Protecting Telephone-Based Payment Card Data

For those businesses that deal with card data through mail order/telephone order (MOTO) transactions, particularly those conducting sales over the telephone, including the ones using VoIP solutions, The PCI Security Standards Council has come up with an update to the Information Supplement: Protecting Telephone-Based Payment Card Data in order to help these businesses secure card data in a manner that is consistent with PCI DSS.

This update emerges after over seven and a half years since the original document came into play in March 2011. It is definitely an improvement on the progenitor, inasmuch as it provides detail where said progenitor didn’t. And rightly so. Although, technically speaking, not much has changed and VoIP still runs over UDP, these days we are witnessing a new, tighter integration of these systems with everything else. Including but not limited to CRMs, billing, mailing, customer reward schemes, customer behavior tracking systems, etc.


It matters because these systems may have some sort of access to card data. Or, simply because when PCI DSS says your VoIP is in scope, you need to look at all these other systems that are connected to the network or can impact the security of the CDE, scratch your head, and think of magic words, such as “segmentation”.


Well, it is an unlikely channel, or rather, not overtly popular yet, but a channel nevertheless. UDP provides a nice stateless connection that can be (and is) used to disguise malicious code in streaming sessions. The reason we don’t hear much about these types of attacks is they probably just haven’t gained speed yet, or even worse, businesses are simply not aware they are happening.

Telephone systems touching card data have always been required to be in the scope of PCI DSS. Up until now, they have largely been neglected or avoided altogether.  In light of all we said so far, it is evident this needs to change. There are a number of pointers in the guide that are prone to raise an eyebrow, seemingly because they would ask the business to bear the brunt of some more stringent and resource-consuming alterations to technology, people, and process in their organizations.

Yet, with telephony systems in scope of PCI DSS, now more than ever, and the new detail provided in the November 2018 release of Supplement, owners and QSAs alike are faced with the need to come up with clever and doable ways to segment their VoIP systems, where possible, so they comply with PCI DSS without it costing them an arm and a leg.

What is Penetration Testing?

In the world of information security, Penetration Testing is the practice of checking and testing the organization’s network, servers, and services for possible loopholes and vulnerabilities that an attacker may exploit.

Penetration testers are called white hats. They perform hacking in ethical ways, without causing any damage to the computer system, thereby increasing the security perimeter of your organization.


Penetration Testing is required because it helps you highlight the flaws related to hardware and software system design and operation, and quite importantly, personnel readiness. Early identification helps protect the network. If the vulnerabilities aren’t identified early, then they become an easy intrusion point for the attacker.


Hacking refers to exploiting system vulnerabilities and compromising security controls to gain unauthorized or inappropriate access to the system resources. It involves modifying a system’s or an application’s features to achieve a goal outside of the creator’s original purpose.

Ethical hacking involves the use of hacking tools, tricks, and techniques to identify vulnerabilities so as to ensure system security. It focuses on simulating techniques used by attackers to verify the existence of exploitable vulnerabilities in system security.


Penetration testing will make sense if you want to achieve the following goals:

  • identify the threats facing an organization’s information assets;
  • reduce the organization’s IT security costs and provide a better Return On Security Investment (ROI);
  • provide the organization with assurance: a thorough and comprehensive assessment of organizational security covering policy, procedure, design, and implementation;
  • gain and maintain certification to an industry regulation;
  • adopt best practices by conforming to legal and industry regulations;
  • test and validate the efficiency of security protections and controls. May lead to changing or upgrading the existing infrastructure of software, hardware, or network design;
  • evaluate the efficiency of network security devices such as firewalls, routers, and web servers;
  • focus on high-severity vulnerabilities and emphasize application-level security issues to development teams and management;
  • provide a comprehensive approach of preparation steps that can be taken to prevent upcoming exploitation.


Network Services Test: One of the most common types of penetration tests. Involves finding target systems on the corporate network, searching for openings in their base operating systems and available network services, and exploiting them. Some of these tests take place remotely across the Internet, targeting the organization’s perimeter networks. Others are launched locally, from the target’s own business facilities, to assess the security of their internal network or the DMZ from within, seeking the kinds of vulnerabilities an internal user could find.

Web Application Test: Looks for security vulnerabilities in web-based applications and/or programs deployed and installed, operational, and running on target environment and resources.

Wireless Security Test: Involves discovering a target’s physical environment, searching for unauthorized wireless access points, or authorized wireless access points that have security weaknesses or other issues.

Social Engineering Test: Attempts to get a user to reveal sensitive information, such as a password or any other sensitive data. These tests are quite often conducted over the phone, targeting selected help desks, users or employees, evaluating processes, procedures, and user awareness and reaction readiness.


During penetration testing, a pentester analyzes all security measures currently employed by the organization, searching for any design weaknesses, technical flaws, and other critical or predefined by the organization’s decision-makers vulnerabilities. There are three classic ways penetration testing is performed:

  • Black Box testing – simulates an attack from someone who is unfamiliar with the system, establishing externally “available” backdoors or other perimeter-breach opportunities.
  • Grey Box testing – simulates an attacker that has partial knowledge about the system.
  • White Box testing – simulates an attacker that has knowledge about the system.

Once all the tests are conducted, the pen tester prepares a comprehensive report that includes:

  • tests conducted;
  • test results;
  • testing methodology;
  • all vulnerabilities found;
  • respective countermeasures.

Finally, the pentester delivers the report to the executive, management, technical, and all other authorized audiences.

Besides standard scenarios based on the type of Pentesting (white box, gray box, black box) and territory (network, application, wi-fi, etc.), it is good to engage in developing and implementing scenarios that are most relevant to your environment and in accordance with your specific information risks. For example, the concept can be changed to reflect the possible behavior of a particular type of perpetrator that is important to you, taking into account various starting points:

  • Externally located person: has no initial knowledge of your infrastructure. They start by going to the coffee shop next to your office, and commence hacking…
  • Your own employee: usually receives standard pre-configured IT tools (laptop, tablet, phone, etc.) and human access – email, corporate portal, etc. Testing can show you how far such person can go with these tools and what possible damage they can inflict.
  • Your business partner: has access to your ERP system, service provisioning team, etc. Again, testing will evaluate how much this person can roam around and beyond their authorized access, and what they can inflict.
  • Any other starting point that is important to you in relation to your business operations.

For each starting point, your testing vendor should be able to, on your command, apply all types and variations of pentesting.


The course of Penetration testing involves defining the Scope, signing an Agreement, and working on Recommendations.


Determine which critical systems are to be tested and prepared for mitigation under an attack scenario. The scope can be determined by an external certification or compliance requirement (PCI DSS, for example), or simply by what management has chosen in order to achieve adequate security assessment.



A formal expression of will and agreement to proceed with testing under the determined scope, timing, and method. This is followed by a comprehensive report on the risks facing information systems that provides the necessary insight and guidance to secure operations.




In order to proceed to the next step, you should review the report that contains test results and proposed recommendations, filter through risk management mechanisms and follow up with appropriate governance or integration endeavors.

Where to Start with Your Risk Management?

Understanding and identifying risks is essential to a well-built and sustainable business. Being in touch with the threats and the ways to counter them is essential for a safer working environment.

Risk Management is the most important instrument for Information Security Governance. It provides a framework for the assessment and successful management of risks. Sadly, this is something usually poorly done or even neglected completely by a surprisingly large number of organizations today. Risk management allows companies to devise and implement economically viable risk counter-measures. All activities involve risks, which are in turn a derivative of threats, vulnerabilities, and impact. Properly identifying weaknesses and assessing the associated risks is essential, and pays off in the long run.

What are the methods applied?

There’s a wide spectrum of methods used for Risk Management today. For the most part, these methods consist of the following elements, performed, more or less, in the following order:

  • Identify and list assets;
  • Identify and characterize threats before they appear;
  • Assess the vulnerability of critical assets to specific threats;
  • Determine the possibility of risk and the consequences it may bring;
  • Identify ways to reduce or even remove risks;
  • Prioritize measures based on a strategy.

The general principle

Looking at the ideal Risk Management, a prioritization process is followed whereby the risks with the greatest loss (or impact) and the greatest probability of occurring are handled first, and risks with lower probability of occurrence and lower loss are handled in descending order.

In practice, on the other hand, the process of assessing overall risk is complex. On one hand, we have to consider the resources used to mitigate risks with a high probability of occurrence but lower loss. On the other, we have the mitigation resources for risks with high loss but a lower probability of occurrence. Balancing between these resources can often be mishandled.


the choices for addressing assessed risks

The first one is acceptance – sometimes it is cheaper to leave an asset unprotected to a specific risk instead of spending the money required to protect it. Acceptance cannot be done without considering the risk itself and all options possible.

The second is mitigation – involves deciding on the implementation of countermeasures aimed at lowering the risk to an acceptable level (as illustrated with the algorithm below). One should keep in mind, it is not possible to mitigate the risk entirely.

Next is transference – this is usually referred to as the “insurance scenario.” A conscious decision to hire an external company to assume the risk in return for remuneration. Transference of risk is also achieved through outsourcing, with its own risks.

Finally, avoidance – when risks discovered are high or extreme and cannot be easily mitigated, avoiding the risk (and the project altogether) may be the best option. The math here is simple: if you stand more to lose from mitigating the risk than what you will earn from this project, then avoidance is the way to go.


Risk Management is at the heart of Information Security, because it provides an important instrument to balance and rationalize countermeasure expense with business success and expected Return On Investment (ROI).

When opting for one of the choices for dealing with risks, one has to take into account something called the  Annualized Loss Expectancy (ALE), which is the expected monetary loss that can be expected for an asset due to risk over a one year period. ALE is derived from Single Loss Expectancy (SLE) multiplied by the Annualized Rate of Occurrence (ARO) and can be used to directly analyze cost vs. benefit.

Regarding Risk Management, if spending on threat countermeasures is considerably higher than that risk’s ALE, then it may not be worth the investment. Or, in other words, one must evaluate the positive impact countermeasures will have on ROI by making sure the expense is not larger than the ALE.

Risk Management is meaningful only when decisions are made based on meaningful risk analysis, which in turn involves preliminary processes such as penetration testing, vulnerability assessment, and objective audit.

The stages in the risk management process:


  • Obtain necessary data access to business process and operations structure;
  • Identify and notify participants and decision-makers;
  • Identify and distribute scope, objectives, and requirements;

Identifying risks:

  • Ensure participation of appropriate staff and management in risk assessment;
  • Review scope, objectives, and process;
  • Conduct risk identification, consolidate related risks;

Assessing & prioritizing risks:

  • Identify and obtain consensus on impact, severity, probability;
  • Identify time window when risk could occur;
  • Assess and prioritize all existing risks;

Deciding on control options:

  • Identify mitigation options for each risk;
  • Identify risks to be accepted, avoided, transferred, or mitigated;
  • Assign plan operative instructions for avoided, transferred, or mitigated risks;
  • Establish/update risk database;

Establishing mitigation plans

  • Develop draft mitigation plans and resources;
  • Obtain manager review and approval of mitigation plans;
  • Ensure mitigation plan is funded, directed, and integrated;

Implementing mitigation plans

  • Finalize Risk Management plan;
  • Devise mechanisms to monitor triggers, cues, and mitigation;
  • Implement mitigation as authorized, funded, and scheduled;
  • Provide reporting on mitigation results and progress;

Monitoring mitigation plans

  • Periodically review mitigation plan results;
  • Stop or modify mitigation plans and resources;
  • Retire risks when appropriate;
  • Update risk database for mitigation process and retirement.

The Role and Purpose of Training & Awareness in Information Security


Do not be alarmed to find out your organization is somewhere in the first couple of levels on the diagram below. Awareness is the first step, and you have much to gain by simply educating your personnel or just yourself.




Enterprises and organizations cannot protect the confidentiality, integrity, and availability of information in today’s highly networked systems environment without ensuring that all people involved in using and managing IT:

  • Understand their roles and responsibilities related to the organizational mission;
  • Understand the organization’s IT security policy, procedures, and practices;
  • Have at least adequate knowledge of the various management, operational, and technical controls required and available to protect the IT resources for which they are responsible.

As cited in audit reports, periodicals, conference presentations, and various other media, it is generally understood by the IT security professional community that people are one of the weakest links in attempts to secure systems and networks.

The “human factor” – not technology – is key to provide an adequate and appropriate level of security. If people are the key but are also a weak link, more and better attention must be paid to this “asset”.

A robust and enterprise-wide awareness and training program are paramount for ensuring that people understand their IT security responsibilities, organizational policies, and how to properly use and protect the IT resources entrusted to them.


A needs assessment is a process that can be used to determine an organization’s awareness and training needs. The results of a needs assessment can convince management to allocate adequate resources to meet the identified awareness and training needs.

In conducting a needs assessment, it is important that key personnel is involved. As a minimum, the following roles should be addressed in terms of any special training needs:

Executive Management – organizational leaders need to fully understand directives and laws that form the basis for the security program. They also need to comprehend their leadership roles in ensuring full compliance by users within their units.

Security Personnel (security program managers and security officers) – these individuals act as expert consultants for their organization and therefore must be well educated on security policy and accepted best practices.

System Owners – owners must have a broad understanding of security policy and a high degree of understanding regarding security controls and requirements applicable to the systems they manage.

System Administrators and IT Support Personnel – entrusted with a high degree of authority over support operations critical to a successful security program, these individuals need a higher degree of technical knowledge in effective security practices and implementation.

Operational Managers and System Users – these individuals need a high degree of security awareness and training on security controls and rules of behavior for systems they use to conduct business operations.

A variety of sources of information in an agency can be used to determine IT security awareness and training needs, and there are different ways to collect that information. Below is a sample list that suggests techniques for gathering information as part of a needs assessment:

  • Interviews with all key groups and organizations identified;
  • Organizational surveys;
  • Review and assessment of available resource material, such as current awareness and training material, training schedules, and lists of attendees;
  • Analysis of metrics related to awareness and training (e.g., a percentage of users completing required awareness session or exposure, percentage of users with significant security responsibilities who have been trained in a role-specific material);
  • Review of security plans for general support systems and major applications to identify system and application owners and appointed security representatives;
  • Review of system inventory and application user ID databases to determine all who have access;
  • Review of any findings and/or recommendations from oversight bodies (e.g., Congressional inquiry, inspector general, internal review/audit, and internal controls program) or program reviews regarding the IT security program;
  • Conversations and interviews with management, owners of general support systems and major applications, and other organization staff whose business functions rely on IT;
  • Analysis of events (such as denial of service attacks, website defacements, hijacking of systems used in subsequent attacks, successful virus attacks) might indicate the need for training (or additional training) of specific groups of people;
  • Review when technical or infrastructure changes are made;
  • The study of trends first identified in industry, academic, or government publications or by training/education organizations. The use of these “early warning systems” can provide insight into an issue within the organization that has yet to be seen as a problem.




Learning is a continuum; it starts with awareness, builds to training, and evolves into education. Security awareness efforts are designed to change behavior or reinforce good security practices.

Awareness is not training. The purpose of awareness presentations is simply to focus attention on security. Awareness presentations are intended to allow individuals to recognize IT security concerns and respond accordingly.

Training strives to produce relevant and needed security skills and competencies.

Education integrates all of the security skills and competencies of the various functional specialties into a common body of knowledge and strives to produce IT security specialists and professionals capable of vision and response.

Team Development, Internal Audit & Control 101

The development of a company’s employees is of major importance. Ultimately, progress and growth are what everyone’s after, but in order for that to happen, processes, workflow, and ethnicity must be all under control.

In order to create a secure operations environment, an organization needs to build its structure and staff it in line with the proper approach to the human factor in Information Security. Failing to do so usually results in a lack of direction, misplaced responsibility, and ultimately, operational disruptions.


Information Security is never built from the bottom up. Do not assume that everyone in the organization is tuned in to what (and how) needs to be done regarding Information Security. The major roles are usually defined as:

Senior Management – creates information security program and ensures proper and adequate staffing and funding and has organizational priority. Responsible for ensuring organizational assets are protected.

Data Owner (aka information owner or business owner) – a management employee responsible for ensuring the protection of specific data. Data classification, sensitivity labels, and the frequency of data backup are determined by this role.

Custodian – a role responsible for the actual protection of assets, performing tasks such as data backups and restoration, patch systems, etc., under detailed orders – Custodians do not make critical decisions on how data is protected.

User – the largest in number, yet major information security role. Users follow rules. For Users, it is mandatory to comply with policies, procedures, standards, etc. Working to raise awareness you can tell people how to do the right things at times when their behavior can make a difference in the security of the company.


These are fundamental operational security concepts that should be observed when organizing and structuring the staff of a company. These concepts are important because they do not only deal with personnel but permeate through multiple Information Security domains:

  • Least Privilege (aka Minimum Necessary Access) – dictates that all persons’ access is strictly bound to the minimum access required so they can perform their duties. This is the one, single, most important principle that administrative security controls revolve around.
  • Split-knowledge – a process in which certain portions of data have split access over multiple people, individually sharing no knowledge of the data in its entirety. Thus data can be subsequently inputted into, or output from, by the separate people to the extent they access to and can be combined to recreate the data in its entirety only by a person with access that would allow such actions.
  • Separation of duties – prescribes that multiple people are required to complete critical or sensitive transactions. The goal of separation of duties is to ensure that in order for someone to be able to abuse access to sensitive data or transactions, that person must convince another party to act in concert.
  • Rotation of duties/job rotation – a process in which staff members are required to perform the same duties interchangeably on a rotation schedule. By doing so, the company is more protected due to having varying people perform and review the work of their peers, who did the same job in the previous rotation. Rotation of duties helps mitigate a collision, where two or more people are in alliance to subvert the security of a system.
  • Mandatory leave/forced vacation – an additional operational control, closely related to a rotation of duties, with the primary security considerations being similar: reducing or detecting personnel single points of failure and the detection and deterrence of fraud. Forcing all employees to take leave can identify areas where the depth of coverage is lacking or can help reveal fraudulent or suspicious behavior.



While the diagram above provides a generic structure to illustrate how Information Security and Internal Audit are related both functionally and in terms of subordination and dependency, it is not to be applied blindly. When building one’s own structure, one should take into account the nature of the organization’s business, its existing structure as well as resource considerations. The Information Security Manager usually referred to as the Chief Information Security Officer (CISO) and their unit play a distinct role, which should not be confused with that of the Audit Committee (AKA The Internal Audit and Control Unit) as is further detailed below.


The Chief Information Security Officer (CISO) is the highest-ranking executive responsible for the establishment and maintaining the fundamental business concept, the company’s strategy, and programs to ensure assets and information technology appropriately protected.

The CISO directs staff in the identification, development, implementation, and maintenance of processes across the organization to reduce the information and information technology (IT) risks.

The CISO, and its staff, respond to incidents, establish appropriate standards and controls, manage security technologies, and guide the development and implementation of policies and procedures.

The CISO is also usually responsible for compliance related to company information.

The Internal Audit & Control Unit

The Internal Audit & Control Unit holds an inextricably independent function. Otherwise, it can become dysfunctional with sub-standard performance. There are many degrees in the level of independence and effectiveness, so a clear understanding of the business needs and circumstances is required.

The unit’s function is to provide a third level of control in the organization, which should be independent of the control of the first level – that of the top management of the company and of other units, such as legal, human resources, financial control, etc.

The unit establishes appropriate policies and procedures to guide the internal audit function, and ensure the quality of the assurance services delivered – all aligned and are consistent with the company’s objectives and governance policies.