Document Comparison
protecting_telephone-based_payment_card_data.pdf
→
Protecting_Telephone_Based_Payment_Card_Data_v3-0_nov_2018.pdf
5% similar
Pages: 12 → 70
Words: 3339 → 21162
Content changes: 92
From Revision History
- March 2011 2.0 Initial release.
Content Changes
92 content changes. 67 administrative changes (dates, page numbers) hidden.
Added
p. 1
Version: 3.0 Date: November 2018 Author: Protecting Telephone-Based Payments Special Interest Group
Added
p. 2
March 2011 2.0 Initial release.
November 2018 3.0 Updated by PCI Special Interest Group.
Added
p. 5
1. Introduction The Payment Card Industry Data Security Standard (PCI DSS) defines security controls to protect payment card data throughout the transaction lifecycle. PCI DSS requirements apply across all payment-acceptance channels, including mail order/telephone order (MOTO).
This document focuses exclusively on securing telephone-based payment card data including an entity’s transition to voice-over-IP (VoIP) based communications. This is particularly relevant for entities in locations where established national carriers have announced transition plans to move away from Integrated Services Digital Networks (ISDN) and public switched telephone networks (PSTN) toward the exclusive provision of VoIP services. Where possible, the document uses simple language and diagrams to explain the risks and vulnerabilities associated with telephone-based payment environments and provides guidance on how to secure them irrespective of the size or capabilities of the telephony environment. This document does not provide guidance on the types of technology that should be used to meet an entity’s business …
Added
p. 5
The intended audience includes, but is not limited to:
Entities, such as merchants, that use telephony as a card-acceptance payment channel.
Entities such as merchants, customer-service centers, call centers or contact centers that outsource or are considering outsourcing telephony payment acceptance to a third-party service provider.
Added
p. 6
Technology vendors providing, maintaining, and/or managing telephone payment systems.
Providers of telephony services, e.g., interactive voice response (IVR) or Dual-Tone Multi-Frequency (DTMF) masking/suppressing.
Qualified Security Assessors (QSA) and Internal Security Assessors (ISA) that support these entities.
Acquirers, payment service providers, and payment gateways that support relevant entities.
Card issuers that support the secure distribution of payment cards to cardholders.
Added
p. 6
Considers why securing telephone-based account data is important.
Provides clear statements on PCI DSS scope in both simple and complex telephony environments. This approach is intended to support the full range of environments, telephony systems, and supporting technologies that entities use to accept telephone-based payments.
Provides guidance on documenting account data flows for a telephone-based cardholder data environment (CDE).
Considers applicability of PCI DSS requirements to simple and complex telephone environments.
Provides guidance on using third-party service providers for supporting telephone-based payments.
Provides guidance on using methods that may help minimize the amount of account data in each type of telephone.
Table 1: Guidance appendices
Appendix A: Glossary to help the reader through the range of telephony-related terms and acronyms used in the document.
Appendix B: Quick Guide to using this guidance.
Appendix C: Process chart allowing the reader to identify their telephone environment and scope-reduction technologies they may want to consider.
Appendix D: High-level …
Added
p. 7
Telephony-specific terms are available in the document’s glossary (Appendix A).
In addition to the telephony-related terms and acronyms detailed in Appendix A, the following PCI DSS terms and acronyms are used throughout this document:
Table 2: Payment card data
Account Data
Cardholder Data (CHD) includes: Primary Account Number (PAN), Cardholder Name, Expiration Date, Service Code
Sensitive Authentication Data (SAD) includes: Full track data (magnetic-stripe data or equivalent on a chip), Card verification code (CAV2/CVC2/CVV2/CID), PINs/PIN blocks
Information Supplement
Added
p. 8
The working environment in which telephone-based transactions are received provides numerous opportunities for compromising payment card data both externally by criminals gaining access to systems and software and internally via personnel with malicious intent handling the calls. Personnel receiving account data through a telephone handset or via a computer screen could use a variety of techniques to acquire and record this data, from simply writing the details into a book or mobile device to utilizing key-logging or recording equipment. In addition, audio signaling can be captured in transit, and it is trivial for an attacker to convert audio into queryable data.
Risk-mitigation technologies such as EMV chip cards have helped to significantly reduce card-present fraud rates. As a result, criminals are increasingly looking to exploit CNP channels such as mail order/telephone order and e-commerce. Telephone-based payments represent an area of opportunity for fraud, as this method of payment exposes account data in …
Added
p. 8
PCI DSS applies to all system components included in or connected to the cardholder data environment (CDE). The CDE is comprised of people, processes, and technologies that store, process, or transmit cardholder data or sensitive authentication data.[1] Accepting spoken account data over the telephone puts personnel, the technology used, and the infrastructure to which that technology is connected into scope of PCI DSS.
Added
p. 9
Scenario 1: Traditional telephone line
Generally speaking, entities are not considered responsible for the transmission of card data over an external traditional telephone line (also described as “plain old telephone service,” or POTS), as the risk of man-in-the-middle attacks on data transmissions over these lines is considered low.
Diagram 1 below shows a simple telephone environment where account data is spoken over a traditional POTS telephone line.
Added
p. 10
PCI DSS. However, should the entity use an answering machine to capture customer account data or the person answering the call writes down the account data, then the collection of account data in the scenario would be considered “storage,” and the entity’s processes and environment would be considered in scope for PCI DSS.
If the payment terminal illustrated in Diagram 1 connects to the Acquirer/PSP via Internet Protocol (IP), this connection may also be considered in the scope of PCI DSS. See Appendix F, Section F.3, “Simple Telephone System: Further Examples,” for more information.
Scenario 2: Call transferred to a call center service provider
Diagram 2 below shows another example of a simple telephone environment, this one using a call center service provider. In this example, the entity does not collect any payment or account data, but transfers the call to a call center service provider to handle the payment.
Added
p. 11
Diagram 2: Simple telephone environment with call center service provider
Where account data is received by the entity via POTS and then transmitted over an IP-based or public network to an acquirer or PSP, or manually entered or stored on an entity’s system, PCI DSS requirements for the protection of customer account data would also apply.
Where VoIP is used for transmissions of payment card account data between a cardholder and an entity, the entity’s systems and networks used for those transmissions are in scope. Securing the VoIP transmission outside of the entity’s infrastructure is not considered within the entity’s scope, as the entity cannot control the methods used by the cardholder to make and receive phone calls. This applies regardless of whether the transmissions are initiated by the entity or the cardholder. For further …
Added
p. 12
The use cases illustrated in Diagrams 3, 4, and 5 offer general examples of how PCI DSS scope applies to complex telephone environments.
Added
p. 13
Table 3: Call flow prior to CHD being present
Step 1: The customer makes a call to the entity.
Step 2: The call traverses the carrier network, the telephone switch answers and directs the call to an available agent.
Step 3: The entity’s voice and data network transmit the call to the agent.
Step 4: The agent answers the call and interacts with the customer.
Step 5: The agent enters data into the customer database.
Step 6: The event is reported.
Step 7: The call is recorded, and the recording is stored.
Added
p. 14
Systems, devices, or networks within other areas of the business (shown in the diagrams as Finance/HR/Other) as well as any third parties connected to the systems handling CHD may also be in scope for PCI DSS. Carriers providing only access to public networks[2] are generally considered outside the scope of PCI DSS, hence the carrier network in this example is represented in green.
Diagram 4: Telephone environment and call flow where CHD is captured and stored
[2] Carrier networks may be in scope for other types of services. Refer to the definition of Service Provider in the online Payment Card Industry (PCI) Data Security Standard Glossary, Abbreviations and Acronyms (https://www.pcisecuritystandards.org/pci_security/glossary#S).
Table 4: Call flow where CHD is captured and stored
Step 1: The customer is connected to the agent and call recording has started; as part of the dialogue, when asked, they provide their account data to the agent via the carrier …
Added
p. 16
Note: Each business entity is responsible for determining the extent of its CDE and PCI DSS scope of its environment.
Added
p. 17
[A] business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This also includes companies that provide services that control or could impact the security of cardholder data. Examples include managed service providers that provide managed firewalls, IDS and other services as well as hosting providers and other entities. If an entity provides a service that involves only the provision of public network, such as a telecommunications company providing just the communication link, the entity would not be considered a service provider for that service (although they may be considered a service provider for other services).
Table 5 provides some example scenarios involving the use of third-party service providers, how the use of those service providers may impact an entity’s PCI DSS scope, and some additional factors that should be taken into consideration:
Table 5: Scope for service providers
Entity …
Added
p. 18
If at any point an entity stores, processes, or transmits account data within its environment, the entity’s systems and networks through which the account data is stored, processed, or transmitted fall within the scope of the PCI DSS, and applicable PCI DSS Requirements must be met irrespective of the type of network the entity has deployed. For example, a VoIP network transmitting account data would be subject to the same PCI DSS requirements as would an internal IP-based network that transmits account data. Additionally, PCI DSS Requirement 4.1 would apply wherever account data is transmitted over a shared or public VoIP service.
Where “voice” traffic from the public telecommunications network (i.e., carrier) terminates on equipment owned and operated by the entity or a service provider and is then sent (regardless of whether it is analog, digital, or VoIP transmission) to a third-party service provider, the demarcation point is the equipment owned by …
Added
p. 19
The process used by the entity or a service provider to demonstrate compliance with PCI DSS, including for controls that rely on a third-party service provider, is discussed in detail in the Information Supplement: Third-Party Security Assurance.[4]
2.5 Systems and Networks Mistakenly Excluded from Scope
Telephony environments are only as secure as their weakest link. Risks may not be considered when systems or networks are wrongly excluded from PCI DSS scope; this is often the result of two scenarios:
Improperly secured access from a third party or an application residing outside the CDE:
Components that are often improperly secured include networks and systems not directly involved in the payment process, but that have connectivity to payment systems or the telephony environment where payment card data is stored, processed, or transmitted. Examples include corporate intranets, finance systems, human resource (HR) and other personnel-management systems, shared network directory servers, possibly the entire corporate …
Added
p. 21
Insider threat occurs when a person with legitimate access misuses his privileges and compromises the operations and security of a company… when an insider who has rightful access to the data is involved, it can often go undetected. There has been a steady rise in the number of cases of insiders’ threat related incidents in recent years.[5]
3.1 Risks and Guidance in Simple Telephone Environments
The telephone environment, whether large or small, provides significant opportunities for payment card data to be compromised from outside the organization by criminals gaining access to systems and software.
Compromises can also originate inside the organization from personnel who handle the calls or have access to systems and processes that support telephone-based payments.
One of the best ways to mitigate that risk is to create and maintain a culture of security within the organization.
In terms of people, the following should be highlighted:
All personnel having access to …
Added
p. 22
Where such personnel have access to account data or systems in the CDE, the following measures should be in place. Note that this is not a comprehensive list and that many of the best practices in this document reflect PCI DSS requirements. How these requirements apply will need to be determined for each organization.
In addition to the controls described in Section 3.1, the following controls are further examples of measures to limit the exposure of sensitive data to unauthorized parties:
Clearly define roles and assign all system access based on need to know, to ensure that the minimum required number of personnel have access to account data. For example, assign roles so that payment card information can be entered by a sales agent, but other staff such as customer service representatives have access only to the masked PAN.
Screen potential personnel prior to being hired (as per PCI DSS Requirement 12.7) …
Added
p. 23
Processes should also be put in place to prevent the use of other transportable technology devices where account data is processed through systems, e.g., memory sticks, Bluetooth recorders, and/or key loggers.
These processes are not explicitly required by PCI DSS but can be implemented as part of the entity’s security policy to fulfil the requirement to protect payment card data.
In all cases where calls may be intentionally recorded, entities should ensure that sensitive authentication data is not stored after authorization, as made clear in the foregoing paragraphs.
Added
p. 24
To prevent unauthorized access by individuals with any malicious intention, policies and procedures should be defined to ensure that all personnel, including onsite employees, home workers, and remote agents, are aware that any unauthorized copying, moving, sharing, or storing of payment card data is prohibited.
Additionally, the physical environment within which an office worker or home worker is taking card payments over the telephone should be effectively monitored and access controlled.
Examples of required controls
Ensure that at-home/remote workers use a multi-factor authentication process when connecting to the telephone environment or to any systems that process account data.
Restrict physical access to media containing payment card data, such as call or screen recordings, as well as networking/communications hardware.
Ensure only authorized personnel are allowed in business areas where telephony equipment and agent desktops are located. For company premises, this includes implementing procedures to clearly identify visitors and make sure all visitors are …
Added
p. 25
PCI SSC Prioritized Approach (document links available in Appendix G) helps stakeholders understand where and how they can act to reduce risk earlier in the validation process using a prioritized, milestone-based approach. For example, the first milestone is to remove sensitive authentication data and limit data retention.
By limiting exposure of payment data in your systems, you simplify scope and validation, reducing the chance of being a target for criminals.
Added
p. 25
Additionally, any customer database systems, third-party CRM applications, or order-processing systems into or through which account data is processed, transmitted, or stored should be secured. Among other possible controls, examples include:
Ensure that at-home/remote workers use a multi-factor authentication process when connecting to the telephone environment or to any systems which process SAD/CHD.
For all personnel, prohibit unauthorized copying, moving, and storing of account data onto local hard drives and removable electronic media when accessing payment card data via remote-access technologies.
Ensure that the PAN, once entered into the system, is masked when displayed; no more than the first six and last four digits should be displayed. Note that individuals may view additional PAN digits when there is a legitimate business need to do so, for example, if a supervisor needs to review the full details of a particular transaction. Any individuals not specifically authorized to view …
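One way to implement the display masking described above, together with a check for full PANs that personnel have copied into free text (CRM notes, call-transcript text) in breach of the copying/storing prohibition, and the truncation and keyed-hash options the document recommends later for stored CHD (Section 5.2.1). This is an added example and not code from the PCI SSC document; the masking format, the candidate-PAN regular expression, the HMAC key and the sample CRM note are assumptions constructed for the example, and the PAN used is the well-known 4111… test number.

```python
"""Added example, not from the PCI SSC document: PAN masking for display,
rendering a stored PAN unreadable (truncation or keyed hash), and a scan for
full PANs leaking into free text such as CRM notes or call transcripts.
The test PAN and the note below are constructed sample data."""
import hashlib
import hmac
import re


def _digits(pan: str) -> str:
    """Strip separators; a PAN is 13 to 19 digits."""
    d = re.sub(r"\D", "", pan)
    if not 13 <= len(d) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    return d


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test, used to tell a PAN from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: at most the first six and last four digits are visible."""
    d = _digits(pan)
    return d[:6] + "*" * (len(d) - 10) + d[-4:]


def truncate_pan(pan: str) -> str:
    """Storage form: the middle digits are discarded, not merely hidden."""
    d = _digits(pan)
    return d[:6] + d[-4:]


def pan_token(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) so records can be matched without storing the
    PAN. An unkeyed hash is brute-forceable: with the six-digit BIN known,
    a 16-digit PAN has at most 10**9 remaining candidates."""
    return hmac.new(key, _digits(pan).encode(), hashlib.sha256).hexdigest()


# Runs of 13-19 digits, optionally separated by single spaces or dashes,
# that are not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<![\d])(?:\d[ -]?){12,18}\d(?![\d])")


def find_unmasked_pans(text: str) -> list[str]:
    """Return Luhn-valid PANs found in free text, normalised to digits only."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        d = re.sub(r"\D", "", m.group())
        if 13 <= len(d) <= 19 and luhn_valid(d):
            found.append(d)
    return found


# Constructed CRM note: a masked PAN (fine), an order number that fails
# Luhn (ignored), a phone number (too short) and a full test PAN an agent
# typed in (a finding).
SAMPLE_NOTE = (
    "Order 1234567890123 paid with card 411111******1111 on 2018-11-02. "
    "Customer called back, agent noted card 4111 1111 1111 1111 for the refund. "
    "Callback number +44 20 7946 0958."
)

if __name__ == "__main__":
    print(mask_pan("4111 1111 1111 1111"))
    print(truncate_pan("4111 1111 1111 1111"))
    print(find_unmasked_pans(SAMPLE_NOTE))
```

The scanner is deliberately conservative (Luhn plus length), so it will miss PANs broken across lines and will occasionally flag a Luhn-valid non-PAN number; treat hits as leads for the role-based review the text describes rather than as proof. If both a truncated and a hashed form of the same PAN are kept, the two must not be storable together in a way that lets the missing digits be recovered, which is one reason to prefer the keyed token over a plain hash.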
Added
p. 26
− Have the latest approved security patches installed.
− Are configured to prevent users from disabling security controls.
Ensure the PCI security training (Requirement 12.6.2) for home workers conducting card-not-present (CNP) transactions addresses their responsibility to maintain the physical security controls for their telephony, IT systems, and work environments.
Added
p. 26
It is important to note that a system is considered “in scope” regardless of the volume of payment information it handles. An essential activity for each business is therefore to evaluate the risks for its own telephone environment. The use of a telephone service provider to route voice traffic to the organization should be included in any risk assessment the entity may perform. Some of the typical risk areas associated with telephone-payment environments include:
IT networks and telephony systems, e.g., switches, interactive voice response (IVR) systems, network directory services, DNS, DHCP
Physical environment used by all personnel, be they agents, customer service representatives, and/or others
Voice and screen recordings
Technologies or services used to reduce scope if they are not taken into the scope themselves
5.2.1 Securing IT Infrastructure
One of the first areas of consideration is the internal IT infrastructure that supports the telephone calls and their associated …
Added
p. 27
Segment in-scope systems from other networks, e.g., the “Finance/HR/Other” areas of the business shown in the telephone environment diagrams above, to prevent unauthorized access to the network and CHD.
Disable network services that are not needed across all in-scope system components. For example, IVR systems are often shipped with all network services enabled, some of which may be subject to security vulnerabilities that could allow unauthorized access to the system. Disabling network services that are not required for IVR functionality or for business purposes helps reduce the risk of vulnerability. Examples of common services that are often enabled by the vendor but may not be needed include Telnet, FTP, NTP, and sendmail.
Use strong cryptography to protect any CHD that is stored, for example, in audio recordings or in a database, or otherwise render the stored data unreadable, for example, via truncation or hashing.
Restrict access to call-recording and CRM data containing CHD …
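As an added example (not part of the PCI SSC document or any vendor's product), the following Python script turns the "disable what is not needed" advice into a repeatable check: it reads `ss -tulpnH` output from a Linux-based IVR or recorder host and lists every listener that is not on a documented allowlist. The sample output, the allowlist entries and the RTP port range are constructed for the illustration.

```python
"""Audit the listening services on an in-scope telephony host.

Added example, not taken from the PCI SSC document. It parses the output of
`ss -tulpnH` (Linux iproute2; the sample below is constructed, not captured
from a real IVR) and reports every listener that is not on the host's
documented allowlist, so the services the guidance names as commonly left
enabled (Telnet, FTP, NTP, sendmail) stand out, along with anything else that
nobody has justified.
"""
import re

# Documented business need for this (hypothetical) IVR host. Everything else
# that listens is a finding until someone writes down why it is needed.
ALLOWLIST = {
    ("tcp", 22): "SSH, restricted to the management jump host",
    ("udp", 5060): "SIP signalling from the PBX",
}
RTP_RANGE = ("udp", 16384, 32767)   # per-call media ports (assumed config)

# Names for ports whose presence on a payment IVR usually needs no debate.
WELL_KNOWN = {
    21: "ftp", 23: "telnet", 25: "smtp/sendmail", 69: "tftp", 111: "rpcbind",
    123: "ntp", 161: "snmp", 512: "rexec", 513: "rlogin", 514: "rsh",
}
LOOPBACK = {"127.0.0.1", "[::1]", "::1"}

# Netid State Recv-Q Send-Q Local:Port Peer:Port [Process]
SS_LINE = re.compile(
    r"^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+(?P<proc>.*)$"
)
PROC_NAME = re.compile(r'\(\("([^"]+)"')

# Constructed sample output for an IVR appliance as shipped by the vendor.
SS_SAMPLE = """\
tcp   LISTEN 0      128    0.0.0.0:22           0.0.0.0:*   users:(("sshd",pid=401,fd=3))
tcp   LISTEN 0      5      0.0.0.0:21           0.0.0.0:*   users:(("vsftpd",pid=522,fd=4))
tcp   LISTEN 0      128    0.0.0.0:23           0.0.0.0:*   users:(("inetd",pid=380,fd=5))
tcp   LISTEN 0      10     127.0.0.1:25         0.0.0.0:*   users:(("sendmail",pid=611,fd=4))
tcp   LISTEN 0      128    0.0.0.0:8080         0.0.0.0:*   users:(("java",pid=1204,fd=51))
udp   UNCONN 0      0      0.0.0.0:123          0.0.0.0:*   users:(("ntpd",pid=455,fd=16))
udp   UNCONN 0      0      0.0.0.0:5060         0.0.0.0:*   users:(("asterisk",pid=890,fd=20))
udp   UNCONN 0      0      0.0.0.0:18432        0.0.0.0:*   users:(("asterisk",pid=890,fd=31))
"""


def parse_ss(output):
    """Yield (proto, bind_address, port, process_name) for each ss line."""
    for line in output.splitlines():
        m = SS_LINE.match(line)
        if not m:
            continue
        addr, port = m.group("local").rsplit(":", 1)
        proc = PROC_NAME.search(m.group("proc"))
        yield m.group("proto"), addr, int(port), (proc.group(1) if proc else "unknown")


def is_allowed(proto, port):
    """True if the listener has a documented need (allowlist or RTP media range)."""
    if (proto, port) in ALLOWLIST:
        return True
    rproto, lo, hi = RTP_RANGE
    return proto == rproto and lo <= port <= hi


def audit_listeners(output=SS_SAMPLE):
    """Return the listeners that have no documented need, lowest port first."""
    findings = []
    for proto, addr, port, proc in parse_ss(output):
        if is_allowed(proto, port):
            continue
        findings.append({
            "proto": proto,
            "port": port,
            "service": WELL_KNOWN.get(port, proc),
            "bind": addr,
            # Loopback-only listeners are not reachable from the network, but
            # the guidance is to disable what is not needed, not to hide it.
            "exposure": "loopback only" if addr in LOOPBACK else "all interfaces",
        })
    return sorted(findings, key=lambda f: (f["port"], f["proto"]))


if __name__ == "__main__":
    for f in audit_listeners():
        print(f"{f['proto']}/{f['port']:<5} {f['service']:<14} bound to {f['bind']} ({f['exposure']})")
```

Run against the constructed sample, the script flags FTP, Telnet, sendmail (loopback only), NTP and an undocumented service on 8080, while SSH, SIP and the RTP media port pass. In practice the allowlist is the configuration standard PCI DSS Requirement 2.2 asks for, and the script is run after every change to the appliance.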
Added
p. 28
Please refer to Appendix E, “Further Considerations on VoIP,” for more information.
Added
p. 28
It is important to note that the use of such systems to capture payment card account data would bring the workstation, and probably the network it is connected to, into PCI DSS scope.
For more information, refer to the Information Supplement, Guidance for PCI DSS Scoping and Network Segmentation, mentioned in Appendix G. This Guidance is intended to provide further understanding of scoping and segmentation principles as applicable to a PCI DSS environment.
Added
p. 28
Depending on how it is deployed and whether it transmits payment card account data, DTMF masking is one of the technologies that can be used to reduce the risk to account data in the environment.
Added
p. 29
Organizations should consider the use of technologies that prevent CHD from entering the call recording while allowing the full call to be recorded. To ensure the security of any CHD within call recordings, the recording of a verbal transmission of CHD, or of DTMF tones that are processed unaltered, must be correctly stored and secured in accordance with PCI DSS requirements. Additionally, the capture and storage of screens or video recordings where CHD is visible must be equally secured.
Every possible effort must be made to eliminate SAD from the telephone environment. If an organization has a legitimate constraint that prevents it from removing SAD from its recordings, the organization should discuss this with its acquirer and/or payment brand. If SAD cannot be eliminated, it must be secured in a manner consistent with PCI DSS and must not be able to be queried.
Appendix D, “Call Recording Decision-making Process,” illustrates some high-level decision points …
Added
p. 31
PCI Data Security Standard: High-Level Overview
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Protect all systems against malware and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel
In addition, an entity can reduce risk and reduce its …
Added
p. 32
Whichever methods are used, the goal is to ensure that SAD is never stored after the transaction is authorized, and account data is secured and/or removed from systems and storage.
As a starting point, consider whether the organization should aim at excluding telephone-based card payment data entirely. This approach may be part of a structured business strategy to reduce risk by not accepting telephone payments. For organizations that receive very small volumes of telephone payments and perhaps already have a secure alternative payment channel (for example, a PCI DSS compliant e-commerce channel), this approach may provide a simple solution to mitigating a real business risk by avoiding the risk altogether.
For organizations committed to taking payments over the telephone, consideration should be given to techniques that minimize exposure of PAN and SAD to the telephone environment and balance that with user/customer experience requirements, with the object of significantly reducing the CDE or eliminating the …
Added
p. 33
In terms of customer experience or contact type, technologies can be classified as one of the following:
Attended
• Where the entity remains in direct voice contact with its customer for the entire duration of the telephone payment transaction.
Unattended
• Where the entity does not remain in direct voice contact with its customer for the entire duration of the telephone payment transaction, and all or part of the telephone payment component of the call is handled by a different technology path, e.g., IVR or some type of redirection to a web payment process.
In terms of technology dependency on the entity’s telephone infrastructure, technologies can be further classified as either:
Telephony based
• Where the technology application is wholly dependent on the entity’s telephony infrastructure, effectively using voice or DTMF tones, through the use of the telephone keypad, to facilitate the transaction.
Digital based
• Where the technology application sends a message or email …
Added
p. 33
A typical “transaction journey” for “attended” transactions might be:
When telephony-based technologies are deployed (pause-and-resume, see Section 6.5.1):
Added
p. 34
3. The agent initiates the pause-and-resume system to temporarily halt the recording and informs the customer to provide their CHD and SAD verbally.
4. Using the desktop application, the agent enters the customer’s details.
5. The recording is resumed and the agent confirms this to the customer. The agent completes the transaction, supporting verbally as appropriate.
6. The agent hears all the CHD and SAD.
7. The agent then receives confirmation that the payment is authorized and communicates that, or any other outcome returned from the PSP, back to the customer.
When telephony-based technologies are deployed (DTMF):
3. The agent initiates the DTMF masking (also known as “clamping”) application and informs the customer (to keep their data secure) to input their PAN and SAD using their telephone keypad.
4. Using the …
Added
p. 35
When digital technologies are deployed:
3. The agent informs and transfers the customer (to keep their data secure) to an automated call-handling system (or IVR).
4. The agent has the option to terminate the call whilst the customer progresses the transaction independently. The type and related scripting of the IVR system used will differ for each entity. Within the IVR journey, the IVR asks the customer to input their PAN and SAD using their telephone keypad.
5. The IVR application receives confirmation that the payment is authorized and communicates that, or any other outcome returned from the PSP, back to the customer. An option to return to the agent may be implemented.
3. The agent initiates the digital application and sends the customer a link to a secure internet payment system.
4. The customer validates the URL, confirms the transaction amount and delivery address, submits card account data into the payment …
Added
p. 35
In general terms, both attended and unattended digital technologies could use the public Internet to deliver links to the customer. The customer would access that link via their connected device (smartphone, tablet, laptop, or desktop) and then use it to send transaction data directly to the entity’s PSP/payment gateway.
Sending a link to an online secure payment system to a customer via a messaging service may be considered the same as an e-commerce entity using redirection to third-party payment pages. The impact of such a system on the entity’s PCI DSS scope would need to be evaluated. In such case, the integrity and validity of the link to an online secure payment system must also be considered.
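The guidance leaves open how the integrity and validity of the link would be assured. One approach, shown here as an added example (not from the PCI SSC document or any PSP's API), is for the entity to sign the transaction parameters it places in the link with a key shared with the hosted payment page, so that an altered amount or reference, or a link presented after its validity window, is rejected before any card data is entered. The key, the payment-page host and the field names are assumptions for the illustration.

```python
"""Tamper-evident, time-limited pay-by-link URL.

Added example, not from the PCI SSC document. The entity's link service signs
the transaction parameters with an HMAC key it shares with the hosted payment
page; the page rejects a link whose amount or reference was altered, or that is
presented after it has expired. LINK_KEY, PAY_PAGE and the claim names are
assumptions for the example, not a real provider's interface.
"""
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlencode, urlparse

LINK_KEY = b"example-key-rotate-me-in-production"   # assumed shared secret
PAY_PAGE = "https://pay.example.com/telephone"       # assumed hosted payment page


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_payment_link(order_ref, amount_minor, currency, ttl_seconds, now=None, key=LINK_KEY):
    """Build the URL the agent sends by SMS or e-mail.

    The amount travels in minor units (pence/cents) so that no float formatting
    ambiguity can make what was signed differ from what is displayed.
    """
    now = int(time.time()) if now is None else now
    claims = {"ref": order_ref, "amt": amount_minor, "cur": currency, "exp": now + ttl_seconds}
    payload = _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    tag = _b64(hmac.new(key, payload.encode(), hashlib.sha256).digest())
    return f"{PAY_PAGE}?{urlencode({'t': payload + '.' + tag})}"


def verify_payment_link(url, now=None, key=LINK_KEY):
    """Return the signed claims, or raise ValueError saying why the link is rejected."""
    now = int(time.time()) if now is None else now
    parsed = urlparse(url)
    if parsed.scheme != "https" or parsed.netloc != urlparse(PAY_PAGE).netloc:
        raise ValueError("link does not point at the payment page")
    token = parse_qs(parsed.query).get("t", [""])[0]
    payload, _, tag = token.rpartition(".")
    if not payload or not tag:
        raise ValueError("malformed token")
    expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    # Constant-time comparison: a forger learns nothing from response timing.
    if not hmac.compare_digest(expected, _unb64(tag)):
        raise ValueError("signature mismatch: link was altered or not issued by us")
    claims = json.loads(_unb64(payload))
    if now >= claims["exp"]:
        raise ValueError("link expired")
    return claims


def tamper_amount(url, new_amount_minor):
    """Model an attacker (or a typo in transit) changing the amount but keeping the old tag."""
    parsed = urlparse(url)
    payload, _, tag = parse_qs(parsed.query)["t"][0].rpartition(".")
    claims = json.loads(_unb64(payload))
    claims["amt"] = new_amount_minor
    forged = _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    return f"{PAY_PAGE}?{urlencode({'t': forged + '.' + tag})}"
```

The customer still has to check that the link points at the expected host, as step 4 of the journey says; the signature protects the entity and the PSP from a link that does, but carries altered parameters. Card data never appears in the link, so the messaging channel used to deliver it stays out of the CDE.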
Added
p. 36
The level of that dependency and the impact on an entity’s scope are based on the actual design and how the chosen technology is implemented.
In general terms, both attended and unattended classifications of telephony-based technologies may use DTMF tones, which are transmitted by a telephone device (mobile, data, or fixed line) when the customer enters PAN and SAD via their telephone keypad. DTMF tones are easily detectable by phone systems and computers, and anyone with the right equipment can convert the tones back to the original digits or characters.
Alternatively, the organization may use pause-and-resume technology, and in this case the agent will hear all of the CHD and SAD; and the organization must adopt and implement all relevant security procedures detailed in this document in order to secure that data.
Added
p. 36
Storing only suppressed tones rather than original DTMF tones can reduce the applicability of PCI DSS requirements for call recordings. For example, recordings and audio files containing only flat tones that cannot be converted back to the original data do not need to be rendered unreadable per PCI DSS Requirement 3.4. In this scenario, the entity would need to verify that the recordings contain only flat tones, and that the suppression method ensures the tones cannot be converted back to the original data.
Even if only suppressed tones are stored and are not subject to Requirement 3.4, recording systems may still be in scope for other PCI DSS requirements if they have connectivity to the systems where CHD is present.
Where the DTMF tones are not replaced with flat, token, or random sounds, the specific numbers associated with each key press can be recovered, meaning that PAN and SAD are retrievable and the unaltered DTMF …
Added
p. 37
PCI DSS to that environment. Of course, it would first have to be verified that all PAN and SAD are replaced with predefined sounds and characters before they reach the environment, and that no PAN or SAD is present in the environment in any other form. Some implementations of DTMF masking rely on DTMF detection; this may introduce a delay in the masking, so that the initial portion of each DTMF tone is not masked (this is called “DTMF bleed”). It is important to ensure that all DTMF tones, including any initial small portions of “DTMF bleed” that may be inadvertently allowed through a masking process, are not present in the environment.
A properly designed and deployed DTMF-masking solution can take not only the telephony environment, but also the agent environment and CRM system out of scope. Entities should avoid solutions that leave agent environments in scope unless there is an unavoidable business …
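The verification the text calls for (that a recording contains only flat tones, and that no “DTMF bleed” has slipped through) can be automated. The following Python program is an added example, not code from the PCI SSC document or any masking vendor: it synthesises a telephony-rate recording of keypad entry, decodes the digits with a Goertzel-based DTMF detector, and compares a streaming masker that substitutes a flat tone only after its detector fires with a buffered one that also replaces the frame in which detection occurred. The 20 ms frame, the 40 ms key presses and the 400 Hz replacement tone are assumptions for the illustration.

```python
"""Is the PAN still readable from a call recording? A DTMF recoverability check.

Added example, not from the PCI SSC document. Pure Python, telephony-rate
audio synthesised inline (no real recording is used). It shows three things the
text states: unaltered DTMF in a recording decodes back to the digits with a
trivial detector; a flat replacement tone leaves nothing to decode; and a
masker that acts only after its detector has fired leaks the first part of
every key press ("DTMF bleed"), which is enough to recover the whole PAN. The
20 ms frame and 40 ms key presses are assumptions, not figures from the text.
"""
import math

SAMPLE_RATE = 8000                       # G.711 telephony rate
LOW_FREQS = (697, 770, 852, 941)         # DTMF row tones
HIGH_FREQS = (1209, 1336, 1477, 1633)    # DTMF column tones
KEYPAD = ("123A", "456B", "789C", "*0#D")
FRAME_MS = 20                            # assumed detector/masker frame length
FRAME = SAMPLE_RATE * FRAME_MS // 1000   # 160 samples


def _tone(freqs, n, amplitude):
    """Sum of equal-amplitude sines, scaled so the peak stays at `amplitude`."""
    return [amplitude * sum(math.sin(2 * math.pi * f * i / SAMPLE_RATE) for f in freqs) / len(freqs)
            for i in range(n)]


def key_press(digit, press_ms=40, gap_ms=40):
    """One DTMF key press followed by silence, as a handset sends it (constructed)."""
    row = next(r for r, keys in enumerate(KEYPAD) if digit in keys)
    col = KEYPAD[row].index(digit)
    press = _tone((LOW_FREQS[row], HIGH_FREQS[col]), SAMPLE_RATE * press_ms // 1000, 0.5)
    return press + [0.0] * (SAMPLE_RATE * gap_ms // 1000)


def keyed_recording(digits):
    """A constructed 'call recording' that contains only the caller's key presses."""
    samples = []
    for d in digits:
        samples += key_press(d)
    return samples


def frames(samples):
    """Split audio into whole FRAME-sized blocks (any tail shorter than a frame is dropped)."""
    return [samples[i:i + FRAME] for i in range(0, len(samples) // FRAME * FRAME, FRAME)]


def goertzel_power(frame, freq):
    """Power at one frequency via the Goertzel algorithm, normalised by N^2."""
    n = len(frame)
    k = int(0.5 + n * freq / SAMPLE_RATE)          # nearest DFT bin
    coeff = 2 * math.cos(2 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return (s1 * s1 + s2 * s2 - coeff * s1 * s2) / (n * n)


def decode_frame(frame, threshold=0.002, dominance=4.0):
    """The DTMF digit in a frame, or None unless one row and one column tone clearly dominate."""
    def pick(freqs):
        ranked = sorted(((goertzel_power(frame, f), f) for f in freqs), reverse=True)
        (p1, f1), (p2, _) = ranked[0], ranked[1]
        return f1 if p1 > threshold and p1 > dominance * p2 else None
    lo, hi = pick(LOW_FREQS), pick(HIGH_FREQS)
    if lo is None or hi is None:
        return None
    return KEYPAD[LOW_FREQS.index(lo)][HIGH_FREQS.index(hi)]


def recover_digits(samples):
    """What an assessor, or an attacker holding the recording, gets back: one digit per press."""
    digits, last = [], None
    for fr in frames(samples):
        d = decode_frame(fr)
        if d is not None and d != last:
            digits.append(d)
        last = d
    return "".join(digits)


def mask_dtmf(samples, lookahead=False, replacement_hz=400):
    """Detection-triggered masker in two designs.

    lookahead=False: streaming. A frame is replaced only once the detector has
    seen DTMF, i.e. from the frame *after* detection; the frame in which the
    key press started has already left the masker. That frame is the bleed.
    lookahead=True: the masker holds one frame back, so the frame in which
    detection fires is replaced too and nothing of the press survives.
    """
    fr_list = frames(samples)
    detected = [decode_frame(fr) is not None for fr in fr_list]
    flat = _tone((replacement_hz,), FRAME, 0.5)
    out = []
    for i, fr in enumerate(fr_list):
        key_was_down = i > 0 and detected[i - 1]
        out += flat if key_was_down or (lookahead and detected[i]) else fr
    return out


if __name__ == "__main__":
    pan = "4111111111111111"              # well-known test number, constructed input
    recording = keyed_recording(pan)
    print("unaltered recording :", recover_digits(recording))
    print("streaming masker    :", recover_digits(mask_dtmf(recording)))
    print("buffered masker     :", recover_digits(mask_dtmf(recording, lookahead=True)))
```

Against the unaltered recording the detector returns the full 16 digits; against the streaming masker it still returns all 16, because each 20 ms bleed fragment is a clean, decodable tone; only the buffered masker yields nothing. The same `recover_digits` routine, pointed at exported recordings, is the kind of check the text has in mind when it says the entity must verify that recordings contain only flat tones.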
Added
p. 38
Diagram 7: Off-premises deployment of DTMF masking
6.4.1.2 On-premises deployment of DTMF masking
On-premises deployment is also possible. Diagram 8 shows an example of such an implementation. A device hosted within the entity's infrastructure separates the DTMF from the voice and sends the masked DTMF back into the entity's telephone systems. The DTMF is either forwarded directly or sent as cardholder data to a payment service provider over a secured connection across the internet. In this instance, the Session Border Controller
Information Supplement
Added
p. 39
Diagram 8: On-premises deployment of DTMF masking
6.4.2 Unattended Telephony Technologies
In an unattended transaction, the agent is not in contact with the customer for the entirety of the call.
Technologies used for unattended transactions are often referred to as IVR (interactive voice response) applications or automated call-handling solutions. In this scenario, the agent typically switches the call to the IVR or call-handling solution for the duration of time needed to communicate the payment details.
Depending on the technology used, the transmission of account data could be either by voice (the
Added
p. 40
The IVR or call-handling solution may be part of the entity’s own telephone environment or be located at a third party, such as a PSP or acquirer. The technology may also provide the customer with an option to return back to an agent and re-establish voice contact after payment is complete, or during the transaction in the event that the payment is unsuccessful.
In all instances, the intent of these solutions is to bypass the agent when account data is transmitted, thus avoiding any exposure of account data to the agent. Moreover, DTMF suppression and DTMF masking, described in the previous section, can also be used to reduce the presence of account data in systems such as call-recording solutions.
When properly implemented, an unattended transaction solution could reduce applicability of PCI DSS requirements to the agent and agent desktop environment. However, it would first need to be verified that PAN and SAD …
Added
p. 40
PCI DSS by taking the call-recording and storage systems out of scope, the technology does not reduce PCI DSS applicability to the agent, the agent desktop environment, or any other systems in the telephone environment, as shown in Diagram 9 on the following page.
Added
p. 41
The agent forgetting to pause the recording at the right time, resulting in the unintended capture of CHD and potentially SAD. Entities are encouraged to ask their call center operator how they remove SAD from recordings, preferably automatically (with no manual intervention by staff).
The agent forgetting to restart the recording after the transaction, resulting in a breach of regional or local legal requirements and in loss of other data that may have been of value to the business.
Manual pause-and-resume implementations require constant monitoring and verification that the manual processes are being followed by all agents for every transaction. As well as monitoring agent processes, the entity will need to regularly confirm that the call recorder and call storage do not contain any CHD or SAD. This can be achieved by supervisors regularly listening to recorded conversations.
The degree of oversight and supervision required for manual solutions is much greater …
Added
p. 42
The effectiveness of an automated solution relies largely on its integration with the agent’s workflow process and the agent performing the correct steps at the correct time. If any ability exists for the agent to bypass the integrated process, the pause-and-resume technology could be circumvented and rendered ineffective.
Added
p. 42
The physical segmentation approach can be valid to deal with “exceptions” even when technology to prevent spoken card data is deployed. It can also be deployed within a simple telephone environment.
Diagram 10: Implementation of physical segmentation
Added
p. 43
Beyond the network protection and isolation measures, the following controls are based on PCI DSS requirements for (a) physical access to payment card data and (b) monitoring. Some areas, such as the use of employees' personal devices, are a matter of internal policy.
Added
p. 43
Physical access to the secure room is limited, controlled and monitored.
Physical access rights are granted based on individual job function, regularly reviewed, and revoked immediately upon termination.
The customer service representative (CSR) must use one or two authentication factors, e.g., token, swipe card, or personal code, through an access-control device to enter the room (note that while PCI DSS Requirement 9.1 mandates only one authentication factor, using multi-factor authentication is considered best practice).
Physical access is monitored using an access-control mechanism or a video camera (or both), and the records are stored for at least three months unless legal restrictions apply.
The access-control and monitoring systems must be protected against tampering or disabling.
Any workstation in the secure room is locked to prevent unauthorized use.
The CSR is not allowed to take into the room personal electronic devices; any pens and paper are replaced with personal whiteboards and dry-wipe marker …
Added
p. 43
At the point of transaction, the CSR either transfers the call to a CSR in the secure room (potentially leaving the PBX in scope for PCI) or informs the customer that they will call them back.
The secure room CSR either calls the customer back through a separate VoIP or POTS connection or picks up the call, which is transferred from the PBX to the secure room.
When in possession of the card data, the secure-room CSR processes the payment via a payment terminal or a virtual terminal connected to a payment service provider. Following this, the CSR can record the transaction details on the CRM system (not represented) and securely dispose of or file any paper record or receipt.
Added
p. 44
An example of impact on merchants is that those using DTMF masking/suppression for their telephone payments may also be required to accept some telephone payments verbally to support customers with disabilities or who are otherwise unable to pay by pressing their telephone keypad. Entities with these obligations will need to implement appropriate processes and technologies to secure all account data that is received verbally by call agents and systems during processing and remove all SAD upon completion of the transaction.
Entities need to understand how different technology deployments impact the data captured in call and screen recordings, and the controls that will be consequently needed to protect CHD and remove SAD from the recordings. For example:
Recordings will capture clear-text CHD and SAD if spoken by the cardholder or captured through DTMF tones, and where the entire conversation is recorded.
Recordings will not capture CHD or SAD if DTMF masking/suppression is …
Added
p. 45
Further consideration should be given to monitoring the effectiveness of the controls, in particular through Data Loss Prevention (DLP), including leak detection and protection. A system adapted to the environment that can be considered DLP may involve a multitude of technologies, from basic firewall access control to specialized systems using data fingerprinting.
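Data fingerprinting for this environment comes down to recognising PAN and SAD wherever text is stored: CRM notes, chat transcripts, OCR output from screen recordings. The scanner below is an added example (not from the PCI SSC document or any DLP product), and the CRM note it runs over is constructed. It finds 13 to 19 digit runs that pass the Luhn check, which separates a PAN from an order or consignment number of the same length, locates security codes by the label written next to them, and reports only a masked PAN so that the report is not itself cardholder data.

```python
"""Scan free text (CRM notes, chat transcripts, OCR of screen recordings) for PAN and SAD.

Added example, not from the PCI SSC document; SAMPLE_NOTE is constructed. This
is the leak-detection half of DLP: a PAN candidate is any run of 13-19 digits,
with or without spaces and hyphens, that passes the Luhn check (which filters
out order and consignment numbers of the same length); SAD is found from
context, because a three-digit CVV has no checksum. Findings carry only a
masked PAN (first six, last four), never the full number.
"""
import re

PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# A 3- or 4-digit value within a few characters of a security-code label.
SAD_CONTEXT = re.compile(r"\b(?:cvv2?|cvc2?|cv2|cid|security code)\b\D{0,8}(\d{3,4})\b", re.I)

# Constructed CRM note: one real-looking test PAN, one consignment number of
# the same length, a phone number and a CVV written in clear.
SAMPLE_NOTE = (
    "2018-11-07 14:02 agent jdoe: caller confirmed order 88213 and paid by phone; "
    "card 4111 1111 1111 1111 exp 12/26 cvv 123, recording paused. "
    "Courier consignment 1234567890123456, callback +44 20 7946 0958."
)


def luhn_ok(digits):
    """Luhn (mod 10) check as used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Show at most the first six and last four digits (PCI DSS Requirement 3.3)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text):
    """Return [(masked_pan, start, end)] for every Luhn-valid candidate in the text."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append((mask_pan(digits), m.start(), m.end()))
    return hits


def find_sad(text):
    """Return (start, end) spans of security codes written next to CVV-style labels."""
    return [m.span(1) for m in SAD_CONTEXT.finditer(text)]


def scan(text):
    """One record per finding. SAD is reported without its value: storing it is never allowed."""
    report = [{"type": "PAN", "value": masked, "span": (s, e)} for masked, s, e in find_pans(text)]
    report += [{"type": "SAD", "value": "***", "span": span} for span in find_sad(text)]
    return report


if __name__ == "__main__":
    for finding in scan(SAMPLE_NOTE):
        print(f"{finding['type']:<4} {finding['value']:<18} at chars {finding['span']}")
```

On the constructed note the scanner reports one PAN (masked as 411111******1111) and one SAD occurrence, and ignores the consignment number and the phone number. A PAN finding means Requirement 3.4 applies to that data store; a SAD finding means data that should not exist after authorization has been written down and must be removed, and the process that let it in fixed.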
Added
p. 46
The definition of service providers is available in Section 2.4.
An important consideration is that a telecommunications company providing just the communication link would not be considered a service provider for that service. This means that a carrier providing only ISDN lines and SIP trunks, with no additional services, may not have any PCI DSS responsibilities. In this scenario, the entity or service provider would consider the carrier network a public or untrusted network, and applicable PCI DSS controls would need to be in place to protect account data transmitted over such networks. Carriers or other entities providing services such as call center services, call-recording technologies, call-recording storage, hosting of call-recording technologies, or other functionality that impacts account data would be considered service providers for PCI DSS purposes.
When looking at a telecommunication company's services, organizations should have a clear understanding of the details of the services being provided, including where scope begins and …
Added
p. 48
Note: Storing SAD after authorization is not allowed; refer to Appendix D, “Call Recording Decision-making Process.”
Diagram 11: Outsourced call recording
The data from the entities may be merged at the level of the service provider and the cloud storage provider. Beyond the service-provider-specific PCI DSS requirements, the assessor assessing the entities, and the entities themselves, may verify that the provider complies with the requirements in PCI DSS Appendix A1, “Additional PCI DSS Requirements for Shared Hosting Providers.” Assessors assessing the service provider should consider whether the service provider or the cloud-storage provider should comply with the requirements in PCI DSS Appendix A1, by considering how they service the entities and protect each entity's data where shared services are at play.
PCI DSS Requirement 12 states that the entity must maintain and implement policies and procedures to manage service providers with whom …
Added
p. 50
Term Definition
3DS EMV® Three-Domain Secure (3DS) is a messaging protocol that enables consumers to authenticate themselves with their card issuer when making card-not-present (CNP) e-commerce purchases. The additional security layer helps prevent unauthorized CNP transactions and protects the entity from CNP exposure to fraud. The three domains consist of the entity/acquirer domain, issuer domain, and the interoperability domain (e.g., payment systems).
ACD Acronym for “automatic call distributor.” A programmable device deployed in the telephone or data network capable of directing telephone calls (data) to a predefined termination point. Also referred to as a telephony switch.
Agent Person or persons employed by a business whose role it is to make or take telephone calls. Also referred to as operator or customer service representative.
Agent desktop An agent’s computer connected to a network.
Call flow A road map of how calls will be handled from the moment they enter the telephone system to the …
Added
p. 51
EMV Acronym for “Europay, MasterCard and Visa.” EMV is a global standard, originally created by these three companies, for processing chip-based payment card transactions.
ISDN Acronym for “integrated services for digital network.” Described as a set of communication standards for simultaneous digital transmission of voice, video, data, and other network services over the traditional circuits of the public switched telephone network (PSTN).
IVR Acronym for “interactive voice response.” An automated process that allows the customer to make choices by pressing the required digit on their telephone handset.
Pause-and-resume General description of manual or automated applications that pause and resume the call-recording application at a point during the call.
PBX or PABX Acronym for “private branch exchange or private automatic branch exchange.” A private telephone network used within an organization.
POTS Acronym for “plain old telephone service.” Describes the voice-grade telephone service employing analog signal over copper cables.
PSP Acronym for “payment service provider.” Sometimes referred …
Added
p. 52
SIP Acronym for “session initiation protocol.” A multimedia communications protocol used for controlling communication sessions, including voice and video calls over internet protocol (IP) networks.
A SIPS (session initiation protocol secure) URI* can be used to specify that the resource be contacted securely. This means, in particular, that TLS is to be used between the user-agent client (UAC) and the domain that owns the URI.
* URI: Acronym for uniform resource identifier. It is a string of characters to identify a resource. The syntax is defined by RFC 3986. A URL is a type of URI.
SRTP Secure Real-time Transport Protocol (SRTP) is a protocol that can provide confidentiality, message authentication, and replay protection for RTP traffic.
Switch General term given to a device that directs telephone calls or data to a single or multiple predefined destination within a network.
T1 line A T1 line is a dedicated transmission connection between a client and a …
Added
p. 55
* See D.2 regarding SAD in call recordings.
Added
p. 56
D2.2 All other Entities
For all other entities, every possible effort must be made to eliminate sensitive authentication data from the telephone environment. If an organization has a legitimate constraint that prevents it from removing SAD from its recordings, the organization should discuss this with its acquirer and/or payment brand. In these circumstances, there must be a detailed justification why sensitive authentication data cannot be eliminated (for example, a legislative or regulatory obligation⁷) and a comprehensive risk assessment performed at least annually and upon significant changes to the environment. The detailed justification, risk-assessment results, and documentation of the controls in place (and validated) to ensure that SAD cannot be queried must be made available to the acquiring bank and/or payment card brand as applicable to allow them to accept or reject the solution in place.
If sensitive authentication data cannot be eliminated, it must be secured in a manner consistent …
Added
p. 58
E.1 Protocols, Ports and Network.
VoIP is generally implemented using two main protocols: H.323 and Session Initiation Protocol (SIP). Vendors using “unified communications” can include further protocols due to video (telepresence) and instant-messaging (IM) capabilities. Some examples of other protocols are: Real-Time Transport Protocol (RTP), H.248, Skype protocol (proprietary), Jingle.
H.323 and SIP each use two separate data streams, one for the signaling and one for the media (this can be voice data). The signaling stream will utilize well-known ports, often over Transmission Control Protocol (TCP). The media stream can tolerate the loss of some packets; it uses the User Datagram Protocol (UDP) as its transport layer, on ports that are negotiated dynamically for each call.
This means that traffic-filtering devices need to be configured to allow a much greater range of ports to allow the traffic to pass correctly. Implementing Network Address Translation (NAT) can add to these complications because the devices may not necessarily know where to …
Added
p. 59
A lack of encryption may result in eavesdropping on VoIP calls when access to the data network is possible.
Packet analyzers such as Wireshark or tcpdump make capturing VoIP conversations and data trivial.
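The two points above (signaling on well-known ports but media on per-call UDP ports, and plaintext RTP being readable by any packet analyzer) can be checked in the call setup itself. The following Python is an added example, not code from the PCI SSC supplement: it parses a constructed SIP INVITE and its SDP offer, lists the UDP ports a filtering device would have to allow for that one call, reports the signaling transport, and flags media offered with the plain RTP/AVP profile instead of SRTP (RTP/SAVP). All hosts, ports and key material are placeholders.

```python
"""Inspect the SDP offer inside a SIP INVITE from a defender's point of view:
which dynamically negotiated UDP ports a filtering device would have to allow
for the media streams, whether signaling travels over TLS, and whether any
stream is offered as plain RTP rather than SRTP (RTP/SAVP).
Added example; not code from the PCI SSC information supplement."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample offer. Hosts and ports are placeholders (RFC 5737 /
# RFC 2606 documentation ranges) and the key material is a dummy string.
SDP_BODY = (
    "v=0\r\n"
    "o=customer 2890844526 2890844526 IN IP4 198.51.100.10\r\n"
    "s=Payment call\r\n"
    "c=IN IP4 198.51.100.10\r\n"                  # session-level address
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8\r\n"               # plain RTP: voice in the clear
    "a=rtpmap:0 PCMU/8000\r\n"
    "m=video 51372 RTP/SAVP 99\r\n"               # SRTP profile
    "c=IN IP4 198.51.100.11\r\n"                  # media-level address override
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDERKEYMATERIAL\r\n"
)
SAMPLE_INVITE = (
    "INVITE sip:agent@contact-center.example SIP/2.0\r\n"
    "Via: SIP/2.0/TLS 198.51.100.10:5061;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:customer@carrier.example>;tag=1928301774\r\n"
    "To: <sip:agent@contact-center.example>\r\n"
    "Call-ID: a84b4c76e66710@198.51.100.10\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(SDP_BODY)}\r\n"
    "\r\n" + SDP_BODY
)


@dataclass
class MediaStream:
    kind: str                 # "audio", "video", ...
    address: Optional[str]    # media-level c= if present, else session-level c=
    rtp_port: int             # negotiated per call, not a well-known port
    profile: str              # e.g. RTP/AVP (plaintext) or RTP/SAVP (SRTP)

    @property
    def rtcp_port(self) -> int:
        return self.rtp_port + 1    # RTCP conventionally uses the next port

    @property
    def encrypted(self) -> bool:
        # RTP/SAVP, RTP/SAVPF and UDP/TLS/RTP/SAVP all carry SRTP.
        return "SAVP" in self.profile.upper()


def split_sip_message(raw: str) -> Tuple[Dict[str, str], str]:
    """Return (lower-cased header map, body) for one SIP request."""
    head, _, body = raw.partition("\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def signaling_transport(headers: Dict[str, str]) -> Optional[str]:
    """Transport named in the top Via header: TLS, TCP or UDP."""
    match = re.match(r"SIP/2\.0/(\w+)", headers.get("via", ""))
    return match.group(1).upper() if match else None


def parse_sdp_media(body: str) -> List[MediaStream]:
    """Collect one MediaStream per m= line, resolving its c= address."""
    streams: List[MediaStream] = []
    session_addr: Optional[str] = None
    current: Optional[MediaStream] = None
    for line in body.splitlines():
        if line.startswith("c="):
            addr = line.split()[2]
            if current is None:
                session_addr = addr         # applies to later m= lines
            else:
                current.address = addr      # overrides for this media only
        elif line.startswith("m="):
            kind, port, profile = line[2:].split()[:3]
            current = MediaStream(kind, session_addr,
                                  int(port.split("/")[0]), profile)
            streams.append(current)
    return streams


def firewall_allow_rules(streams: List[MediaStream]) -> List[str]:
    """Per-call UDP allows a stateful filter would need for RTP and RTCP."""
    rules = []
    for s in streams:
        rules.append(f"allow udp to {s.address} port {s.rtp_port} ({s.kind} RTP)")
        rules.append(f"allow udp to {s.address} port {s.rtcp_port} ({s.kind} RTCP)")
    return rules


def unencrypted_media(streams: List[MediaStream]) -> List[str]:
    """Media kinds offered without SRTP, i.e. capturable in the clear."""
    return [s.kind for s in streams if not s.encrypted]


if __name__ == "__main__":
    hdrs, sdp = split_sip_message(SAMPLE_INVITE)
    media = parse_sdp_media(sdp)
    print("signaling transport:", signaling_transport(hdrs))
    for rule in firewall_allow_rules(media):
        print(rule)
    print("unencrypted media:", unencrypted_media(media))
```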
E.4 Unified Communications
The concept of unified communications integrates voice and video communications with other communication features. It is not unusual for vendors to tightly integrate instant messaging, video or telepresence, telephony, facsimile, electronic mail and other communication services into clusters of servers that are not easily segmented or isolated from one another. As a result, entities can find that their only option to minimize the PCI scope of their VoIP environment is to implement multiple instances of in-scope VoIP and out-of-scope VoIP.
Added
p. 60
F.2 SIP Redirection
When a service provider is used by the entity to process payments, it is important to review how the service is implemented as it can impact the PCI DSS scope. In the following examples, the entity uses a service provider that will capture the cardholder data via an IVR system or DTMF capture, or any other technology, and process the payment on behalf of the entity. All the data the entity should receive is a truncated version of the PAN or a tokenized PAN with the transaction data and an acknowledgement of the transaction result. The service provider location and the account data flow must be understood. These examples are provided to highlight that SIP redirection does not necessarily completely remove the entity’s infrastructure from PCI DSS scope.
In Diagram F1 below, the service provider is situated close to the carrier network and the account data will …
Added
p. 62
When payment card data is redirected to a service provider over a public network, whatever the format (voice, video, picture), it is in scope for applicable PCI DSS controls as the transmission is initiated by the entity or, by delegation, the service provider.
The payment card data must be protected by strong encryption. This can be done by encrypting the data itself or by using a secure connection via, for example, the use of a VPN or a secure protocol, e.g., SRTP, knowing that encryption using such a protocol is difficult across several telephone operators. Also, the Information Supplement
Added
p. 64
Diagram F3 shows a scenario where the payment details are taken over POTS or VoIP and processed through a payment terminal connected to a payment processor via IP. The payment terminal and the connection to the payment processor would be in scope for PCI DSS.
Diagram F3: POTS or VoIP telephone and payment terminal connected via IP Information Supplement
Added
p. 65
Diagram F4: POTS or VoIP telephone and virtual payment terminal from a payment service provider
Added
p. 66
In the example below (Diagram F5), the entity allows customers to pay via a website. The website infrastructure is completely segmented from the office network. No payment card data is captured using telephones. The operators receive the payment card data to process via a printed payment card data extract and process the payments using a PCI P2PE payment terminal connected to the VoIP telephone.
Diagram F5: Payment terminal connected to a network via a VoIP telephone socket
Added
p. 67
In this scenario, the website infrastructure, the PCI P2PE payment terminal, and the printed payment card data extract are in scope for PCI DSS.
F.5 Use of “Chat” for Card Payments
When entities consider using their telephone environments to support customer communication using a “chat” application, it is worth highlighting once again that PAN cannot be sent unprotected. This applies to all end-user messaging technologies.
If an entity requests PAN via end-user messaging technologies, the entity should provide a tool or method to protect these PANs using strong cryptography or render PANs unreadable before transmission.
The data transmitted would be in scope for applicable PCI DSS controls. The eventual transmission of SAD would need special attention, especially its secure deletion after authorization.
Added
p. 68
Guide to Safe Payments Common Payment Systems Questions to Ask Your Vendors (Small Merchant) Glossary of Payment and Information Security Terms These resources are available from the Document Library on the PCI Security Standards website: https://www.pcisecuritystandards.org/document_library, filtering with “Small Merchants.” Reference documents useful to simple and complex telephone environments.
PCI DSS Requirements and Security Assessment Procedures PCI DSS Quick Reference Guide Prioritized Approach for PCI DSS PCI SSC Prioritized Approach Tool Understanding SAQs for PCI DSS PCI DSS SAQ: Instructions and Guidelines Information Supplement: Guidance for PCI DSS Scoping and Network Segmentation Information Supplement: PCI SSC Cloud Computing Guidelines Information Supplement: Third-Party Security Assurance Connected-to Service Providers These resources are also available from the Document Library on the PCI Security Standards website: https://www.pcisecuritystandards.org/document_library.
Frequently Asked Questions: The following is a non-exhaustive list of FAQs that may apply to …
Added
p. 69
Adobe Systems Incorporated Aeriandi LTD AIG Global Services Bell Canada BT PLC.
California State University, Fullerton Coalfire Systems Compliance3 Convergys Corporation Crowe Horwath LLP Dignity Health Eckoh UK Ltd Elavon Merchant Services Federation Des Caisses Desjardins Du Quebec FortConsult A-S Gap Inc. HP Inc.
Information Risk Management (IRM) IQ Information Quality Johnson & Johnson Services Navient Solutions, LLC NCC Group PLC NTT Security Ltd.
Oklahoma State University Optiv Security Price and Associates CPAs, LLC, dba A-LIGN Schellman & Company, LLC Sec-1 Ltd.
SecureCo Pty Limited Security Metrics Semafone Limited Sirius Computer Solutions, Inc.
Spectrum Health System Sprint Nextel Syntec Ltd The Liquor Control Board of Ontario U.S. Payments Uber Technologies, Inc.
United HealthCare Services, Inc.
United States Postal Service Verizon/CyberTrust Vodafone Ltd West Monroe Partners, LLC Whirlpool Corporation
Modified
p. 1 → 3
Information Supplement:
Information Supplement
Removed
p. 2
Information Supplement: Protecting Telephone-based Payment Card Data Table of Contents Executive Summary 3 Clarification of the PCI DSS Guidelines for Voice Recordings 4 Recap: The PCI SSC FAQ 4
Removed
p. 3
Executive Summary
The following information and guidance is intended to provide payment security advice for merchants and service providers who accept and/or process payment card data over the telephone. This information highlights the key areas organizations with call-center operations need to address in order to process payment cards securely, and how best to protect their business and their customers from the risks of data compromise and fraud.
Why Telephone Card Payment Security is Important
In face-to-face and e-commerce environments, risk-mitigating technologies have helped significantly reduce fraud rates, resulting in a shift of card fraud towards the Mail Order / Telephone Order (MOTO) space.
Additionally, a number of regulatory bodies are requiring some companies to record and store telephone conversations in a range of situations. The Payment Card Industry Data Security Standard (PCI DSS), however, stipulates that the three-digit or four-digit card verification code or …
Removed
p. 4
Clarification of the PCI DSS Guidelines for Voice Recordings
The impact of PCI DSS has been far-reaching, and its goal to minimize payment card data loss (malicious or otherwise) from merchant and service provider environments is becoming a reality.
For all merchants and service providers, this requires appropriate measures to protect any systems that store, process and/or transmit cardholder data. This impacts call-recording management and storage, and control of the agent/caller interface within the physical call-center space. The PCI SSC produced this Information Supplement to clarify the PCI DSS requirements on voice recordings, to provide some best practices, and to promote consistency among merchants, service providers and the assessor community.
Recap: The PCI SSC FAQ
PCI SSC FAQ 5362
• Are audio/voice recordings containing cardholder data and/or sensitive authentication data included in the scope of PCI DSS? This response is intended to provide clarification for call …
Modified
p. 4 → 44
If these recordings cannot be data-mined, storage of CAV2, CVC2, CVV2 or CID codes after authorization may be permissible as long as appropriate validation has been performed. This includes the physical and logical protections defined in PCI DSS that must still be applied to these call-recording formats.
If SAD contained within audio recordings can be digitally queried (that is, if SAD is easily accessible), it must not be stored. If these recordings cannot be data mined, storage of SAD after authorization may be permissible as long as appropriate validation has been performed. This includes the physical and logical protections defined in PCI DSS that must still be applied to these call-recording formats.
Removed
p. 5
Data Element | Storage Permitted | Render Stored Account Data Unreadable per Requirement 3.4
Account Data
  Cardholder: Primary Account Number (PAN) | Yes | Yes
  Cardholder: Cardholder Name | Yes | No
  Cardholder: Service Code | Yes | No
  Cardholder: Expiration Date | Yes | No
Sensitive Authentication Data
  Full Magnetic Stripe Data† | No | Cannot store per Requirement 3.2
  CAV2/CVC2/CVV2/CID | No | Cannot store per Requirement 3.2
  PIN/PIN Block | No | Cannot store per Requirement 3.2
What this means: Essentially, sensitive authentication data must not be retained after authorization (Requirement 3.2); and for telephone operations, “sensitive authentication data” means the CAV2/CVC2/CVV2/CID and/or PIN values that may be taken during a telephone call.
Where to Start
The following page shows the process a merchant should follow when assessing the risk for their call center operations and aims to further clarify the FAQ above.
Modified
p. 5 → 27
Sensitive authentication data (SAD) must not be stored after authorization, even if encrypted. This applies even where there is no PAN in the environment.
Removed
p. 7
* Flowchart Notes: Are controls in place to ensure Sensitive Authentication Data cannot be queried?
Sensitive Authentication Data must be secured in a manner consistent with PCI DSS and must not be able to be queried. Data that is queryable may be retrieved through use of a search tool or by issuing a system instruction/task or a set of instructions/tasks. Examples of instructions/tasks that could result in data being retrieved include but are not limited to:
• Defined searches based on character sets or data format
• Database query functions
• Decryption mechanisms
• Sniffer tools
• Data mining functions
• Data analysis tools
• Built-in utilities for sorting, collating or retrieving data
For data to be considered “non-queryable” it must not be feasible for general users of the system or malicious users that gain access to the system to retrieve or access the …
Modified
p. 7 → 57
Note: Encrypting sensitive authentication data is not by itself sufficient to render the data non-queriable.
Note: Encrypting sensitive authentication data is not by itself sufficient to render the data non-queryable.
Removed
p. 8
Hints and Tips for Call Centers
Call centers will need to ensure that an appropriate retention policy is implemented and maintained.
This is part of PCI DSS Requirements 3.1 and 3.2 and includes:
• Ensuring that payment card data is stored only when absolutely necessary, and that a disposal procedure is in place.
• Limiting the amount of time that card information is kept on the quality assurance (QA)/recording server and customer relationship management (CRM) solution databases (both voice and screen recordings); it may be necessary for corporate governance, legal and QA departments to work out a compromise between what is needed to adhere to the PCI DSS and regulatory compliance requirements. However, note that PCI DSS does not supersede local or regional laws, government regulations, or other legislative requirements.
• Never allowing for the card validation code (referred to as CAV2, CVC2, CVV2, or CID) to …
Removed
p. 9
Call centers will need to ensure that transmission of cardholder data across public networks is encrypted.
This is part of PCI DSS Requirement 4 and includes:
• Using strong encryption protocols such as Secure Sockets Layer and Transport Layer Security (SSL/TLS), Secure Shell (SSH), or Internet Protocol Security (IPsec) to secure transmission of any cardholder data over public networks, including:
- Both wired and wireless networks used by at-home/remote agents and supervisors. For example, via a Virtual Private Network (VPN) with SSL/TLS. Please note that Wired Equivalent Privacy (WEP) protocol is no longer permissible as a security control for wireless networks.
- Voice or data streams over Voice over IP (VoIP) telephone systems, whenever sent over an open or public network. Note that only those consumer or enterprise VoIP systems that provide strong cryptography should be used.
• As a best practice, ensuring that stored recordings are not …
Modified
p. 9 → 27
− Any public network segments used to carry or send screen or voice recordings containing payment card data.
Modified
p. 9 → 27
Never send CHD over an unencrypted, end-user messaging medium such as chat, social media, SMS (short message service)/text, or e-mail, or other non-encrypted communication channel.
Modified
p. 9 → 27
Ensure proper user authentication is implemented for all personnel, including staff, agents, administrators, and any third parties.
Removed
p. 10
Call centers will need to ensure that they adhere to an information security policy.
• Developing daily operational security procedures that are consistent with all PCI DSS requirements and clearly defining the responsibilities of all personnel.
• Developing usage policies for critical technologies to define proper use of these technologies for all personnel.
• Assigning an individual or team specific security responsibilities.
• Implementing a formal security awareness program so that all personnel are conscious of the importance of payment card security, and to make sure that all personnel are properly trained and knowledgeable about all security policies and procedures.
• Annually reviewing all security policies and procedures with all in-house and at-home/remote agents. As a best practice, require agents to acknowledge the security requirements as part of their daily sign-in process.
• Screening of potential employees prior to hiring. In addition, as a best practice, monitoring of …
Modified
p. 10 → 29
All interaction with the recordings should be logged according to PCI DSS Requirement 10.
Removed
p. 11
Finally, call centers will need to ensure that all PCI DSS requirements are implemented, including:
Ensuring there are no direct connections between systems storing audio recordings and the Internet.
Ensuring that at-home/remote agent and supervisor PCs have the latest version of the corporate virus protection software and definition files.
Ensuring that at-home/remote agent and supervisor PCs have the latest approved security patches installed.
Requiring agents and supervisors to use only company-approved systems.
What to Ask Your Call-Center Provider
How does the call-center system help my company comply with the PCI DSS requirements, and how does it automatically remove sensitive credit card information from recorded calls? If you take credit card details over the phone, ask your supplier to prove that they are “PCI DSS compliant” and to explain how they remove sensitive authentication data from their recordings, automatically (with no manual intervention by your …
Modified
p. 11 → 25
− Have personal firewalls installed and operational.
Modified
p. 11 → 26
Maintain systems to secure configuration standards and regularly test for vulnerabilities.
Modified
p. 11 → 29
Implement strong authentication controls for all personnel with access to voice and screen recordings, and for any other storage of CHD. Ensure that personnel do not share user IDs and passwords.
Removed
p. 12
The PCI Security Standards Council was formed by the major payment card brands American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. to provide a transparent forum in which all stakeholders can provide input into the ongoing development, enhancement, and dissemination of the PCI Data Security Standard (DSS), PIN Transaction Security (PTS) Requirements, and the Payment Application Data Security Standard (PA-DSS). Merchants, banks, processors, and point-of-sale vendors are encouraged to join as Participating Organizations.
ACKNOWLEDGEMENT This Information Supplement contains material from a resource developed by PCI SSC Board of Advisor member Barclaycard. The Council thanks Barclaycard for making this content available to share with the wider PCI community.