In November 2018 the Payment Card Industry Security Standards Council (PCI SSC) published the renewed and long-awaited guidelines Protecting Telephone-Based Payment Card Data v3.0. While the previous version, dating from 2011, was a fairly high-level overview, the current one is a detailed, in-depth document of more than 60 pages.

The document builds on three main pillars: people, process and technology.

  1. People, as always the weakest link, and the highest risk when it comes to the security of telephone-based payment card data.
  2. Processes, which relate to people and need to be adapted for each scenario.
  3. Technology, which supports both people and processes.

A lot of attention in the document is rightly given to scoping and to the applicability of PCI DSS to telephony environments. Of the three pillars, however, technology gets the most attention: the document covers the security of the overall IT infrastructure, architectural aspects, desktop systems, softphones, DTMF (Dual-Tone Multi-Frequency), and voice and screen recordings. Technologies are categorized as attended or unattended and as telephony-based or digital-based, giving four options in a 2x2 matrix. Depending on the technologies in use, different scope-reduction methods are suggested, for example DTMF suppression or masking for attended, telephony-based technologies, alongside the other common forms of scope reduction: pause-and-resume, physical segmentation, or complete outsourcing to a specialist third-party service provider.
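DTMF masking is the scope-reduction method the guidelines point to for attended, telephony-based capture: the caller keys the card number on the handset, the tones are decoded on a secured path, and the audio that reaches the agent desktop and the call recorder has the tones removed, so neither system ever holds the PAN. The following is an added example, not code from the PCI SSC document or from this post, that shows the mechanics end to end: it constructs its own DTMF audio (with a quiet 300 Hz hum standing in for the caller's voice), decodes the digits with the Goertzel algorithm, and zeroes the tone frames plus a margin. The frame length, the power threshold, the one-frame margin and the function names are assumptions for illustration, not values from the guidelines.

```python
import math

SAMPLE_RATE = 8000          # narrowband telephony audio, 8 kHz
FRAME = 205                 # 25.6 ms, the classic Goertzel frame length for DTMF
POWER_THRESHOLD = 100.0     # assumed: tuned to the constructed tone amplitude below
LOW_FREQS = [697, 770, 852, 941]
HIGH_FREQS = [1209, 1336, 1477, 1633]
KEYPAD = ["123A", "456B", "789C", "*0#D"]   # KEYPAD[low_index][high_index]


def synth_dtmf(digits, tone_ms=100, gap_ms=200, amp=0.4, hum_amp=0.05):
    """Constructed test input: DTMF keypresses separated by pauses, with a
    quiet 300 Hz hum mixed over the whole clip as a stand-in for the caller's
    voice (it must survive masking, while the tones must not)."""
    samples = []
    n_tone = SAMPLE_RATE * tone_ms // 1000
    n_gap = SAMPLE_RATE * gap_ms // 1000
    for d in digits:
        row = next(i for i, keys in enumerate(KEYPAD) if d in keys)
        col = KEYPAD[row].index(d)
        f_low, f_high = LOW_FREQS[row], HIGH_FREQS[col]
        for n in range(n_tone):
            t = n / SAMPLE_RATE
            samples.append(amp * (math.sin(2 * math.pi * f_low * t)
                                  + math.sin(2 * math.pi * f_high * t)))
        samples.extend([0.0] * n_gap)
    return [x + hum_amp * math.sin(2 * math.pi * 300 * n / SAMPLE_RATE)
            for n, x in enumerate(samples)]


def goertzel_power(frame, freq):
    """Signal power at a single frequency (Goertzel algorithm, no FFT needed)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / SAMPLE_RATE)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def classify_frame(frame):
    """Return the DTMF digit carried by this frame, or None."""
    low = [goertzel_power(frame, f) for f in LOW_FREQS]
    high = [goertzel_power(frame, f) for f in HIGH_FREQS]
    row = max(range(4), key=low.__getitem__)
    col = max(range(4), key=high.__getitem__)
    if low[row] < POWER_THRESHOLD or high[col] < POWER_THRESHOLD:
        return None
    # A keypress has exactly one dominant tone per group; speech does not.
    if low[row] < 4 * max(p for i, p in enumerate(low) if i != row):
        return None
    if high[col] < 4 * max(p for i, p in enumerate(high) if i != col):
        return None
    return KEYPAD[row][col]


def split_for_scope(samples, min_frames=2):
    """Decode the keyed digits for the payment path and return the audio that
    may reach the agent desktop and the call recorder, with the tones masked."""
    labels = [classify_frame(samples[s:s + FRAME])
              for s in range(0, len(samples), FRAME)]
    # A run of >= min_frames identical labels is one keypress.  A None frame
    # ends the run, so repeated digits such as "11" are counted separately.
    digits, run_digit, run_len = [], None, 0
    for label in labels + [None]:
        if label is not None and label == run_digit:
            run_len += 1
            continue
        if run_digit is not None and run_len >= min_frames:
            digits.append(run_digit)
        run_digit, run_len = label, 1
    # Zero every frame that carries a tone, plus one frame of margin on each
    # side, so the partial tone at a keypress edge does not leak into the recording.
    masked = list(samples)
    for i, label in enumerate(labels):
        if label is None:
            continue
        for j in range(max(0, i - 1), min(len(labels), i + 2)):
            lo, hi = j * FRAME, min(len(samples), (j + 1) * FRAME)
            masked[lo:hi] = [0.0] * (hi - lo)
    return "".join(digits), masked


if __name__ == "__main__":
    pan = "4111111111111111"          # a well-known test card number, not real data
    digits, agent_audio = split_for_scope(synth_dtmf(pan))
    print("to payment path :", digits)
    print("in agent audio  :", repr(split_for_scope(agent_audio)[0]))
```

The point to take from running it is the split itself: the decoded digits exist only on the return value that goes to the payment path, while the masked stream still carries the hum (the caller's voice in a real deployment) but decodes to nothing. A production masking product also has to handle the caller's handset timing, speech that briefly looks like a tone, and the case where the masking component itself fails open, which is why the guidelines treat the masking technology, not just the agent desktop, as part of the assessment.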

Another dedicated section covers third-party service providers, with reference to PCI DSS requirement 12.8 and the PCI SSC Guidelines for Third-Party Security Assurance. A number of common telephony-related services are described: PBX (Private Branch Exchange), SIP (Session Initiation Protocol) trunking, IVR (Interactive Voice Response), fraud detection and monitoring, voice analytics and, last but not least, call recording.

Finally, Appendix E is dedicated to VoIP (Voice over IP) usage and security: protocols, ports and networks, VoIP attacks and vulnerabilities, encryption and eavesdropping, and unified communications.

The document is a must-read for any call center handling payment card data, and any company outsourcing call center services should at least read section 7, 'Third-Party Service Providers'.

Our PCI DSS experts are always up to date on new versions of the PCI DSS standards. Contact us if you need help or a consultation on protecting telephone-based payment card data.


Written by Irmantas Brazaitis

Information security professional with 12+ years of experience in information security consulting, 2+ years of experience as an information security manager, and 2+ years of experience in large-scale governmental IT project management. Developed and delivered PCI DSS Implementation and ATM Security training sessions in 15+ countries. Certified as a Qualified Security Assessor (QSA) by the PCI Security Standards Council, and holds CISM, CISA and CISSP certifications in good standing.