and storage systems out of scope but are only as effective as the individual agents who implement them, experts have noted. Updated guidelines require supervising manual systems and testing automated systems.

• Third-party service providers: Guidelines specify when a telecommunications provider is in or out of PCI DSS scope, requiring third-party providers with more than a "communications link" to have PCI DSS compliance responsibilities.

• VoIP, softphones and encryption: VoIP and softphones create opportunities for "scope creep," due to their connections to the cardholder data environment. Contact centers must segment their data and telephony networks to remain compliant.

• Session initiation protocol redirection: These guidelines map responsibilities and scoping of telephony architecture to support the merchant and QSA community.

Telephony, network segmentation

Michael Simpson, security analyst at SecurityMetrics, said phone-based payments are widely used by call centers, universities and fundraisers. These companies should not be storing cardholder data and sensitive authentication data and CVV codes; merchants that accept credit card payments over the phone need to implement solutions that stop recording when data is entered, he noted.

"Unfortunately, any time you have human intervention, you'll make mistakes," he said. "Systems designed to pause when sensitive data is transmitted may still contain sensitive data because the agents forget to use the feature."

Simpson went on to say that merchants must submit annual risk assessments to their acquiring banks to get buy-off on storing sensitive data. However, not all large call centers are merchants; some are just service providers, he stated. In these cases, service providers should ask their merchant bank and merchant service provider for a copy of their annual risk assessment to make sure their storage methods are approved and compliant, he added.

Editor's Note:

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.