PCI SSC just published an updated version of the Special Interest Group information supplement Protecting Telephone-Based Payment Card Data. The new guidance explores the potential risks and security challenges associated with telephone-based card payment environments. We sit down with Jean-Louis LaMacchia, Standards Development Manager and Chair of the Protecting Telephone-Based Payment Card Data Special Interest Group to discuss the guidance.
Why is the Council issuing this information supplement?
This information supplement- Protecting Telephone-Based Payment Card Data- was published as the result of industry feedback received from PCI stakeholders that updated guidance on securely accepting telephone payments was needed. Since the publication of the original document in 2011, the marketplace for telephone-based payment card solutions has changed from a risk, legal/regulatory, and technology aspect.
With EMV Chip technology securing card-present transactions, criminals are increasingly looking to exploit card-not-present channels such as mail order/telephone order and e-commerce. Because telephone-based payments now represent an area of opportunity for fraud, entities need to properly evaluate and protect their telephone-based payment environments.
Regulations and laws have also evolved to protect consumers. These changes include an increase in recorded customer conversations, which may result in unnecessary storage of payment card data information. In general, no payment card data should ever be stored unless necessary to meet the needs of the business.
Telephone environments often use technologies and solutions not found in other types of environments, such as voice-masking technologies. Additionally, traditional analogue-based telephony systems are being phased out by many organizations and replaced by Voice over Internet Protocol (VoIP) technology, and entities need to understand the impact of this evolution.
What is the main audience for this paper and how can they use it to accept telephone payments securely?
The audience for this guidance includes entities with telephone payment environments of all types and sizes, providers of telephony services, acquirers, and Qualified Security Assessors (QSAs).
The updated guidance provides considerations to help organizations reduce the risks associated with telephone-based payments. The document explores common risks associated with telephone payment environments and considers how PCI DSS requirements could apply to different scenarios. Common examples of technologies used in telephone-based card payment environments are identified, together with their potential risks and implementation considerations.
Additionally, the document provides examples and guidance to assist entities with identifying the demarcation points between telephone environments, telephone carriers, and service providers, and how responsibilities may be shared between these different stakeholders.
What is the new content included in the new guidance? How is it different than previous guidance?
As well as updating and expanding on the guidance provided in the 2011 information supplement, this updated guidance takes a deeper dive into the people, processes and technology considerations for securing telephone-based payment environments. The document also explores considerations for how PCI DSS scope may be affected by different technology implementations, and the lines of demarcation between different entities and service providers.
How will this paper help merchants with their PCI Data Security Standard (DSS) efforts?
This guidance will help merchants with telephone-based payment card environments understand the complexities of their environment, including the impact that different technologies and implementations may have. For example, many merchants using VoIP in their telephone environment may not be aware of the impact this may have to their scope and the methods used to secure payment card data.
Additionally, technologies are often implemented for the purpose of reducing PCI DSS scope without sufficient understanding of the impact to the payment environment. The implementation of such technologies needs to be carefully evaluated to determine the resultant impact to the security and scope of a particular environment.
As well as needing to understand the different technologies and implementation options, merchants accepting telephone-based payments will often share responsibilities for securing payment card data with a number of service providers. The guidance helps merchants understand what to look for in order to identify the demarcation points between the different environments. This in turn will help merchants and their service providers understand their respective responsibilities for securing payment card data.
Are there some best practices to securely accepting telephone payments over the phone?
The recommendations and best practices provided in the guidance are focused on people, process and technology. Some of these include:
People: One of the best ways to mitigate that risk is to create and maintain a culture of security within the organization. Roles should be clearly defined and assigned based on need to know, to ensure that the minimum required number of personnel have access to account data. Particular attention must also be given to home-based workers. Entities should evaluate the additional risks associated with processing account data in unsecured locations and implement controls accordingly.
Process: Organizations should implement processes to support their security objectives and reduce opportunities for fraud. For example, to minimize the opportunities for unauthorized capture of account data in written or electronic form, an organization may consider implementing a policy that excludes materials and devices that could be used to record data from the telephone environment. Additionally, the physical telephone payment environment should be effectively monitored and access controlled.
Technology: Wherever possible, solutions that minimize exposure of personnel to account data should be considered. To prevent unauthorized access to account data, technologies should be secured and checked regularly for viruses or other malware as well as for signs of physical tampering—for example, the addition of a keyboard-logging device. Home-based and remote workers should always use multi-factor authentication when connecting to the telephone environment or to any systems which processes account data.
This paper was created by a Council Special Interest Group. Can you talk a little bit about this program?
Special Interest Groups (SIGs) are community-driven initiatives focusing on challenges related to PCI Security Standards. SIGs promote the collaboration between industry representatives, subject matter experts, the Council and the Payment Brands to allow the development of practical payment security resources.
Protecting Telephone-Based Payment Card Data was selected by the PCI Participating Organizations as one of the key areas to be addressed via the SIG this year. In addition to Council and Payment Brands representatives, this SIG included 65 participants representing 14 QSA Companies and 36 Participating Organizations. The blend of experience and knowledge of the SIG participants made it possible to produce guidance relevant and useful to the industry. Visit the Special Interest Group page to learn more about how to lend your expertise to future SIG projects