securing telephone -based card payment data an ... implications presentation.pdf · an introduction...

v1.2

Securing telephone-based card payment data

An introduction to the new PCI SSC information supplement on delivering PCI DSS compliance in the MOTO channel

World leading experts in achieving and maintaining PCI DSS compliance in contact centres. Partnering with Ciptex to deliver Compliance as a Service.

Post on 29-May-2020


TRANSCRIPT

Page 1:

v1.2

Securing telephone-based card payment data

An introduction to the new PCI SSC information supplement on delivering PCI DSS compliance in the MOTO channel

World leading experts in achieving and maintaining PCI DSS compliance in contact centres. Partnering with Ciptex to deliver Compliance as a Service.

Page 2:

1. The PCI DSS in a nutshell

2. The PCI Security Standards Council (PCI SSC) position

3. Introduction to PCI SSC’s new information supplement on securing telephone-based card payment data

Discussion Points

Page 3:

1. The PCI DSS in a nutshell

Established by the payment card schemes as a unified standard that baselines the minimum data security requirements necessary to protect payment card data within the merchant environment and the supporting secure payments ecosystem, meaning the issuers, acquirers and payment gateways that support the merchant.

• Enron – SOX – Forcing the payment card schemes to understand where their risk is
• Global security standard made up of 12 Requirements and 353 Controls
• External audit and Self Assessment applied to the merchant and supporting ‘secure payments ecosystem’ based on the volume of payments processed, the payment channel being assessed and status as a third party service provider
• PCI Security Standards Council – Incorporated 16th Sept 2006
• PCI DSS v3.2.1 – 7th iteration, 139 pages, from the original v1.0 of 12 Requirements over 17 pages
• Supporting structure of guidelines, Special Interest Groups (SIGs) and training

Page 4:

Page 5:

1. The PCI DSS in a nutshell

WHY?

It’s all about protecting the payment card data and recovering the cost of fraud

• It’s the payment card schemes that pay out to the customer in the event of fraud
• The payment card schemes then recover their costs via their ‘franchise agreement’ with acquirers, and the acquirers through their contract with the merchant
• Via Account Data Compromise (ADC) penalties and costs
• The acquirers then recover their costs of reporting compliance via annual enrolment fees for online portals taking merchants through abbreviated SAQ questionnaires

Recover cost of risk via
• Non-Compliance Fees – Charged per MID per month
• Additional Risk Fees – Charged per transaction for all transactions other than Chip & PIN, e.g. Worldpay Premium Transaction Charges (PTCs)

Page 6:

2. The PCI SSC position

Working with acquiring banks to support a channel-by-channel approach to achieving and maintaining PCI DSS compliance

• Recognition that as payment card data is better secured by channel, driven by the evolution of the DSS, the focus of cyber crime is shifting to more vulnerable channels
• Previous Secure Telephone Payment Guidelines published in 2011 against version 2.0. New Guidelines drafted 2016/17 with the SIG, March 2018
• Technical lead from Compliance3. Published globally 27th November 2018

“If you limit exposure of payment data in your systems, you simplify compliance and reduce the chance of being a target for criminals.”

Troy Leach, CTO, PCI Security Standards Council, Dec 2016

Page 7:

2. The PCI SSC position

• The PCI SSC acknowledges that organised crime is moving towards the MOTO channel and the new guidelines supporting telephone payments are a big step forward in raising awareness
• Contact centres are vulnerable and at greater risk of criminal activity because of the presence of spoken card data (GDPR/DPA 2018)
• Updated guidance on securing telephone-based card payment data – a document for a changing communication environment

Which means?

Page 8:

3. The new information supplement

• Change of focus – securing recorded to securing spoken account data

• Spoken account data – impact on scope in simple and complex environments

• VoIP in scope - and rewrite of FAQ 1153

• People, process and technology – in simple and complex environments

• Management of risk - through the reduction of scope - No CDE

• Classification of technology types – Attended/Unattended + Telephony/Digital

• Wide audience – QSA, acquirer, card issuer, payment service provider, contact service provider, telephone service provider and merchants

Themes

Page 9:

3. The new information supplement

2011 document

• 12 pages, 3 sections (inc. summary), 1 table and 1 decision-making flow diagram
• Focus on securing call recordings

2018 document

• 70 pages, 7 sections supported by 8 appendices, 16 diagrams, 5 tables and decision-making flow diagrams
• Focus on people, process and technology, simple & complex environments
• Focus on a wider range of scope reduction technologies
• Introduction of the concept of ‘no CDE’

Size and Structure

Page 10:

3. The new information supplement

• Widening of what is to be secured

• From securing the ‘recording of the spoken account data’ to ‘securing spoken account data’ AND ‘managing legacy call recordings’

• Clarity on the positioning of pause resume

Section 6.5 on page 36.

“Whilst a properly implemented pause-and-resume solution could reduce applicability of PCI DSS by taking the call-recording and storage systems out of scope the technology does not reduce PCI DSS applicability to the agent, the agent desktop environment, or any other systems in the telephone environment.”

Change of Focus

Page 11:

3. The new information supplement

Clarity on pause resume

Page 12:

3. The new information supplement

Spoken account data & VoIP in scope: a game changer for the telephone service provider community

Third Party Service Provider (TPSP) definition. Page 13.

A business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This also includes companies that provide services that control or could impact the security of cardholder data. Examples include managed service providers that provide managed firewalls, IDS and other services as well as hosting providers and other entities. If an entity provides a service that involves only the provision of public network access—such as a telecommunications company providing just the communication link—the entity would not be considered a service provider for that service (although they may be considered a service provider for other services).

Page 13:

3. The new information supplement

Telephone Service Providers – Table 5 (column headings: OUT / IN)

Page 14:

New text for FAQ 1153 & Appendix E VoIP

PCI DSS requirements apply wherever payment card account data is stored, processed, or transmitted. While PCI DSS does not explicitly reference the use of VoIP, VoIP traffic that contains payment card account data is in scope for applicable PCI DSS controls, just as other IP network traffic containing payment card account data would be. VoIP transmissions originating from an external source and sent to an entity’s environment are not considered within the entity’s PCI DSS scope until the traffic reaches the entity’s infrastructure. This is because an entity cannot control the method of inbound phone calls that their customers and other parties may make, including whether any payment card account data sent over that transmission is being adequately protected by the caller. An entity is considered to have control over the transmission, storage and processing of VoIP traffic within their own network and up to the external perimeter of their infrastructure. The following guidance is intended to assist with PCI DSS scoping for VoIP in different scenarios.

Internal transmissions: VoIP traffic containing payment card account data is in scope for applicable PCI DSS controls wherever that traffic is stored, processed or transmitted internally over an entity’s network.

External transmissions to other business entities (business-to-business): Where an entity uses VoIP for transmission of payment card account data to another business—for example, a service provider or payment processor—the entity’s systems and networks used for those transmissions are in scope. Where an entity has end-to-end control over the VoIP connection, the transmission is also in scope for applicable PCI DSS controls. Where an entity cannot control the entire connection—for example, where the transmission passes through multiple telephone carriers between the two entities—the VoIP transmission is within the entity’s scope only while the transmission is under control of the entity’s infrastructure. This is because the entity does not control how the VoIP traffic will be routed outside of the entity’s infrastructure or if all the telephone carriers can support secure connections.

External transmissions to/from cardholders: Where VoIP is used for transmissions of payment card account data between a cardholder and an entity, the entity’s systems and networks used for those transmissions are in scope. Securing the VoIP transmission outside of the entity’s infrastructure is not considered within the entity’s scope, as the entity cannot control the methods used by the cardholder to make and receive phone calls. This applies regardless of whether the transmissions are initiated by the entity or the cardholder.

Page 15:

Impact of spoken CHD on scope

PCI DSS compliance in contact centres – delivered.

Page 16:

3. The new information supplement

People, process and technology

Fundamental to the structure and core approach of the DSS

Sections 3, 4 and 5, pages 17 to 26.

Covers securing a card data environment

• Looks at simple (office-based) and complex (contact centre) telephone environments
• Focus on using diagrams and supporting text
• Covers a wide range of subject matter

Page 17:

3. The new information supplement

People, process and technology

Page 18:

3. The new information supplement

Reduce scope – reduce risk

“If you limit exposure of payment data in your systems, you simplify compliance and reduce the chance of being a target for criminals.”

Troy Leach, CTO, PCI Security Standards Council, Dec 2016

• Option 1 – Don’t take payments over the phone
• Option 2 – Apply all applicable controls to the whole CDE
• Option 3 – Apply all applicable controls to a reduced CDE (segmentation or technology)
• Option 4 – Apply technology to have no CDE

• Merchant – SAQ A approach within a channel-by-channel payments compliance strategy (5 Requirements and 24 Controls rather than SAQ D’s 12 Requirements and 329 Controls)
• TPSP – Reduced SAQ D SP (from 12 Requirements and 353 Controls down to 2 Requirements and 57 Controls)

Page 19:

Appendix C – page 50

Page 20:

Technology classifications

TELEPHONY SOLUTIONS

UNATTENDED – Agent NOT present for the entire duration
• Fully automated IVR – Press 1, Press 2
• Automated Voice Recognition / BOT
• Agent passes the call to an automated IVR to progress the payment part of the call without the agent present on the call (even if the telephony connection remains intact)

ATTENDED – Agent present for the entire duration of the transaction
• Network based DTMF – All call traffic
• On-Premise DTMF – All call traffic
• On-Premise DTMF – Payment calls only
• Hosted DTMF – All call traffic
• Hosted DTMF – Payment calls only
• Pause Resume – Manual & Automated

DIGITAL SOLUTIONS

UNATTENDED – Agent NOT present for the entire duration
• Embedded secure hyperlinks via electronic documents or email
• Automated secure hyperlinks via SMS and / or email
• BOT driven secure hyperlinks via SMS, chat and / or social media

ATTENDED – Agent present for the entire duration of the transaction
• Agent initiated secure hyperlinks via SMS and / or email
• Agent initiated secure hyperlinks via web chat
• Agent initiated secure hyperlinks via social media

Page 21:

It’s all about the customer experience

Page 22:

Comparing technology types

Both technology types prevent account data entering the contact centre environment.

* Telephony solutions using DTMF tones are subject to a number of industry patents. These patents cover the ‘clamping’ process and ‘other’ deployment methodologies. Buyers should ensure relevant warranties are in place from vendors to protect against scenarios arising from IP ownership challenges.
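The pause-and-resume quotation from section 6.5 (page 10 above) and the comparison above turn on one point the slides state but do not show: which parts of a call each component actually receives. The Python below is an added example, not code from the presentation or from Compliance3 or Ciptex. It pushes a constructed call through a pause-and-resume recorder and through a DTMF clamp and reports which components handled cardholder data. The event model, the Call class and the function names are assumptions made for this illustration; the card number is the standard 4111 1111 1111 1111 test PAN.

```python
"""Pause-and-resume recording versus DTMF masking ("clamping") for an
attended telephone payment. Added example, not the presentation's code.

Assumptions (not in the original): a call is a list of events, each a
(kind, value, is_chd) tuple; kind is "speech" or "dtmf" and is_chd marks
an event carrying cardholder data. The PAN is the 4111... Visa test number.
"""
from dataclasses import dataclass, field

CLAMP_TONE = "*"   # constant tone substituted for each masked DTMF digit


@dataclass
class Call:
    """Where each event ends up; entries are (kind, value, is_chd) tuples."""
    agent: list = field(default_factory=list)
    recorder: list = field(default_factory=list)
    payment_service: list = field(default_factory=list)


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test on a digit string (a keying-error test only)."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def pause_resume(events, pay_start, pay_end) -> Call:
    """Recorder stopped for events [pay_start, pay_end); nothing else changes.
    The agent still hears the PAN and re-keys it to the payment service."""
    call = Call()
    for i, ev in enumerate(events):
        call.agent.append(ev)
        if not (pay_start <= i < pay_end):
            call.recorder.append(ev)
        if ev[2]:               # agent keys the CHD into the desktop
            call.payment_service.append(ev)
    return call


def dtmf_clamp(events) -> Call:
    """DTMF digits are intercepted before the agent or recorder: both get
    CLAMP_TONE per digit, only the payment service gets the digit itself.
    Spoken audio passes untouched. Same logic for network, hosted or
    on-premise clamps; only the location of this code differs."""
    call = Call()
    for kind, value, is_chd in events:
        if kind == "dtmf":
            call.agent.append(("dtmf", CLAMP_TONE, False))
            call.recorder.append(("dtmf", CLAMP_TONE, False))
            call.payment_service.append((kind, value, is_chd))
        else:
            call.agent.append((kind, value, is_chd))
            call.recorder.append((kind, value, is_chd))
    return call


def systems_holding_chd(call: Call) -> set:
    """Components that received at least one CHD event: each is in scope."""
    return {name for name, evs in vars(call).items()
            if any(is_chd for _, _, is_chd in evs)}


def pan_received(call: Call) -> str:
    """Digits the payment service actually received, keyed or spoken."""
    return "".join(ch for _, value, is_chd in call.payment_service
                   if is_chd for ch in value if ch.isdigit())


def build_call(pan: str, keyed: bool):
    """Constructed sample call. keyed=True: caller keys the PAN on the
    handset (clamp scenario); keyed=False: caller reads it aloud."""
    events = [("speech", "Agent: I can take that payment now.", False),
              ("speech", "Caller: OK.", False)]
    if keyed:
        events += [("dtmf", d, True) for d in pan]
    else:
        grouped = " ".join(pan[i:i + 4] for i in range(0, len(pan), 4))
        events.append(("speech", "Caller: " + grouped, True))
    events.append(("speech", "Agent: Thanks, that has gone through.", False))
    return events


def demo() -> dict:
    pan = "4111111111111111"          # constructed test PAN, not a live card
    spoken = build_call(pan, keyed=False)
    chd_idx = [i for i, ev in enumerate(spoken) if ev[2]]
    pr = pause_resume(spoken, chd_idx[0], chd_idx[-1] + 1)
    clamped = dtmf_clamp(build_call(pan, keyed=True))
    return {
        "pause_resume": sorted(systems_holding_chd(pr)),
        "dtmf_clamp": sorted(systems_holding_chd(clamped)),
        "agent_saw_digits": any(v.isdigit() for k, v, _ in clamped.agent
                                if k == "dtmf"),
        "payment_service_pan_valid": luhn_ok(pan_received(clamped)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Pause-and-resume leaves the recorder clean, but the agent, and therefore the desktop, still holds the PAN, which is exactly the point of section 6.5. With the clamp, only the payment service (and the clamp code itself, modelled here by dtmf_clamp) ever sees the digits; whether that clamp is network based, hosted or on-premise then decides whether any of it sits inside the merchant’s own environment, which is what the ‘no CDE’ option on page 18 depends on. A real deployment must mask the tones in the audio path as well as the digit events, and the Luhn check is a keying-error test, not a security control.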

Page 23:

Cost v Experience

Chart: Cost of Ownership plotted against Customer Experience for four technology groups – Attended telephony (all implementation options), Unattended telephony (all implementation options), Attended digital and Unattended digital. Impact depends on acquirer, level of chargebacks and business sector. Source: Compliance3 PCI Technology Review 2016 - 2018.

NOTE – Digital solutions can make a positive contribution to a merchant’s bottom line due to the difference in Premium Transaction Charges (PTCs).

Page 24:

Getting the balance right

How do entities deliver the right balance between customer / employee experience, cost and risk?

Page 25:

Partnering with Ciptex to deliver Compliance as a Service

Helping merchants deliver the right balance between customer experience, risk and cost.

For additional information please contact Steve Walker by emailing [email protected] or call +44 808 196 1676

Presentation created by John Greenwood from Compliance3 Partner of Ciptex Ltd.