Understanding How PCI Compliance Applies to VoIP

A recent conversation at an industry event sparked this article. A question came up about how PCI applies to VoIP and what would our recommendations be to make comply with PCI.

Anyone who takes credit card/debit cards as a payment method should be taking an annual assessment from your merchant processor. The point of this is to help cut down / prevent credit card fraud which is a widely known global issue that seems to be growing over time not shrinking!

What is PCI?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment.

The Payment Card Industry Security Standards Council (PCI SSC) was launched on September 7, 2006 to manage the ongoing evolution of the Payment Card Industry (PCI) security standards with a focus on improving payment account security throughout the transaction process. The PCI DSS is administered and managed by the PCI SSC (www.pcisecuritystandards.org), an independent body that was created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB.). It is important to note that the payment brands and acquirers are responsible for enforcing compliance, not the PCI council. A copy of the PCI DSS is available here.

Why does PCI apply to VoIP?

Well, it's a loaded question that we will attempt to try and break down. Before we get deep, here are two pieces of reference material that are at the center of this question:

• https://www.pcisecuritystandards.org/documents/Protecting_Telephone_Based_Payment_Card_Data_v3-0_nov_2018.pdf
• https://pcissc.secure.force.com/faq/articles/Frequently_Asked_Question/Is-VoIP-in-scope-for-PCI-DSS/?l=en_US&fs=Search&pn=1&top=1

I can't control the phone company why is this a concern?

In a nutshell, what is out of your control is out of your control. Meaning, the public telephony switched network (PSTN) or any carrier service that you subscribe to from a telco, phone company, etc is not your problem as you can't control it. However, your network, your phone system, or ultimately, systems that can be secured need to be secured. It kind of makes sense.

I don't have any sophisticated phone tech that allows for credit card processing so I am in the clear right?

No, not quite. Just because you don't have a fancy automated system that collects payment information doesn't totally absolve you from this. If you take credit card information over the phone in a call than what you are able to secure needs to be secured.

Also, if you record your calls then those recordings now hold data that falls under PCI such as:

• Account Number
• Pin number
• Security Code
• Card Hold Name

So what if I don't take credit card numbers over the phone (or sms, chat, email) ever?

• Technically, if you don't take any credit card data verbally over the phone, through your Auto Attendant button presses (or via chat, sms, email) then no data is ever being recorded then most the consideration around PCI simply does not apply!

So what are the recommendations you can provide if I do take credit card info over the phone?

There are a lot of moving parts....

1. Minimize the risk!
   • Best Practices Around VoIP Technology
     • Install & Maintain a firewall 
     • Deploy VoIP solutions where your firewall / router can dynamically open a close ports as needed rather than leaving a wide range of ports open all the time.
     • Segregate your network's if possible where voice and data are logically split.
     • Regularly test security systems and processes
     • Encryption of Voice Stream containing PCI data
     • Ensure that systems such as IVR, for example, do not output cardholder data in any logs.
   • Best Practices Around VoIP Usernames & Passwords
     • Utilize strong and secure passwords
     • Ensure that workers use a multi-factor authentication process when connecting to the telephone environment or to any systems that process account data.
     • Disabling of unnecessary services and accounts, changing default passwords, and implementing a strong password policy. 
     • Ensure that personnel do not share user IDs and passwords.
   • Best Practices Around VoIP Access Control
     • Securing remote access, whether Internet or shell access, is paramount and must be done
     • Limit the locations that can access the phone system rather than leaving the system open to the world.
   • Best Practices Around Call Recording
     • PCI data should only be stored as necessary to meet the needs of the business and, to comply with local laws and regulations. If any PCI is stored, an appropriate data-retention policy to ensure that the data is stored only when absolutely necessary should be implemented. Storage should be kept to a minimum, and a secure disposal procedure should be in place to delete the data as soon as it is no longer needed.
     • Utilize a system that allows the user to stop-start call recording to prevent data from every making it into the call recording to start
       • Where pause-and-resume is used for call recordings, especially where initiated by the agent, it is recommended to verify that the call recordings do not contain PCI Data should be undertaken on a regular basis preferably weekly.
     • Limit access to call recordings
     • Configure firewalls and network controls to prevent unauthorized transmissions of call-recording data to any network segment or device without a legitimate business need to access this data.
     • Store call recording data that has PCI data offline if possible
     • Encrypt call recording data that has PCI data
     • Transfer recording with PCI data in a secure method
     • Allow only single call recordings to be retrieved or listened to, or only as specifically defined and authorized by a senior manager.
     • Assign responsibility for retrieved or listened-to call recordings and permit access only for the reason retrieved. Ensure recordings are securely deleted or destroyed when no longer needed
     • Backups and archives of the recording solution must also be protected
     • An Audit Log of Access to call or screen recordings should be tracking (see PCI DSS Requirement 10)
   • Best Practices Around Screen or Video Recording
     • The capture and storage of screens or video recordings where PCI data is visible must be equally secured
   • Best Practices Around Human Beings
     • Maintain a policy that addresses information security for all personnel
       • A policy should be in place to ensure that payment card data is protected against unauthorized viewing, copying, or scanning, in particular on desks.
     • Train your personnel on the security plan
       
       • All personnel having access to payment card data are in scope of PCI DSS and should be trained as per Requirements 12.6.1 and 12.6.2 and screened as detailed in Requirement 12.7.
       • As per Requirement 9.9.3, entities using points of interactions (POI) should provide training for personnel so they can identify and report any attempted tampering or suspicious behaviors.
     • Implement a security-awareness program (PCI DSS Requirement 12.6), delivered at the start of employment and at least annually thereafter, to make sure that all personnel are properly trained and knowledgeable about the business’s security policies and procedures. This includes reviewing security policies and procedures with all in-house and at-home/remote agents at least annually to ensure that security processes and procedures are not forgotten or bypassed. As a best practice, consider requiring personnel to acknowledge the security policy as part of their daily sign-in process.
     • Particular attention must be given to home workers. Some of the examples of controls may be difficult to implement. Organizations should evaluate the additional risks associated with processing account data in unsecured locations and implement controls accordingly. All staff should be made fully aware of the risks related to remote or home-working and what should be required to maintain the ongoing security of systems, processes, and equipment supporting the processing of telephone-based payment card data.
   • Best Practices around Chat / Email / SMS
     • Never send PCI data over an unencrypted, end-user messaging medium such as chat, social media, SMS (short message service)/text, or e-mail, or other non-encrypted communication channel.
   • Best Practices Around Network Technology
     • Maintain systems to secure configuration standards and regularly test for vulnerabilities.
     • Implement physical and logical controls for wired data networks, wireless data networks, and internal telephony VoIP networks
     • Ensure proper user authentication is implemented for all personnel, including staff, agents, administrators, and any third parties.
     • Restrict access to call-recording and CRM data containing PCI data to only those with a business need
     • Establish and maintain access logs tracking the user’s log-in account and corporate role.
     • For the home/remote worker supported as an extension of the entity’s network, make sure that their environment is secure in accordance with the PCI DSS
     • Track and monitor all access to network resources and cardholder data
   • Best Practices Around Desktop Systems
     • Desktops within the telephone environment may involve a variety of technologies, including desktop applications for payment acceptance, web browsers, iframes hosted by third parties to the agent organization, as well as virtual desktops, thin clients, remote desktop connections to other systems, or other applications intended to replace conventional workstations for contact center agents. Because these are the endpoints where agents hear payment card data spoken on a telephone then enter those data elements accordingly, the endpoint at which the agent enters the data is in scope for PCI DSS. This endpoint transmits payment card data, and the organization must consider applicable PCI DSS requirements for these systems, as well as for any connected-to or security-impacting systems around it.
     • Many organizations are leveraging newer features of telephone systems including the use of software phones (softphones) which are software programs used to make a voice call over the network. Softphones will typically be installed on an end user’s workstation with either a headset or a USB-style phone used for the conversation. It is important to note that the use of such systems to capture payment card account data would bring the workstation and probably the network it is connected to into PCI DSS scope.
     • Protect all systems against malware and regularly update anti-virus software or programs
2. Understand Who is Responsible for What!
   • The telco or service providers should have their own PCI DSS validation covering the services they provide, or they would need to be included in the entity’s PCI DSS assessment.
   • All the relevant service providers should be included in the telephony dataflow.
   • A clear understanding of where the responsibility of each service provider for securing the telephony infrastructure starts and ends, using diagrams that include clearly marked service demarcation points.
   • If at any point an entity stores, processes, or transmits account data within its environment, the entity’s systems and networks through which the account data is stored, processed, or transmitted fall within the scope of the PCI DSS, and applicable PCI DSS Requirements must be met irrespective of the type of network the entity has deployed.
     • For example, a VoIP network transmitting account data would be subject to the same PCI DSS requirements as would an internal IP-based network that transmits account data

As an MSP, what if I am simply reselling somebody else's technology?

As most things goes, this would depends on several variables but generally if you are offering a service under your brand to your end customer and then invoice them directly for said service then you as a service provider need to make sure you are complying with PCI and be ready to speak to it when your end customer comes knocking. 

What about credit card terminals / machines that connect to a merchant processor over VoIP?

You could immediately eliminate this conversation by having those terminals transact over IP or an Ethernet Cable rather than telephone line. This means that you don't need to worry about those units.

If you are interested in how bvoip can help with PCI surrounding VoIP don't hesitate to contact us.