Get the 4-1-1 on Updated PCI-DSS Guidance for Contact Centers

This post was co-authored by Dan Hoaglund, Senior VP of Channels North America at Semafone. 

Last November, the Payment Card Industry Security Standards Council (PCI SSC) released updated guidance for protecting telephone-based payments. In this first review of the guidance since 2011, a special interest group consisting of industry experts examined the vast changes that have taken place in the security landscape—and in contact centers. With the emergence of technologies like VoIP, softphones and chatbots, contact center managers need to sit up and take notice.  

The new guidance contains some very specific directions for Qualified Security Assessors (QSAs)—those who assess whether an organization is PCI-DSS-compliant—and clarifies many aspects of the standard. And contact centers must take certain aspects, such as call recording, very seriously. Following are some of the most important changes that extend into the environment of protecting cardholder data.

Keep VoIP and Softphones Separate

VoIP and softphones, which often are connected to the desktop environment where agents process payments, are increasingly prevalent in the contact center. However, their position has often been missed or assessed incorrectly when PCI-DSS environments were scoped. The new guidance clarifies the position of VoIP, recommending that contact centers fully segment their data and telephony networks—and that both are secured separately.

Capturing Call Recordings Could Mean More Invasive Auditing

The new guidelines also apply to call recordings and the capture of sensitive card details. “Pause-and-resume” systems, where a recording stops briefly while payment card details are taken, are now deemed to run the risk of accidentally capturing these details. It makes no difference whether the pause is automated or manual.

If a contact center uses either of these approaches, QSAs likely will demand extensive evidence of the measures used to protect sensitive data. They’re empowered to conduct invasive auditing to ensure that additional controls, such as securely deleting cardholder data and adding multi-factor authentication controls, are in place.

Third-Party Service Providers Are In Scope

If a third party provides any call service, from a transfer to a call recording, the new guidance specifies that this brings the provider into scope of PCI-DSS. The only service that’s exempt is a simple voice communications connection or dial tone.

Protect SIP Redirection Devices

The new guidance recognizes that redirecting a call to a secured line, just for the payment process itself, exposes it to a potential risk of interception or diversion by hackers. As a result, all devices controlling redirection, whether they are offsite or onsite, are considered vulnerable. This means that they fall into the scope of PCI-DSS and are subject to the full range of controls.

Removing Card Data Is the Only Secure Solution

The updated guidance also recommends scope reduction techniques and technologies, including managed and unmanaged dual-tone multi-frequency (DTMF) masking solutions like Semafone Cardprotect. These solutions remove cardholder data and other personal information from the contact center environment entirely.

Callers enter their card numbers using their telephone keypad while remaining in full communication with the agent throughout the payment process. The DTMF tones the keys emit are masked with flat “bleeps,” so hackers can’t identify numbers by their sounds or on call recordings. This is great news if your organization takes payments over the phone and needs a record of what was discussed.

But you still need to watch out for “DTMF bleed.” Ensure that there’s no misalignment of the masking and that no sound from the digits has been exposed. Even a few milliseconds could bring you back into scope for PCI-DSS.

With the right solution, you can prevent sensitive card information from coming into contact with the agent, call recording technology or any other desktop application—all while avoiding DTMF bleed. Card data is sent directly to the payment processor, bypassing the contact center completely, so nothing in the contact center is left in scope of PCI-DSS.
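One way to check a recording for the “DTMF bleed” described above is to scan it for any window that still contains a DTMF tone pair. The following is an added example and is not Semafone’s code or part of the original post; it assumes 8 kHz mono telephony audio, a 10 ms analysis window, a flat masking bleep at 400 Hz and a normalised-power threshold of 0.08 (all constructed assumptions), and it uses a Goertzel filter bank at the eight DTMF frequencies. It reports only whether a tone pair is present in a window, not which digit was pressed. The three sample recordings at the bottom are synthesised, not real call audio.

```python
"""Added example (not Semafone's code): scan call-recording audio for DTMF bleed.

Assumed scenario: during card entry the agent-side recording should contain
only the flat masking bleep. This runs a Goertzel filter bank at the eight
DTMF frequencies over short windows and flags any window where a row tone
and a column tone both carry a significant share of the energy. It detects
the presence of a tone pair only; it does not decode digits.
"""
import math

SAMPLE_RATE = 8000                       # telephony PCM rate (assumption)
ROW_FREQS = (697.0, 770.0, 852.0, 941.0)  # standard DTMF row frequencies
COL_FREQS = (1209.0, 1336.0, 1477.0, 1633.0)  # standard DTMF column frequencies
WINDOW = 80                              # 10 ms analysis window at 8 kHz
HOP = 16                                 # 2 ms hop so short bleeds are not missed
THRESHOLD = 0.08                         # normalised power per component (assumed)


def goertzel_power(frame, freq):
    """Return |X(freq)|^2 normalised by N * sum(x^2).

    A full-window pure sine at freq scores ~0.5; each tone of a DTMF pair
    scores ~0.25; a tone covering only part of the window scores less.
    """
    n = len(frame)
    energy = sum(x * x for x in frame)
    if energy == 0.0:                    # silent window: nothing to measure
        return 0.0
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / SAMPLE_RATE)
    s_prev = s_prev2 = 0.0
    for x in frame:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    power = s_prev * s_prev + s_prev2 * s_prev2 - coeff * s_prev * s_prev2
    return power / (n * energy)


def window_has_dtmf(frame):
    """True when one row and one column frequency both exceed the threshold."""
    row = max(goertzel_power(frame, f) for f in ROW_FREQS)
    col = max(goertzel_power(frame, f) for f in COL_FREQS)
    return row > THRESHOLD and col > THRESHOLD


def find_dtmf_bleed(samples):
    """Return start times (seconds) of windows that still contain a DTMF pair."""
    hits = []
    for start in range(0, len(samples) - WINDOW + 1, HOP):
        if window_has_dtmf(samples[start:start + WINDOW]):
            hits.append(start / SAMPLE_RATE)
    return hits


# --- constructed test audio (synthesised, not real call recordings) ----------
def tone(freqs, ms, amplitude=0.4):
    """Sum of sines at the given frequencies, ms milliseconds long."""
    n = int(SAMPLE_RATE * ms / 1000)
    return [amplitude * sum(math.sin(2 * math.pi * f * i / SAMPLE_RATE) for f in freqs)
            for i in range(n)]


def silence(ms):
    return [0.0] * int(SAMPLE_RATE * ms / 1000)


DTMF_5 = (770.0, 1336.0)   # tone pair for key '5'
BLEEP = (400.0,)           # the flat masking tone (assumed frequency)


def unmasked_recording():
    """Masking off: 100 ms of key '5' is audible in the recording."""
    return silence(50) + tone(DTMF_5, 100) + silence(50)


def masked_recording():
    """Correctly aligned masking: the whole key press is replaced by the bleep."""
    return silence(50) + tone(BLEEP, 100) + silence(50)


def bled_recording():
    """Misaligned masking: the bleep starts 12 ms late, exposing the digit."""
    return silence(50) + tone(DTMF_5, 12) + tone(BLEEP, 88) + silence(50)


if __name__ == "__main__":
    for name, rec in (("unmasked", unmasked_recording()),
                      ("masked", masked_recording()),
                      ("bled", bled_recording())):
        hits = find_dtmf_bleed(rec)
        print(f"{name:9s} DTMF windows: {len(hits):3d}"
              + (f"  first at {hits[0]:.3f}s" if hits else ""))
```

The check is deliberately conservative: it normalises each Goertzel output by the window’s total energy so that a masking bleep or background speech cannot trip a single-frequency threshold, and it requires both a row and a column component before flagging a window. Running it over the agent-side recordings from a sample of masked payments is a cheap way to confirm that the masking is aligned before a QSA asks the same question.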

Whatever method you choose to secure payments in your contact center—de-scoping or simply investing in additional security—be sure that you and your QSA are up-to-date on this new guidance.

For more information on Semafone, visit the AppFoundry Marketplace or watch their on-demand webinar at your convenience.