Intelligent CISO Issue 9 - Page 57

Semafone warns of stricter checks and invasive auditing for contact centres

Semafone, a leading provider of data security and compliance solutions for over-the-phone payments, has called on contact centres to pay heed to changes to the Payment Card Industry Security Standards Council (PCI SSC) guidance for protecting telephone-based payment card data. Updated for the first time since 2011, the guidance clarifies a number of points relating to compliance with the Payment Card Industry Data Security Standard (PCI DSS).

The key points of the new guidance, highlighted by Semafone, are as follows:

Keep softphones separate. The emergence of VoIP and softphones, which are often connected to the desktop environment processing payments, can result in the entire system becoming ‘in scope’ of PCI DSS and subject to its stringent controls. As a result, it is strongly recommended that contact centres fully segment their data and telephony networks.

Third-party service providers are in scope if they provide more than a dial tone. The new guidance specifies that any call service, from a ‘transfer’ to a ‘call recording’, that is provided by a third party will bring that provider into scope of the PCI DSS. The only service that is exempt is a simple voice communications connection, or ‘dial tone’.

Devices that control Session Initiation Protocol (SIP) redirection are in PCI DSS scope. The new guidance recognises that redirecting a call to a secured line, just for the payment process itself, exposes it to a potential risk of interception or diversion by hackers. As a result, all such devices controlling redirection, on or off site, are vulnerable and therefore fall into the scope of PCI DSS and are subject to the full range of controls.

Any cardholder data captured in call recordings brings more checks than ever. Qualified Security Assessors (QSAs) now have clear guidelines regarding call recordings and the capture of sensitive card details. Both manual and automated ‘pause and resume’ systems, whereby recording is briefly stopped, are deemed to run the risk of accidentally capturing these details. If a contact centre is using either of these solutions, QSAs can demand extensive evidence of measures to protect sensitive data. Multi-factor authentication controls need to be added to call recording solutions, as well as to storage and search tools, and QSAs are empowered to conduct invasive auditing to ensure that the additional controls have been put in place effectively.

Lastly, the updated guidance recommends scope reduction techniques and technologies, including managed and unmanaged dual-tone multi-frequency (DTMF) masking solutions, such as Semafone’s Cardprotect. These solutions entirely remove cardholder data and other personal information from the contact centre environment.

‘Removing the card data from the contact centre is the only secure solution.’