Semafone warns of stricter checks and invasive auditing for contact centres
Semafone, a leading provider of data security and compliance solutions for over-the-phone payments, has called on contact centres to pay heed to changes to the Payment Card Industry Security Standards Council (PCI SSC) guidance for protecting telephone-based payment card data. Updated for the first time since 2011, the guidance clarifies a number of points relating to compliance with the Payment Card Industry Data Security Standard (PCI DSS). The key points of the new guidance, highlighted by Semafone, are as follows:
Keep softphones separate. The emergence of VoIP and softphones, which are often connected to the desktop environment processing payments, can result in the entire system becoming ‘in scope’ of PCI DSS and subject to its stringent controls. As a result, it is strongly recommended that contact centres fully segment their data and telephony networks.
www.intelligentciso.com | Issue 09
Third-party service providers are in scope if they provide more than a dial tone. The new guidance specifies that any call service, from a ‘transfer’ to a ‘call recording’, that is provided by a third party will bring that provider into scope of the PCI DSS. The only service that is exempt is a simple voice communications connection, or ‘dial tone’.
Devices that control Session Initiation Protocol (SIP) redirection are in PCI DSS scope. The new guidance recognises that redirecting a call to a secured line, just for the payment process itself, exposes it to a potential risk of interception or diversion by hackers. As a result, all such devices, on or off site, controlling redirection are vulnerable and therefore fall into the scope of PCI DSS and are subject to the full range of controls.
Any cardholder data captured in call recordings brings more checks than ever. Qualified Security Assessors (QSAs) now have clear guidelines regarding call recordings and the capture of sensitive card details. Both manual and automated ‘pause and resume’ systems, whereby recording is briefly stopped, are deemed to run the risk of accidentally capturing these details. If a contact centre is using either of these solutions, QSAs can demand extensive evidence of measures to protect sensitive data. Multi-factor authentication controls need to be added to call recording solutions, as well as to storage and search tools, and QSAs are empowered to conduct invasive auditing to ensure that additional controls have been put in place effectively.

Removing the card data from the contact centre is the only secure solution. Lastly, the updated guidance recommends scope reduction techniques and technologies, including managed and unmanaged dual-tone multi-frequency (DTMF) masking solutions, such as Semafone’s Cardprotect. These solutions entirely remove cardholder data and other personal information from the contact centre environment.