On Friday 30th November the Payment Card Industry Security Standards Council (PCI SSC) issued updated guidance for taking card payment over the phone, together with Frequently Asked Question (FAQ) guidance 1153 on “How does PCI DSS apply to VoIP?”
Overall, there are no real surprises in what the updated guideline means to be PCI DSS compliant, but it does give updated guidance and examples on the implications for protecting card data when using new telephone technologies covering SIP Trunks, Session Border Controller (SBCs) as well as Dual-Tone Multi-Frequencies (DTMF) technologies to assist with the scope reduction.
Below is a summary of what the guideline cover. Whilst this does not change the requirements for complying with PCI DSS it does give examples of what you can do to reduce scope which is worth reading.
If you would like any advice or guidance on these guidelines, please do not hesitate to contact the consulting team.
Key points of note:
- Calls over the public telephone network between the customer/cardholder and the carrier are still considered out of scope for PCI. This includes carriers who solely provide ISDN lines and SIP trunk capability and no other services.
- VoIP traffic that contains payment card account data (via spoken or tone based actions) is in scope for applicable PCI DSS controls (and this includes any connected devices that could impact the security of the payment card data.
- Where a Merchant or their Service Provider manages or controls telephony services within their network that transmits, processes or stores Cardholder Data and Sensitive Authentication Data (SAD) these services fall within the scope of PCI DSS.
- The use of DTMF technology and masking solutions is considered a suitable technology to reduce PCI scope providing considerations for “DTMF bleed” (which delays in the masking of tones such that initial portion of the DTMF tones can be heard) and assessed.
- Similarly, the use of a telephone agent handing off the payment processing to a PCI compliant web-based payment page via a message or email is also a suitable technology to reduce scope. This permits the cardholder to enter data directly into a web page rather than pass the card data over the phone to the agent.
- Even where a Service Provider provides all or part of the solution, responsibility for ensuring PCI compliance rests with the Merchant.
The guideline makes reference to the following two customer experience or contact points:
- Attended – Where the agent remains in direct voice contact with its customer for the entire duration of the telephone payment transaction.
- Unattended – Where the agent does not remain in direct voice contact with its customer for the entire duration of the telephone payment transaction, and all or part of telephone payment component of the call is handled by a different technology path (e.g., IVR or some type of redirection to a web payment process).
In addition, it refers to two types of technology to handle payment processing as follows:
- Telephony based – Where the technology application is wholly dependent on the entity’s telephony infrastructure, effectively using voice or DTMF tones, through the use of the telephone keypad, to facilitate the transaction.
- Digital-based – Where the technology application sends a message or email to the customer with a link to a PCI DSS compliant web-based payment page where the customer is invited to input their PAN and SAD using a connected device such as smartphone, tablet, laptop, or desktop computer.
The guideline provides updated information/diagrams for different telephony scenarios. It also includes some useful appendices which include:
- Glossary of terms.
- Document Quick-reference guide (to assist define the PCI compliance requirements).
- Payment Call Environment Identification Tree
- Call Recording Decision Making Process
- Further considerations on VOIP
- Further Scoping Considerations (covering SIP redirection; Examples of Simple Telephone systems; Payment Terminal connected via a VOIP telephone socket; Use of “Chat” for Card Payments).
For further information please use the links below to access the documents released: