In November 2018 the Payment Card Industry Security Standards Council (PCI SSC) published the renewed and long-awaited guidelines for Protecting Telephone-Based Payment Card Data v3.0. While the previous version of the guidelines, dating back to 2011, was quite a high-level overview, the current one is a detailed, in-depth document of 60+ pages.
The document builds on three main pillars: people, process and technology.
A lot of attention in the document is rightly given to scoping and to PCI DSS applicability to telephony environments. Of the three pillars, however, technology receives the most attention: the document covers the security of the overall IT infrastructure, architectural aspects, desktop systems, softphones, DTMF (Dual-Tone Multi-Frequency), and voice and screen recordings. Technologies are categorized as attended or unattended and as telephony-based or digital-based, giving four options in a small 2x2 matrix. Depending on which technologies are used, different scope reduction methods are suggested: for example, DTMF suppression or masking for attended telephony-based technologies, as well as the other common forms of scope reduction, namely pause-and-resume, physical segmentation, or complete outsourcing to a specialist third-party service provider.
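As an added illustration of the DTMF masking method mentioned above (example code written for this post, not from the PCI SSC guidelines or any vendor product), the filter below takes a constructed stream of DTMF events from an attended call and masks card data before the recording or event log is stored; the run-grouping, Luhn and security-code heuristics are assumptions, not a specification taken from the document.

```python
def luhn_ok(digits: str) -> bool:
    # Standard Luhn check: a digit run that fails it is not treated as a PAN
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def _digit_runs(events, max_gap):
    # Indices of digits typed within max_gap seconds of the previous one;
    # '*', '#' (assumed IVR terminators) or a longer pause close the run
    runs, cur = [], []
    for i, (t, digit) in enumerate(events):
        if digit.isdigit() and (not cur or t - events[cur[-1]][0] <= max_gap):
            cur.append(i)
        else:
            if cur:
                runs.append(cur)
            cur = [i] if digit.isdigit() else []
    if cur:
        runs.append(cur)
    return runs

def mask_dtmf(events, max_gap=3.0):
    # Copy of the (time, digit) stream with PAN digits replaced by '*' (last
    # four kept, as PCI DSS display masking allows) and a 3-4 digit run right
    # after a PAN (assumed security code) wiped, since SAD may never be stored
    out = list(events)
    after_pan = False
    for run in _digit_runs(events, max_gap):
        digits = "".join(events[i][1] for i in run)
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            for i in run[:-4]:
                out[i] = (out[i][0], "*")
            after_pan = True
        elif after_pan and len(digits) in (3, 4):
            for i in run:
                out[i] = (out[i][0], "*")
            after_pan = False
        else:
            after_pan = False
    return out

def rendered(events) -> str:
    return "".join(d for _, d in events)

# Constructed sample call: test PAN 4111..., '#', security code 123, menu choice 2
CALL = [(0.5 + 0.4 * i, d) for i, d in enumerate("4111111111111111")]
CALL += [(7.5, "#")] + [(8.0 + 0.4 * i, d) for i, d in enumerate("123")] + [(15.0, "2")]
```

Running `rendered(mask_dtmf(CALL))` on the sample gives `************1111#***2`, so the stored record keeps only the last four PAN digits and no security code, while menu input is untouched.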
Another dedicated section covers third-party service providers, with reference to PCI DSS requirement 12.8 and the PCI SSC Guidelines for Third-Party Security Assurance. A number of common telephony-related services are described: PBX (Private Branch Exchange), SIP (Session Initiation Protocol) trunking, IVR (Interactive Voice Response), fraud detection/monitoring, voice analytics, and last but not least, call recording.
Finally, Appendix E is a dedicated section on VoIP (Voice over IP) usage and security, including protocols, ports and network considerations, VoIP attacks and vulnerabilities, encryption and eavesdropping, and unified communications.
The document is a must-read for any call center that handles payment card data, and any company outsourcing call center services should at least take a look at section 7, ‘Third-Party Service Providers’.
Our PCI DSS experts are always up to date when it comes to new versions of the PCI DSS standards. Contact us if you need help or consultation on protecting telephone-based payment card data.
PCI QSA and Information Security professional with more than 14 years of experience within the payment card industry. I’ve been involved in dozens of ATM compliance and security projects, having worked for global payment service providers alongside the Fraud team, engaged in the end-to-end fraud prevention process (from monitoring of suspicious transactions to the seizure of criminals).
Certified as Qualified Security Assessor (QSA) by PCI Security Standards Council.