Semafone Advises Contact Centres on Updated PCI Guidance for Protecting Telephone-based Payment Card Data

Boston and Guildford, U.K.– Nov. 28, 2018 – Semafone®, the leading provider of data security and compliance solutions for contact centers, advises call and contact centers to take heed to the newly revised Payment Card Industry Security Standards Council (PCI SSC)guidance for Protecting Telephonebased Payment Card Data. The updated guidance addresses the challenges and complexities presented by the evolving technology and regulatory landscape, while providing best practices for avoiding payment fraud in contact centers.

“Since the guidance for Protecting Telephone-based Payment Card Data was last updated in 2011, new technologies and payment channels are increasing the scope of the cardholder data environment – and creating some uncertainty and compliance challenges for contact centers,” said Ben Rafferty, Semafone’s global solutions director and a contributing member of the Special Interest Group (SIG) formed by the PCI SSC to update the guidance. “Because protecting payment card data within contacts centers is the core of Semafone’s business, we invested our time to share our expertise for the new guidance. Drawing from our experience descoping enterprise contact centers around the globe, we hope to provide clarity on securing these critical payment channels.”

Taking people, processes and technology into account, the new guidance clarifies associated risks and discusses solutions and strategies for reducing the scope of cardholder data environments (CDE) to achieve and maintain compliance with the Payment Card Industry Data Security Standard (PCI DSS). These guidelines are of chief importance to enterprise contact centers that increasingly use technologies – beyond the telephone – to accept payments, including Voice over Internet Protocol (VoIP), softphones and chatbots. Such channels are increasingly part of the card data environment and add potential attack vectors for card-not-present (CNP) fraud.

“When working with clients looking to attain PCI DSS compliance, the telephone payment channel is the most challenging to address for several reasons,” said Wayne Murphy, a qualified security assessor (QSA) with Sec-1 and contributing member of the SIG. “Contact center agents often need access to single business systems, which are accessible by all departments within an organization, thus bringing most of the business into scope for PCI DSS assessment activities. Plus, integration with VoIP systems make it nearly impossible to simplify the current payment channel to reduce scope.”

Addressing common compliance questions and misconceptions, and introducing multiple new appendices, the revised Protecting Telephone-based Payment Card Data guidance discusses:

  • Call Recordings: As call recorders may contain cardholder data (CHD) and sensitive authentication data (SAD), they must undergo additional controls. For example, recordings that contain CHD/SAD must be securely deleted, while the contact center should only allow single call recordings to be retrieved or listened to by an authorized senior manager. The guidance also provides considerations around monitoring the effectiveness of controls for call recordings with, in particular, Data Leak Detection and Data Leak Protection.
  • Pause and Resume: Solutions based on the Pause and Resume approach, at best, may prevent the capture of CHD/SAD on call recordings. Although a properly implemented Pause and Resume solution could reduce the applicability of PCI DSS by taking call recordings and storage systems out of scope, the technology does not reduce PCI DSS applicability to the agent, the agent desktop environment or any other systems in the telephone, chat or agent environment. The new guidelines specify a need for greater supervision of manual systems and prescribe testing for automated systems.
  • Third-party Service Providers: The guidelines specify when a telecommunications provider is in or out of PCI DSS scope, and note that those providing more than a “communications link” have PCI DSS compliance responsibilities.
  • VoIP, Softphones and Encryption: The emergence of VoIP and softphones create an opportunity for massive “scope creep,” as they are often connected to the desktop environment processing payments. Therefore, contact centers must segment their data and telephony networks, otherwise, they will require a host of additional PCI DSS controls.
  • Session Initiation Protocol (SIP) Redirection: The guidelines map the responsibilities and scoping of telephony architecture to support the merchant and QSA

Lastly, the updated guidance describes scope reduction techniques and technologies, including managed and unmanaged dual-tone multi-frequency (DTMF) masking solutions, like Semafone’s Cardprotect. Cardprotect reduces the scope of PCI DSS compliance by removing CHD and other personally identifiable information (PII) from the contact center environment. Callers directly enter their card numbers via their telephone keypad and the DTMF tones are masked with flat tones on the receiving end. This keeps the agent or interactive voice response (IVR) system on the line with the caller, while rendering the digits indecipherable to them, call recording technology and other desktop applications.

The card data is sent directly to the payment processor, bypassing the contact center completely and removing it from the CDE. As a result, merchants simplify compliance and avoid hefty noncompliance fines, while safeguarding data, maintaining customer trust and reducing the risk of a brand-damaging data breach.
As Jean-Louis LaMacchia, Standards Development Manager and Chair of the Protecting TelephoneBased Payment Card Data SIG, stated in a blog, “Wherever possible, solutions that minimize exposure of personnel to account data should be considered. To prevent unauthorized access to account data, technologies should be secured and checked regularly for viruses or other malware as well as for signs of physical tampering—for example, the addition of a keyboard-logging device. Home-based and remote workers should always use multi-factor authentication when connecting to the telephone environment or to any systems which processes account data.”

Rafferty concluded, “I urge all contact center professionals to take the time to read these new guidelines and determine how they can abide by Semafone’s mantra, ‘No one can hack the data you don’t hold.'”