In November 2018, the Payment Card Industry Security Standards Council (PCI SSC) unveiled its newly revised guidance for Protecting Telephone-based Payment Card Data. Updated for the first time since 2011, this guidance underscores the urgency for protecting telephone-based payments in light of the evolving technology, and an ever-changing regulatory and fraud landscape.
The highly anticipated new guidance provides a much clearer path for retail contact centers looking to ensure compliance with the Payment Card Industry Data Security Standard (PCI DSS) and provides critical recommendations on new technologies and processes for securing payment card data.
Why A Change Was Needed
Over the last few years, retailers have seen significant changes in technology, contact center operations and data collection methodologies. Some of the most notable changes include:
● The mainstream migration to Voice over Internet Protocol (VoIP) telephony
● The widespread adoption of interactive voice response (IVR) systems
● More contact centers are integrating chat functionality (including artificial intelligence-powered chatbots)
● Organizations are embracing on-call seasonal agents, many working remotely from their own home
● The Cardholder Data Environment (CDE) of the contact center, as well as the locations, systems and networks touching the payment transaction process, has sprawled — increasing the complexity of security implementations and the systems required for compliance and incident monitoring
The convergence of voice and data networks has also led to a number of compliance challenges, from expanding scope to adding potential new attack vectors for card not present (CNP) fraud.
Key Points And Recommendations For Retailers
The new guidance brings more clarity on how retailers can reduce PCI DSS scope and mitigate risks with the application of new technologies and tighter controls. Here’s a quick rundown of the most crucial points:
● Call Recorders Need Additional Controls: Because call recordings may contain cardholder data (CHD) and sensitive authentication data (SAD), they require additional controls. For example, recordings that contain CHD/SAD must be securely deleted, and the contact center should only allow individual call recordings to be retrieved or listened to by an authorized senior manager. The guidance also discusses monitoring the effectiveness of call-recording controls, in particular through Data Leak Detection and Data Leak Protection.
● Pause and Resume Solutions Need More Supervision: Solutions based on this approach may, at best, prevent the capture of CHD/SAD on call recordings. A proper Pause and Resume solution could reduce the applicability of PCI DSS by taking call recordings and storage systems out of scope, but the technology does not reduce PCI DSS applicability to the agent, nor to their desktop, phone or chat environment. The new guidelines specify a need for greater supervision of manual systems and prescribe testing for automated systems.
● VoIP, Softphones Must Be Segmented: The adoption of VoIP and softphones creates an opportunity for massive “scope creep,” as they are often connected to the desktop environment that processes payments. Therefore, contact centers must segment their data and telephony networks; otherwise they will require a host of additional PCI DSS controls.
Among the guidance's recommendations, masking solutions stand out as one of the most effective ways of keeping sensitive authentication data completely out of the call center and maintaining PCI DSS compliance. DTMF masking solutions can be used to securely capture and process credit card payments taken over the telephone. Instead of having a customer read their credit card number aloud to the contact center agent, the customer simply enters the card number on their telephone keypad. During this process, the incoming DTMF tones are intercepted and the agent is presented with masked (flat tone) digits on their desktop in real time.
Once the customer has entered the number and the system has verified that it is well-formed, the solution passes the transaction data directly to the payment service provider (PSP) for processing, bypassing the agent and their desktop. Throughout the transaction, no sensitive data enters the contact center, and none is stored or recorded there. Additionally, DTMF masking solutions never require a call to be rerouted or transferred: agents remain in constant verbal communication with the customer while taking a payment, so they can easily assist if any issues arise. With DTMF masking, merchants can simplify compliance and avoid hefty noncompliance fines, all the while safeguarding data, maintaining customer trust and reducing the risk of a brand-damaging data breach.
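The flow described above, as an added illustration that is not part of the original article and not Semafone's or any vendor's code: a simplified masking proxy sits between the telephony channel and the agent desktop, intercepts keypad (DTMF) digits during a capture window, shows the agent only a masked marker per digit, and forwards the full card number over its own channel to a stand-in PSP, so neither the agent desktop nor anything recording the agent's session ever holds the PAN. The class and function names (MaskingProxy, AgentDesktop, FakePsp, demo) and the test card number are constructed for this example; the Luhn check is included only to reject obvious mis-keying before anything is sent to the PSP.

```python
from dataclasses import dataclass, field
from typing import List, Optional

DTMF_DIGITS = set("0123456789")


def luhn_valid(pan: str) -> bool:
    """Luhn checksum over a digit string (rejects mis-keyed numbers early)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                     # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class AgentDesktop:
    """Everything the agent sees; a screen or call recorder sees the same events."""
    events: List[str] = field(default_factory=list)


@dataclass
class FakePsp:
    """Constructed stand-in for the payment service provider (hypothetical)."""
    received_pans: List[str] = field(default_factory=list)

    def charge(self, pan: str, amount_cents: int) -> str:
        self.received_pans.append(pan)
        return f"tok_{pan[-4:]}_{amount_cents}"   # returns a token, never the PAN


class MaskingProxy:
    """Sits between the telephony channel and the agent desktop (hypothetical)."""

    def __init__(self, agent: AgentDesktop, psp: FakePsp) -> None:
        self.agent = agent
        self.psp = psp
        self._pan: List[str] = []          # the only place digits are ever held
        self.capturing = False
        self.amount_cents = 0

    def start_capture(self, amount_cents: int) -> None:
        """Agent triggers capture; from now on digits are masked, not forwarded."""
        self.amount_cents = amount_cents
        self._pan = []
        self.capturing = True
        self.agent.events.append("[capture started]")

    def on_dtmf(self, tone: str) -> Optional[str]:
        """Handle one keypad tone; returns the event forwarded to the agent."""
        if not self.capturing:
            # Outside a capture window (e.g. IVR menu choices) tones pass through.
            self.agent.events.append(tone)
            return tone
        if tone == "#":                    # customer confirms entry
            return self._complete()
        if tone in DTMF_DIGITS:
            self._pan.append(tone)
            self.agent.events.append("*")  # masked/flat-tone marker, never the value
            return "*"
        return None                        # other keys ignored while capturing

    def _complete(self) -> str:
        pan = "".join(self._pan)
        self._pan = []                     # discard digits whatever the outcome
        self.capturing = False
        if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
            msg = "[invalid card number, ask customer to re-enter]"
        else:
            token = self.psp.charge(pan, self.amount_cents)   # direct proxy-to-PSP channel
            msg = f"[payment submitted, token {token}]"
        self.agent.events.append(msg)
        return msg


def demo(pan: str = "4111111111111111", amount_cents: int = 1999) -> dict:
    """Run one constructed call: an IVR keypress, then a masked card capture."""
    agent, psp = AgentDesktop(), FakePsp()
    proxy = MaskingProxy(agent, psp)
    proxy.on_dtmf("2")                     # menu choice before capture: passes through
    proxy.start_capture(amount_cents)
    for ch in pan:
        proxy.on_dtmf(ch)
    result = proxy.on_dtmf("#")
    return {
        "agent_result": result,
        "agent_events": agent.events,
        "psp_received": psp.received_pans,
        "pan_reached_agent": pan in "".join(agent.events),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The property worth checking in a real deployment is the one `demo` reports as `pan_reached_agent`: whatever the agent desktop (and therefore screen or call recording) receives must never contain the card number, while the PSP receives it exactly once over the proxy's own channel. The "invalid" branch matters too: a mis-keyed number is dropped by the proxy and the agent is told to ask for re-entry, so the retry happens without any digits ever having left the proxy.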
How The Guidance Helps Retailers Moving Forward
The new guidance provides retailers with a much deeper understanding of the new-age risks and recommends technologies and strategies to maintain compliance and keep customer payment card data safe. These guidelines will serve retail contact centers well, as they move toward accepting an even greater volume of payments over both traditional and new communication channels — such as VoIP, webchat, softphones and chatbots.
To view the updated official guidance directly, visit here.
Ben Rafferty is responsible for heading up Product Innovation at — advising on new product development and new markets & technologies to facilitate customer compliance programs. Previously, he was responsible for the deployment of Semafone’s award-winning solutions and for the overall management of the company’s carrier cloud and cloud offering, as well as gaining and maintaining Semafone’s own PCI DSS compliant status and associated Service Provider Listings. Rafferty has more than 15 years’ experience delivering telephony-based CNP Payment Solutions through a variety of technologies such as DTMF Masking, Speech Recognition and IVR, for CPE, hosted and carrier platforms. Throughout his career he has successfully delivered programs for a wide variety of organizations including large multi-national corporations such as SAP, Deloitte, Interflora and Odeon, as well as local and central government, Parliament, the NHS and all “Blue Light” services in the UK. He also regularly works with multiple QSAs and PSPs and has delivered PCI DSS compliant operating solutions to carriers including BT, TalkTalk and Gamma in the UK, and Genesys and Rogers in North America.