Last month the Payment Card Industry Security Standards Council (PCI SSC) issued updated guidance for protecting phone-based payment card data. This comprehensive overhaul is the first update to the guidance since 2011 and applies to all organisations taking payment information from customers over the phone.
Since the last update much has changed in contact centre technology, operations and data collection methodologies. Voice and data networks are increasingly converging and contact centres are using Voice over Internet Protocol (VoIP) and other technologies such as interactive voice response (IVR) systems, dual-tone multi-frequency (DTMF) masking solutions and soft-phones to interact with customers and accept payments. As a result, there has been growing confusion and uncertainty among businesses about what is and isn’t in scope for PCI DSS compliance.
Under the previous version of the guidance, the full impact of VoIP technology was often drastically underestimated when scoping PCI DSS environments, or was simply assessed incorrectly. The new guidance makes it very clear that VoIP is in scope for PCI DSS compliance. Furthermore, many organisations were confused about when the services and technologies provided by their telecom service provider or other third-party partners fell within scope.
Internet Service Providers (ISPs) and telecommunications providers are quite rightly deemed out of scope when providing just the communication link, i.e. internet provision, ISDN lines and SIP trunks. But today they often provide additional services that have visibility of cardholder data or can affect the security of cardholder data. Examples include services such as call recording, call recording storage, call analytics and more. In fact, even networks and systems that are not directly involved in the payment process, but that have connectivity to payment systems or to the telephony environment where payment card data is stored, processed or transmitted, should be considered in scope. Examples can include corporate intranets, finance systems and shared network directory servers – possibly the entire corporate network if it is not properly segmented.
Devices that control Session Initiation Protocol (SIP) redirection are now in PCI DSS scope. The new guidance recognises that redirecting a call to a secured line, just for the payment step itself, exposes that call to a potential risk of interception or diversion by attackers. As a result, all such devices controlling redirection, whether on site or off site, are considered vulnerable, fall into scope for PCI DSS and are therefore subject to the full range of controls.
Managing PCI DSS compliance in your business communications and telephony systems may seem a complex and daunting task, but it doesn’t need to be. To help make PCI DSS compliance within your contact centre easier, Colt has partnered with Semafone to provide its award-winning Cardprotect solution to our customers. Cardprotect makes it easy to accept payments over the phone and strengthen data security, while meeting PCI DSS compliance – all without compromising the customer experience.
By ensuring that sensitive payment card data never touches the contact centre’s network infrastructure, Cardprotect dramatically reduces the scope of PCI DSS compliance, reducing both cost and complexity. In addition to being essential for businesses that take payments over the phone, PCI DSS compliance provides many other benefits, including a reduced risk of fraud and data breaches, as well as faster payment processing and improved average handling times (AHT) in the contact centre. Most importantly, stronger data security and compliance practices will give your customers peace of mind, knowing that their most sensitive data is safe and secure when they do business with you.
Learn more about how Colt provides secure payments processing and streamlined PCI DSS compliance for contact centres.
Download Semafone’s guide to the new regulations.
Tim Cook is a Director – Digital Transformation, at Colt Technology Services