Protecting Telephone-Based Payment Card Data

For those businesses that deal with card data through mail order/telephone order (MOTO) transactions, particularly those conducting sales over the telephone, including the ones using VoIP solutions, The PCI Security Standards Council has come up with an update to the Information Supplement: Protecting Telephone-Based Payment Card Data in order to help these businesses secure card data in a manner that is consistent with PCI DSS.

This update emerges after over seven and a half years since the original document came into play in March 2011. It is definitely an improvement on the progenitor, inasmuch as it provides detail where said progenitor didn’t. And rightly so. Although, technically speaking, not much has changed and VoIP still runs over UDP, these days we are witnessing a new, tighter integration of these systems with everything else. Including but not limited to CRMs, billing, mailing, customer reward schemes, customer behavior tracking systems, etc.

WHY DOES IT MATTER?

It matters because these systems may have some sort of access to card data. Or, simply because when PCI DSS says your VoIP is in scope, you need to look at all these other systems that are connected to the network or can impact the security of the CDE, scratch your head, and think of magic words, such as “segmentation”.

HOW IS VoIP A CHANNEL FOR ATTACK VECTORS?

Well, it is an unlikely channel, or rather, not overtly popular yet, but a channel nevertheless. UDP provides a nice stateless connection that can be (and is) used to disguise malicious code in streaming sessions. The reason we don’t hear much about these types of attacks is they probably just haven’t gained speed yet, or even worse, businesses are simply not aware they are happening.

Telephone systems touching card data have always been required to be in the scope of PCI DSS. Up until now, they have largely been neglected or avoided altogether.  In light of all we said so far, it is evident this needs to change. There are a number of pointers in the guide that are prone to raise an eyebrow, seemingly because they would ask the business to bear the brunt of some more stringent and resource-consuming alterations to technology, people, and process in their organizations.

Yet, with telephony systems in scope of PCI DSS, now more than ever, and the new detail provided in the November 2018 release of Supplement, owners and QSAs alike are faced with the need to come up with clever and doable ways to segment their VoIP systems, where possible, so they comply with PCI DSS without it costing them an arm and a leg.