PCI Updates Its Data Security Standard Guidance

For the first time in more than seven years, the Payment Card Industry’s Security Standards Council in November updated the corporate guidance connected to its Data Security Standards to include more of the modern channels that consumers use to make purchases. Chief among these new technologies are Voice over Internet Protocol (VoIP) softphones, which are quickly replacing traditional phone systems in many contact center settings.

“Under the previous guidance, the full impact of VoIP technology had often been drastically underestimated…or had simply been assessed incorrectly,” says Ben Rafferty, global solutions director at contact center software provider Semafone and a contributing member of the special interest group that worked with the PCI Security Standards Council to update the guidance.

The new guidance also takes into account the fact that in recent years, enterprises have been increasingly using other new technologies—including dual-tone multi-frequency (DTMF) masking solutions, interactive voice response (IVR) systems, mid-call redirection, and web chat—to interact with customers and accept payments. “These new technologies, along with the convergence of voice and data networks, have been creating scope uncertainty among businesses, which has led to a number of compliance challenges,” Rafferty explains.

Another challenge with the previous guidance, which was last issued in 2011, was that it failed to include the expanding range of services provided by internet service providers and telecommunications organizations. “When a service provider is also offering services such as call-recording, call recording storage, call analytics, or even hosted/cloud VoIP services, the potential for exposure of sensitive card holder data increases,” Rafferty says.

In general, the contact center industry has seen an increase in recorded customer conversations, which could result in unnecessary storage of payment card data information. 

The basic guidance, though, remains the same: No payment card data should ever be stored unless necessary to meet the needs of the business.

“Many organizations have historically wrongly assumed that simply enabling pause-and-resume call recording is a good enough solution, on the incorrect understanding that they are not capturing or storing card data, so, therefore, they are complying with all the PCI DSS requirements,” Rafferty says.

Beyond the basic warnings against collecting and storing credit card information, the PCI DSS recommendations and best practices provided in the new guidance are focused on people, process, and technology, according to Jean-Louis LaMacchia, standards development manager and chair of the Payment Card Industry’s special interest group.

With regard to people, the guidelines recommend creating and maintaining a culture of security within the organization. Roles should be clearly defined and assigned based on a need-to-know standard to ensure that the minimum required number of employees have access to account information. Particular attention must also be given to home-based workers, fully evaluating additional risks and implementing controls accordingly.

Processes need to support company security objectives and reduce opportunities for fraud. Among the guidelines is the suggestion that companies implement a policy that excludes materials and devices from the telephone environment that could be used to record data.They also recommend that companies monitor their telephone areas and install access controls.

As for technology, the guidelines stress the need for companies to minimize employees’ possible exposure to account data. A main element of this strategy is that technologies should be secured and checked regularly for viruses, other malware, and signs of physical tampering, including the unauthorized use of keyboard-logging devices or screen-capturing programs. And finally, home-based and remote workers should always use multifactor authentication when connecting to the telephone environment and related systems used to process account data.

“Overall, the new guidelines make several much-needed clarifications, and I’m glad to see them updated. They should help lead to less confusion in the marketplace and more standardization around securing payment card data over voice channels,” Rafferty states.