Securing Telephony for PCI DSS
Many organisations accept payment card details through a variety of payment channels. In addition to face-to-face, e-commerce and mail order, payment details can also be taken over the telephone. Organisations that accept payment details over the telephone may decide to record the telephone call for regulatory purposes or simply to improve the customer experience. However, as these calls may contain cardholder data including Sensitive Authentication Data (i.e. the three-digit or four-digit security or verification code on the card), storing this sensitive authentication data after a transaction has been authorised is in breach of the operating regulations of the card associations and of the PCI DSS.
In March 2011, the PCI SSC issued an updated version of the PCI DSS Information Supplement “Protecting Telephone-based Payment Card Data”, providing guidance for those who accept cardholder data over the telephone. This article provides a high level overview of the PCI DSS information supplement and covers the following areas of impact:
- Importance of securing payment card telephone calls;
- PCI DSS applicability for telephony systems;
- Call recording;
- General approach to review call recording;
- Hints and Tips for Call Recording;
- Summary of telephony systems;
- Conclusions.
These areas are discussed further in the following subsections.
Importance of securing payment card telephone calls
Over time, improved computer security awareness and management practices have meant that the risks of externally facing network vulnerabilities are increasingly being mitigated by securing computer networks and computer applications. Therefore, malicious users are focusing on other means of obtaining sensitive data and telephony systems add another opportunity to do so. If an attacker is able to access an unsecured telephony system, it is a trivial task to download the calls, replay the calls and ultimately access sensitive information. It is vital that the task of securing telephony systems is not neglected.
PCI DSS applicability for telephony systems
To understand whether telephony systems are in scope for PCI DSS, we remind ourselves that a system is in scope for PCI DSS if it processes, stores or transmits cardholder data. Therefore, if payment card details are received by phone, the telephony system is in scope for PCI DSS.
Call recording and PCI DSS requirements
The following is a table showing what payment card details are acceptable for electronic storage from a PCI DSS perspective.

This table shows that in terms of cardholder data, PAN may be stored. However, PAN must be rendered unreadable and therefore mechanisms must be in place to meet PCI DSS requirement 3.4.
More importantly, sensitive authentication data must not be stored post-authorisation (even if encrypted). This means that storing this data in any digital format (such as WAV, MP3, etc.) is in breach of PCI DSS requirement 3.2.
This is often a major pitfall in achieving compliance and although technology solutions are available, they may represent a significant financial, human and/or technical investment. Technology solutions can be either:
- Active: prevents sensitive authentication data from being captured in the call recording in the first place;
- Passive: strips sensitive authentication data out of the recordings after the call.
Note that storage of sensitive authentication data may be permitted only if it is proven and evident to your QSA that these data elements cannot be data-mined.
General approach to review call recording
The PCI SSC has provided an excellent flow chart describing the decision process for voice recordings. Here we summarise the flow chart:
- If you accept cardholder data you are in scope for PCI DSS. Processing and transmission remains in scope for PCI DSS;
- If your calls are recorded, then storage location is in scope for PCI DSS;
- If your calls contain Sensitive Authentication Data (SAD), active technology must be used to prevent storing SAD;
- If you cannot implement active technology to prevent SAD storage, use passive technology to remove SAD from call recordings post-authorisation;
- If you cannot remove SAD, then you must demonstrate that SAD cannot be queried and a compensating control will be required, detailing the technical limitation;
- If SAD can be queried, this is not PCI DSS compliant and you must seek another solution.
Hints and Tips for Call Recording
General tips for call centres:
- Store all data in accordance with your business retention, secure storage and secure disposal policies. This applies to any physical or electronic (recording server and CRM solutions) storage of cardholder data;
- Never store the card verification code on any medium. If this is difficult, then you should discuss the technical or business reasons why this cannot be achieved with your acquiring bank.
General tips for masking data:
- Restrict access to full PAN on a need-to-know basis;
- Understand all call centre roles and consequently segment operations in order to minimise the number of agents who have access to cardholder data. For example, sales agents may need to engage with the customer to accept cardholder data, whereas customer service representatives may not need to collect or view cardholder data;
- Seek solutions that avoid having the agent enter cardholder data into the system;
- If payment solutions require the agent to enter cardholder data, ensure the data is masked after it has been verified;
- Ensure that the systems render the cardholder data unreadable (truncating, hashing or using strong cryptography).
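The two approaches above (stripping sensitive authentication data out of recordings, and rendering the PAN unreadable by truncation or strong cryptography) can be illustrated on a text transcript. The following is an added example written for this article, not code from the PCI SSC or from any call-recording product. It assumes a constructed transcript, uses Luhn validation to pick out card numbers, masks them to the first six and last four digits, keeps an HMAC (keyed hash) in place of the full PAN for later matching, and redacts the 3- or 4-digit code that follows a "security code" style prompt. The keyword list, the hash key and the transcript are all assumptions made for the example.

```python
import hashlib
import hmac
import re

# Constructed sample: a hypothetical text transcript of a recorded payment call.
SAMPLE_TRANSCRIPT = (
    "Agent: Can I take the card number please?\n"
    "Customer: Sure, it is 4111 1111 1111 1111, expiry 12/25.\n"
    "Agent: And the security code on the back?\n"
    "Customer: 123.\n"
    "Agent: Thank you, the order reference is 98765432.\n"
)

# Constructed key for the keyed hash; a real deployment would fetch this from a key store.
HASH_KEY = b"example-key-not-for-production"

# 13 to 19 digits, optionally separated by single spaces or hyphens, starting and ending on a digit.
DIGIT_RUN = re.compile(r"\d(?:[ -]?\d){12,18}")
# A 3- or 4-digit code that follows an (assumed) prompt for the verification code within 60 chars.
SAD_CONTEXT = re.compile(
    r"\b(security code|verification code|cvv2?|cvc2?|cid)\b(.{0,60}?)(\b\d{3,4}\b)",
    re.IGNORECASE | re.DOTALL,
)


def luhn_valid(digits):
    """Return True when the digit string passes the Luhn check (used to tell PANs from other numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Truncate a PAN so that at most the first six and last four digits remain readable."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def hash_pan(digits):
    """Keyed hash of the full PAN; an unkeyed hash would be brute-forceable over the small PAN space."""
    return hmac.new(HASH_KEY, digits.encode(), hashlib.sha256).hexdigest()


def redact_transcript(text):
    """Return (redacted text, list of PAN hashes found, number of verification codes removed)."""
    pan_hashes = []

    def pan_sub(match):
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_valid(digits):
            return raw  # order references and similar digit runs are left alone
        pan_hashes.append(hash_pan(digits))
        return mask_pan(digits)

    text = DIGIT_RUN.sub(pan_sub, text)

    sad_count = 0

    def sad_sub(match):
        nonlocal sad_count
        sad_count += 1
        return match.group(1) + match.group(2) + "[REDACTED]"

    text = SAD_CONTEXT.sub(sad_sub, text)
    return text, pan_hashes, sad_count


if __name__ == "__main__":
    redacted, hashes, removed = redact_transcript(SAMPLE_TRANSCRIPT)
    print(redacted)
    print("PAN hashes:", hashes, "verification codes removed:", removed)
```

Note that the redacted transcript still contains the masked PAN, which PCI DSS permits, while the verification code is removed entirely rather than masked, because requirement 3.2 forbids keeping it in any form after authorisation. Real recordings are audio rather than text, so a production solution works on the speech-to-text or DTMF layer, but the decision logic is the same.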
General tips for transmitting data:
- Always use strong cryptography when transmitting any cardholder data over public networks. This data includes any data that may contain the full PAN, including screen data and voice recordings;
- Strong encryption protocols include SSL/TLS, Secure Shell (SSH) or IPsec;
- Use VoIP only if the VoIP system uses strong cryptography. Otherwise, use analog phones;
- Avoid using end-user messaging systems (chat programs, emails etc) to send cardholder data. If required, then ensure payment cardholder data is always sent in an encrypted format;
- Ensure that cardholder data is never repeated aloud.
General tips for user authentication:
- For call recording data and CRM data, ensure that the payment card data is only accessible by those authorised to do so, for example by managers and compliance officers for legal purposes. Supervisors and QA specialists should not normally need access to the card data within call recordings;
- Ensure all remote access to systems uses two-factor authentication;
- Ensure each user has a unique ID and that user accounts and passwords are not shared.
General tips for information security policies:
- Ensure all standard operating procedures support the information security policies;
- The information security policies should clearly define the roles and responsibilities of personnel. Assign security responsibilities to named individuals or teams;
- Ensure that all staff with security responsibilities receive security training at least annually through a formal security awareness programme;
- Ensure the information security policies and procedures are reviewed at least annually to ensure they are still effective;
- For those involved in handling sensitive or confidential data, ensure background checks are conducted prior to hire;
- Ensure that remote-access users are prohibited from copying, moving or storing cardholder data on local media.
General tips for cardholder data on storage media:
- First, no Sensitive Authentication Data (such as card verification code) should be stored on electronic media;
- Physical and logical restrictions should be in place for accessing stored recordings. Any access to the data should be logged;
- The solution for storing and archiving the call recordings should be secure. The solution should be able to provide strong authentication, log all access and provide reporting facilities.
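The access logging and reporting asked for above, together with the earlier point that supervisors and QA specialists should not normally need the card data in recordings, are only useful if someone actually reviews the logs. The following is an added example written for this article, not part of any call-recording product; it assumes a constructed CSV access log with the columns timestamp, user, role, action and recording_id, and assumed role names. It flags two things: any playback or download by a role outside the approved set, and any user who downloads an unusual number of recordings in a short window, which is the bulk retrieval that makes an exposed recording store so damaging.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample access log from a hypothetical call-recording archive.
# Columns: timestamp, user, role, action, recording_id
SAMPLE_ACCESS_LOG = """\
2011-06-01T09:00:12Z,alice,manager,play,rec-1001
2011-06-01T09:05:40Z,bob,qa_specialist,play,rec-1002
2011-06-01T09:06:02Z,bob,qa_specialist,download,rec-1003
2011-06-01T10:00:00Z,carol,compliance,download,rec-1004
2011-06-01T11:00:00Z,dave,manager,download,rec-2001
2011-06-01T11:00:05Z,dave,manager,download,rec-2002
2011-06-01T11:00:09Z,dave,manager,download,rec-2003
2011-06-01T11:00:15Z,dave,manager,download,rec-2004
2011-06-01T11:00:20Z,dave,manager,download,rec-2005
2011-06-01T11:00:24Z,dave,manager,download,rec-2006
"""

# Assumed role names for the roles the article says have a legitimate need for recordings.
ALLOWED_ROLES = {"manager", "compliance"}
# Assumed thresholds: this many downloads by one user inside the window is treated as bulk retrieval.
BULK_THRESHOLD = 5
BULK_WINDOW = timedelta(minutes=10)


def parse_log(text):
    """Parse the CSV access log into a list of dicts with a datetime timestamp."""
    rows = []
    for row in csv.reader(StringIO(text)):
        if not row:
            continue
        ts, user, role, action, recording_id = row
        rows.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "role": role,
            "action": action,
            "recording_id": recording_id,
        })
    return rows


def find_role_violations(rows):
    """Every access by a role that should not be touching recordings at all."""
    return [r for r in rows if r["role"] not in ALLOWED_ROLES]


def find_bulk_downloads(rows, threshold=BULK_THRESHOLD, window=BULK_WINDOW):
    """Map user -> peak number of downloads inside any sliding window, for users over the threshold."""
    by_user = defaultdict(list)
    for r in rows:
        if r["action"] == "download":
            by_user[r["user"]].append(r["ts"])
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window start until the window fits, then count what is inside.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


def review_access_log(text):
    """Run both checks and return the findings as plain data for a report."""
    rows = parse_log(text)
    return {
        "role_violations": [
            (r["user"], r["role"], r["action"], r["recording_id"])
            for r in find_role_violations(rows)
        ],
        "bulk_downloads": find_bulk_downloads(rows),
    }


if __name__ == "__main__":
    for name, findings in review_access_log(SAMPLE_ACCESS_LOG).items():
        print(name, findings)
```

On the sample log, bob's two accesses are flagged because the QA role is outside the approved set, and dave is flagged for six downloads in under a minute even though his role is approved: role checks and volume checks catch different problems, so both belong in the report.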
General tips for call centres to meet PCI DSS:
- Ensure there is no direct access between the call recording solution and the internet;
- Ensure the call recording systems are securely installed, securely configured and regularly tested for vulnerabilities;
- Any machine accessing the system remotely (such as PCs and laptops) must have personal firewalls installed and configured correctly;
- Any machine accessing the system remotely (such as PCs and laptops) must have personal anti-virus installed, configured correctly and updated to the latest software and virus definitions;
- Only company-approved technology may be used by personnel.
Summary of Telephony System
A summary of important points is as follows:
- Card verification value (sensitive authentication data) may not be stored post-authorisation;
- PCI DSS applies to telephony systems where cardholder data is stored, processed or transmitted.
Conclusions
Where call recording is required for regulatory purposes, organisations must adhere to these requirements and ensure mechanisms are in place to prevent storage of SAD (storing it breaches PCI DSS requirement 3.2).
For those who are not mandated to use call recording, the technology is a nice feature to have. However, with many organisations trying to meet PCI DSS, they should review whether it is cost-effective to use and maintain call recording. Often, alternative means can be used to provide the same level of information to maintain employee training and customer experience.
There should be clear and concise policies and procedures governing how employees are selected and trained, to mitigate the risk of polluting calls with cardholder data that could lead to a breach.
The use of applications should facilitate PCI DSS and be flexible enough to adapt to any changes in regulations and industry standards.
Consider whether implementing all these PCI DSS controls is cost-effective compared to using POTS – the Plain Old Telephone System with no call recording.
Final Reminder
If you are aiming for PCI DSS compliance in the future or are planning to introduce telephony systems for taking payment card details, please speak to your QSA well in advance of your assessment.
For further information on our PCI compliance services, please contact one of our Sales representatives by calling +353 (0)1 495 1300 or by completing our Online Enquiry Form or Request a Call Back Form.