{"id":187,"date":"2018-12-11T16:38:00","date_gmt":"2018-12-11T16:38:00","guid":{"rendered":"https:\/\/www.7sec.com\/blog\/?p=187"},"modified":"2021-06-10T12:57:45","modified_gmt":"2021-06-10T12:57:45","slug":"protecting-telephone-based-payment-card-data","status":"publish","type":"post","link":"https:\/\/www.7sec.com\/blog\/protecting-telephone-based-payment-card-data\/","title":{"rendered":"Protecting Telephone-Based Payment Card Data"},"content":{"rendered":"\r\n<p>For those businesses that deal with card data through mail order\/telephone order (MOTO) transactions, particularly those conducting sales over the telephone, including the ones using VoIP solutions, the <a href=\"https:\/\/www.pcisecuritystandards.org\" target=\"_blank\" rel=\"noreferrer noopener\">PCI Security Standards Council<\/a> has come up with an update to the <a href=\"https:\/\/www.pcisecuritystandards.org\/documents\/Protecting_Telephone_Based_Payment_Card_Data_v3-0_nov_2018.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">Information Supplement: Protecting Telephone-Based Payment Card Data<\/a> in order to help these businesses secure card data in a manner that is consistent with <a href=\"https:\/\/www.7sec.com\/compliance\/pci-dss\/\" target=\"_blank\" rel=\"noopener\">PCI DSS<\/a>.<\/p>\r\n\r\n\r\n\r\n<p>This update comes more than seven and a half years after the original document came into play in March 2011. It is definitely an improvement on the progenitor, inasmuch as it provides detail where said progenitor didn\u2019t. And rightly so. Although, technically speaking, not much has changed and VoIP still runs over UDP, these days we are witnessing a new, tighter integration of these systems with everything else, including but not limited to CRMs, billing, mailing, customer reward schemes, and customer behavior tracking systems.<\/p>\r\n<h4>WHY DOES IT MATTER?<\/h4>\r\n<p>It matters because these systems may have some sort of access to card data. 
Or simply because, when PCI DSS says your VoIP is in scope, you need to look at all these other systems that are connected to the network or can impact the security of the CDE, scratch your head, and think of magic words, such as \u201csegmentation\u201d.<\/p>\r\n<h4>HOW IS VoIP A CHANNEL FOR ATTACK VECTORS?<\/h4>\r\n<p>Well, it is an unlikely channel, or rather, not overly popular yet, but a channel nevertheless. UDP is a connectionless, stateless transport, which can be (and is) used to disguise malicious code in streaming sessions. The reason we don\u2019t hear much about these types of attacks is that they probably just haven\u2019t gained speed yet or, even worse, that businesses are simply not aware they are happening.<\/p>\r\n<p>Telephone systems touching card data have always been required to be in the scope of PCI DSS. Up until now, they have largely been neglected or avoided altogether. In light of all we have said so far, it is evident this needs to change. There are a number of pointers in the guide that are likely to raise an eyebrow, seemingly because they would ask the business to bear the brunt of some more stringent and resource-consuming alterations to technology, people, and process in their organizations.<\/p>\r\n<p>Yet, with telephony systems in scope of PCI DSS, now more than ever, and the new detail provided in the November 2018 release of the Supplement, owners and QSAs alike are faced with the need to come up with clever and doable ways to segment their VoIP systems, where possible, so they comply with PCI DSS without it costing them an arm and a leg.<\/p>","protected":false},"excerpt":{"rendered":"<p>For those businesses that deal with card data through mail order\/telephone order (MOTO) transactions, particularly those conducting sales over the telephone, including the ones using VoIP solutions, The PCI Security Standards Council has come up with an update to the Information Supplement: Protecting Telephone-Based Payment Card 
Data in order to help these businesses secure card &hellip; <a href=\"https:\/\/www.7sec.com\/blog\/protecting-telephone-based-payment-card-data\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Protecting Telephone-Based Payment Card Data&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[2,5],"tags":[21,22,23,17,24,25],"class_list":["post-187","post","type-post","status-publish","format-standard","hentry","category-compliance","category-pci-dss","tag-cardholder-data","tag-moto","tag-payments","tag-pci-dss","tag-telephone-payments","tag-voip"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Protecting Telephone-Based Payment Card Data - Information Security Blog - 7Security<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.7sec.com\/blog\/protecting-telephone-based-payment-card-data\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Protecting Telephone-Based Payment Card Data - Information Security Blog - 7Security\" \/>\n<meta property=\"og:description\" content=\"For those businesses that deal with card data through mail order\/telephone order (MOTO) transactions, particularly those conducting sales over the telephone, including the ones using VoIP solutions, The PCI Security Standards Council has come up with an update to the Information Supplement: Protecting Telephone-Based Payment Card Data in order to help these 
businesses secure card &hellip; Continue reading &quot;Protecting Telephone-Based Payment Card Data&quot;\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.7sec.com\/blog\/protecting-telephone-based-payment-card-data\/\" \/>\n<meta property=\"og:site_name\" content=\"Information Security Blog - 7Security\" \/>\n<meta property=\"article:published_time\" content=\"2018-12-11T16:38:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-06-10T12:57:45+00:00\" \/>\n<meta name=\"author\" content=\"madmin\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"madmin\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.7sec.com\/blog\/protecting-telephone-based-payment-card-data\/\",\"url\":\"https:\/\/www.7sec.com\/blog\/protecting-telephone-based-payment-card-data\/\",\"name\":\"Protecting Telephone-Based Payment Card Data - Information Security Blog - 7Security\",\"isPartOf\":{\"@id\":\"https:\/\/www.7sec.com\/blog\/#website\"},\"datePublished\":\"2018-12-11T16:38:00+00:00\",\"dateModified\":\"2021-06-10T12:57:45+00:00\",\"author\":{\"@id\":\"https:\/\/www.7sec.com\/blog\/#\/schema\/person\/1abb37c561f43ccf0296b04701971f65\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.7sec.com\/blog\/protecting-telephone-based-payment-card-data\/\"]}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.7sec.com\/blog\/#website\",\"url\":\"https:\/\/www.7sec.com\/blog\/\",\"name\":\"Information Security Blog - 
7Security\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.7sec.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.7sec.com\/blog\/#\/schema\/person\/1abb37c561f43ccf0296b04701971f65\",\"name\":\"madmin\",\"sameAs\":[\"https:\/\/www.7sec.com\/blog\"],\"url\":\"https:\/\/www.7sec.com\/blog\/author\/madmin\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Protecting Telephone-Based Payment Card Data - Information Security Blog - 7Security","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.7sec.com\/blog\/protecting-telephone-based-payment-card-data\/","og_locale":"en_US","og_type":"article","og_title":"Protecting Telephone-Based Payment Card Data - Information Security Blog - 7Security","og_description":"For those businesses that deal with card data through mail order\/telephone order (MOTO) transactions, particularly those conducting sales over the telephone, including the ones using VoIP solutions, The PCI Security Standards Council has come up with an update to the Information Supplement: Protecting Telephone-Based Payment Card Data in order to help these businesses secure card &hellip; Continue reading \"Protecting Telephone-Based Payment Card Data\"","og_url":"https:\/\/www.7sec.com\/blog\/protecting-telephone-based-payment-card-data\/","og_site_name":"Information Security Blog - 7Security","article_published_time":"2018-12-11T16:38:00+00:00","article_modified_time":"2021-06-10T12:57:45+00:00","author":"madmin","twitter_card":"summary_large_image","twitter_misc":{"Written by":"madmin","Est. 
reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.7sec.com\/blog\/protecting-telephone-based-payment-card-data\/","url":"https:\/\/www.7sec.com\/blog\/protecting-telephone-based-payment-card-data\/","name":"Protecting Telephone-Based Payment Card Data - Information Security Blog - 7Security","isPartOf":{"@id":"https:\/\/www.7sec.com\/blog\/#website"},"datePublished":"2018-12-11T16:38:00+00:00","dateModified":"2021-06-10T12:57:45+00:00","author":{"@id":"https:\/\/www.7sec.com\/blog\/#\/schema\/person\/1abb37c561f43ccf0296b04701971f65"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.7sec.com\/blog\/protecting-telephone-based-payment-card-data\/"]}]},{"@type":"WebSite","@id":"https:\/\/www.7sec.com\/blog\/#website","url":"https:\/\/www.7sec.com\/blog\/","name":"Information Security Blog - 7Security","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.7sec.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.7sec.com\/blog\/#\/schema\/person\/1abb37c561f43ccf0296b04701971f65","name":"madmin","sameAs":["https:\/\/www.7sec.com\/blog"],"url":"https:\/\/www.7sec.com\/blog\/author\/madmin\/"}]}},"_links":{"self":[{"href":"https:\/\/www.7sec.com\/blog\/wp-json\/wp\/v2\/posts\/187","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.7sec.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.7sec.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.7sec.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.7sec.com\/blog\/wp-json\/wp\/v2\/comments?post=187"}],"version-history":[{"count":9,"href":"https:\/\/www.7sec.com\/blog\/wp-json\/wp\/v
2\/posts\/187\/revisions"}],"predecessor-version":[{"id":319,"href":"https:\/\/www.7sec.com\/blog\/wp-json\/wp\/v2\/posts\/187\/revisions\/319"}],"wp:attachment":[{"href":"https:\/\/www.7sec.com\/blog\/wp-json\/wp\/v2\/media?parent=187"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.7sec.com\/blog\/wp-json\/wp\/v2\/categories?post=187"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.7sec.com\/blog\/wp-json\/wp\/v2\/tags?post=187"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}