“A real game changer”

In November 2018, the global PCI Security Standards Council published its long-awaited new Information Supplement entitled Protecting Telephone-based Payment Card Data.

John Greenwood, Executive Director of Compliance3 and a contributor to Syntec’s recent white paper on PCI DSS in contact centers sums up his views on the new guidelines as follows:

“These guidelines are a real game changer. Not just for the merchants transacting with customers over the telephone or via their contact center infrastructure, but for the supply chain supporting those contact centers. The contact center service providers who are not carriers but supply voice and digital services from their hosted infrastructure. My belief is that whilst there has been a real focus on data security over recent years through GDPR, the business community simply needs to wake up to the fact that cyber-crime is shifting towards more vulnerable transaction channels and that the telephone, specifically the contact center, is going to be next”.

Commenting on the 70-page document in just 5 bullet points does not do it complete justice of course, but John puts these as his top 5:

1. The guidelines have been written for a wide audience specifically including QSAs and acquirers, so as to ensure a consistent message across both merchants and third party service providers
2. There is a change of emphasis from the previous 2011 guidelines – from securing recorded payment card data to securing spoken card data – which means clarity on spoken payment card data being in scope, VoIP being in scope and that telephone service providers (who are not carriers) are also in scope
3. There is a real focus on the reader by looking at simple and complex environments when discussing securing people, processes and technology.
4. It makes strategic decision clearer by providing 4 options to secure telephone payments:
   1. Don’t take payments over the phone
   2. Apply all applicable Requirements and Controls to all the Card Data Environment (CDE)
   3. Reduce the CDE e.g. network segmentation and / or deploy Pause & Resume to take the call recorder and call recording storage out of scope, then apply all applicable Requirements and Controls to a smaller CDE or
   4. Deploy technology to eliminate the CDE – which is something we are seeing from the PCI Security Standards Council for the first time.
5. The document then offers a simple classification of technologies that help eliminate the CDE. Firstly, by asking the reader to make a choice about their customer experience by distinguishing between Attended (maintaining voice contact between agent and customer) and Unattended (fully automated IVR or broken voice contact between agent and customer). Then by offering the reader a choice between Telephony based technologies and Digital technologies highlighting that both technology types are globally available in Attended and Unattended formats. Where the Council cannot go of course is to address how the reader should go about making those choices, leaving a big gap on what the reader does next to achieve compliance and deliver the right balance between CX, risk and cost.

Hopefully these pointers will help you to approach the rather daunting task of digesting these important guidelines for your organization with less trepidation, as well as to consider new technology approaches such as CDE elimination using DTMF masking when weighing up the options and risks.