Protecting Telephone-Based Payment Card Data

For businesses that handle card data through mail order/telephone order (MOTO) transactions, particularly those taking payments over the telephone, including those using VoIP solutions, the PCI Security Standards Council has published an update to the Information Supplement: Protecting Telephone-Based Payment Card Data. Its aim is to help these businesses secure card data in a manner consistent with PCI DSS.


This update arrives more than seven and a half years after the original document was released in March 2011. It is definitely an improvement on its predecessor, inasmuch as it provides detail where the original didn’t. And rightly so. Although, technically speaking, not much has changed and VoIP still runs over UDP, these days we are witnessing a new, tighter integration of these systems with everything else: CRMs, billing, mailing, customer reward schemes, customer behavior tracking systems, and so on. Why does that matter? It matters because these systems may have some form of access to card data. Or, simply, because when PCI DSS says your VoIP is in scope, you need to look at all the other systems that are connected to the same network or can impact the security of the CDE, scratch your head and think magic words such as “segmentation”.
But how is VoIP a channel for attack vectors? Well, it is. An unlikely channel, or rather one that is not overtly popular yet, but a channel nevertheless. UDP provides a convenient stateless transport that can be (and is) used to disguise malicious traffic inside streaming sessions. The reason we don’t hear much about these types of attacks is probably that they just haven’t gained momentum yet, or, even worse, that businesses are simply not aware they are happening.


Telephony systems touching card data have always been required to be in scope of PCI DSS. Up to now, they have largely been neglected or avoided altogether. This needs to change in light of everything said so far. There are a number of pointers in the guide that are likely to raise an eyebrow, seemingly because they ask the business to bear the brunt of more stringent and resource-consuming changes to technology, people and process. Yet, with telephony systems in scope of PCI DSS now more than ever, and with the new detail provided in the November 2018 release of the Supplement, owners and QSAs alike are faced with the need to come up with clever, inexpensive and doable ways to segment their VoIP systems, where possible, so they comply with PCI DSS without it costing them an arm and a leg.

What is Penetration Testing?

In the world of information security, Penetration Testing is the practice of checking and testing an organization’s network, servers and services for loopholes and vulnerabilities that an attacker could exploit.


Penetration testers are called white hats. They perform hacking in an ethical way, without causing any damage to the computer systems, thereby strengthening the security perimeter of your organization.


Penetration Testing is required because it highlights flaws in hardware and software system design and operation and, quite importantly, in personnel readiness. Early identification helps protect the network; if vulnerabilities aren’t identified early, they become an easy intrusion point for an attacker.

Where to Start with Your Risk Management?

Understanding and identifying risks is essential to a well-built and sustainable business. Being in touch with the threats and the ways to counter them is essential for a safer working environment.


Risk Management is the most important instrument of Information Security Governance. It provides a framework for the assessment and successful management of risks. Sadly, this is something usually done poorly, or even neglected completely, by a surprisingly large number of organizations today. Risk management allows companies to devise and implement economically viable risk counter-measures. All activities involve risks, which are in turn a function of threats, vulnerabilities and impact. Properly identifying weaknesses and assessing the associated risks is essential, and pays off in the long run.

The Role and Purpose of Training & Awareness in Information Security


Do not be alarmed to find your organization somewhere in the first couple of levels of the diagram below. Awareness is the first step, and you have much to gain just by educating your personnel, or just yourself.




Team Development, Internal Audit & Control 101

The development of a company’s employees is of major importance. Ultimately, progress and growth are what everyone is after, but for that to happen, processes, workflow and ethics must all be under control.

In order to create a secure operations environment, an organization needs to build its structure and staff it in line with a proper approach to the human factor in Information Security. Failing to do so usually results in a lack of direction, misplaced responsibility and, ultimately, operational disruptions.


THE TOP-DOWN APPROACH – Information Security is never built from the bottom up. Do not assume that everyone in the organization is tuned in to what needs to be done regarding Information Security, and how. The major roles are usually defined as:


Senior Management – creates the information security program, ensures proper and adequate staffing and funding, and gives it organizational priority. It is responsible for ensuring that organizational assets are protected.
