v1.2

Securing telephone-based card payment data
An introduction to the new PCI SSC information supplement on delivering PCI DSS compliance in the MOTO channel

World leading experts in achieving and maintaining PCI DSS compliance in contact centres
Partnering with Ciptex to deliver Compliance as a Service

Discussion Points
1. The PCI DSS in a nutshell
2. The PCI Security Standards Council (PCI SSC) position
3. Introduction to PCI SSC’s new information supplement on securing telephone-based card payment data
1. The PCI DSS in a nutshell

Established by the payment card schemes, as a unified standard, to baseline the minimum data security requirements necessary to protect payment card data within the merchant environment and the supporting secure payments ecosystem, which means the issuers, acquirers and payment gateways supporting the merchant.

• Enron – SOX – forcing the payment card schemes to understand where their risk is
• Global security standard made up of 12 Requirements and 353 Controls
• External audit and Self Assessment applied to the merchant and supporting ‘secure payments ecosystem’, based on the volume of payments processed, the payment channel being assessed and status as a third party service provider
• PCI Security Standards Council – incorporated 16th Sept 2006
• PCI DSS v3.2.1 – 7th iteration, 139 pages; the original v1.0 covered the 12 Requirements over 17 pages
• Supporting structure of guidelines, Special Interest Groups (SIGs) and training
1. The PCI DSS in a nutshell

It’s all about protecting the payment card data and recovering the cost of fraud.

WHY? It’s the payment card schemes that pay out to the customer in the event of fraud.
• The payment card schemes then recover their costs via their ‘franchise agreement’ with acquirers, and the acquirers through their contract with the merchant
• Via Account Data Compromise (ADC) penalties and costs
• The acquirers then recover their costs of reporting compliance via annual enrolment fees for online portals taking merchants through abbreviated SAQ questionnaires

Recover cost of risk via:
• Non-Compliance Fees – charged per MID per month
• Additional Risk Fees – charged per transaction for all transactions other than Chip & PIN, e.g. Worldpay Premium Transaction Charges (PTCs)
2. The PCI SSC position

Working with acquiring banks to support a channel-by-channel approach to achieving and maintaining PCI DSS compliance.
• Recognition that as payment card data is better secured by channel, driven by the evolution of the DSS, the focus of cyber crime is shifting to more vulnerable channels
• Previous Secure Telephone Payment Guidelines published in 2011 against version 2.0. New guidelines drafted 2016/17 with the SIG; technical lead from Compliance3 from March 2018. Published globally 27th November 2018
• “If you limit exposure of payment data in your systems, you simplify compliance and reduce the chance of being a target for criminals.” Troy Leach, CTO, PCI Security Standards Council, Dec 2016
2. The PCI SSC position

Which means?
• The PCI SSC acknowledge that organised crime is moving towards the MOTO channel, and the new guidelines supporting telephone payments are a big step forward in raising awareness
• Contact centres are vulnerable and at greater risk of criminal activity because of the presence of spoken card data (GDPR/DPA2018)
• Updated guidance on securing telephone-based card payment data – a document for a changing communication environment
3. The new information supplement

Themes
• Change of focus – from securing recorded to securing spoken account data
• Spoken account data – impact on scope in simple and complex environments
• VoIP in scope – and rewrite of FAQ 1153
• People, process and technology – in simple and complex environments
• Management of risk – through the reduction of scope – no CDE
• Classification of technology types – Attended/Unattended + Telephony/Digital
• Wide audience – QSA, acquirer, card issuer, payment service provider, contact service provider, telephone service provider and merchants
3. The new information supplement

Size and Structure

2011 document
• 12 pages, 3 sections (inc. summary), 1 table and 1 decision-making flow diagram
• Focus on securing call recordings

2018 document
• 70 pages, 7 sections supported by 8 appendices, 16 diagrams, 5 tables and decision-making flow diagrams
• Focus on people, process and technology, simple & complex environments
• Focus on a wider range of scope reduction technologies
• Introduction of the concept of ‘no CDE’
3. The new information supplement

Change of Focus
• Widening of what is to be secured
• From securing the ‘recording of the spoken account data’ to ‘securing spoken account data’ AND ‘managing legacy call recordings’
• Clarity on the positioning of pause-and-resume – Section 6.5 on page 36:

“Whilst a properly implemented pause-and-resume solution could reduce applicability of PCI DSS by taking the call-recording and storage systems out of scope the technology does not reduce PCI DSS applicability to the agent, the agent desktop environment, or any other systems in the telephone environment.”

3. The new information supplement

Clarity on pause-and-resume
3. The new information supplement

Spoken account data & VoIP in scope – a game changer for the telephone service provider community

Third Party Service Provider (TPSP) definition (page 13):

“A business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This also includes companies that provide services that control or could impact the security of cardholder data. Examples include managed service providers that provide managed firewalls, IDS and other services as well as hosting providers and other entities. If an entity provides a service that involves only the provision of public network access—such as a telecommunications company providing just the communication link—the entity would not be considered a service provider for that service (although they may be considered a service provider for other services).”

3. The new information supplement

Telephone Service Providers – Table 5 (which providers are IN and OUT of scope)
New text for FAQ 1153 & Appendix E – VoIP

PCI DSS requirements apply wherever payment card account data is stored, processed, or transmitted. While PCI DSS does not explicitly reference the use of VoIP, VoIP traffic that contains payment card account data is in scope for applicable PCI DSS controls, just as other IP network traffic containing payment card account data would be.

VoIP transmissions originating from an external source and sent to an entity’s environment are not considered within the entity’s PCI DSS scope until the traffic reaches the entity’s infrastructure. This is because an entity cannot control the method of inbound phone calls that their customers and other parties may make, including whether any payment card account data sent over that transmission is being adequately protected by the caller. An entity is considered to have control over the transmission, storage and processing of VoIP traffic within their own network and up to the external perimeter of their infrastructure.

The following guidance is intended to assist with PCI DSS scoping for VoIP in different scenarios.

Internal transmissions: VoIP traffic containing payment card account data is in scope for applicable PCI DSS controls wherever that traffic is stored, processed or transmitted internally over an entity’s network.

External transmissions to other business entities (business-to-business): Where an entity uses VoIP for transmission of payment card account data to another business—for example, a service provider or payment processor—the entity’s systems and networks used for those transmissions are in scope. Where an entity has end-to-end control over the VoIP connection, the transmission is also in scope for applicable PCI DSS controls. Where an entity cannot control the entire connection—for example, where the transmission passes through multiple telephone carriers between the two entities—the VoIP transmission is within the entity’s scope only while the transmission is under control of the entity’s infrastructure. This is because the entity does not control how the VoIP traffic will be routed outside of the entity’s infrastructure or if all the telephone carriers can support secure connections.

External transmissions to/from cardholders: Where VoIP is used for transmissions of payment card account data between a cardholder and an entity, the entity’s systems and networks used for those transmissions are in scope. Securing the VoIP transmission outside of the entity’s infrastructure is not considered within the entity’s scope, as the entity cannot control the methods used by the cardholder to make and receive phone calls. This applies regardless of whether the transmissions are initiated by the entity or the cardholder.
Impact of spoken CHD on scope

PCI DSS compliance in contact centres – delivered.