DOCSLIB.ORG

Protecting Telephone-Based Payment Card Data

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Protecting Telephone-Based Payment Card Data Version: 3.0 Date: November 2018 Author: Protecting Telephone-Based Payments Special Interest Group PCI Security Standards Council Information Supplement: Protecting Telephone-Based Payment Card Data Information Supplement • Protecting Telephone-Based Payment Card Data • November 2018 Document Changes Date Document Version Description March 2011 2.0 Initial release. November 2018 3.0 Updated by PCI Special Interest Group. The intent of this document is to provide supplemental information. Information provided here does not i replace or supersede requirements in any PCI SSC Standard. Information Supplement • Protecting Telephone-Based Payment Card Data • November 2018 Contents Document Changes .................................................................................................................................................. i 1. Introduction ........................................................................................................................................................ 1 1.1 Objective ....................................................................................................................................................... 1 1.2 Audience ....................................................................................................................................................... 1 1.3 Using the document ...................................................................................................................................... 2 1.4 Terminology................................................................................................................................................... 3 2 Setting the Stage ............................................................................................................................................... 4 2.1 The Risk of Fraud .......................................................................................................................................... 4 2.2 People, Process, and Technology ................................................................................................................ 4 2.3 PCI DSS Applicability to Telephony Environments ....................................................................................... 4 2.3.1 Simple Telephone Environments............................................................................................................ 5 2.3.2 Complex Telephone Environments ........................................................................................................ 8 2.4 Telephony Considerations and Demarcation Points ................................................................................... 13 2.5 Systems and Networks Mistakenly Excluded from Scope .......................................................................... 15 2.6 Compliance validation ................................................................................................................................. 16 3 People ....................................................................................................................................................... 17 3.1 Risks and Guidance in Simple Telephone Environments ........................................................................... 17 3.2 Additional Risks and Guidance in Complex Telephone Environments ....................................................... 17 4 Process ....................................................................................................................................................... 19 4.1 Risks and Guidance in Simple Telephone Environments ........................................................................... 19 4.2 Additional Risks and Guidance in Complex Telephone Environments ...................................................... 19 5 Technology ....................................................................................................................................................... 21 5.1 Risks and Guidance in Simple Telephone Environments ........................................................................... 21 5.2 Additional Risks and Guidance in Complex Telephone Environments ....................................................... 22 5.2.1 Securing IT Infrastructure ..................................................................................................................... 22 5.2.2 Architectural Aspects ............................................................................................................................ 24 5.2.3 Desktop Systems .................................................................................................................................. 24 5.2.4 Softphones............................................................................................................................................ 24 5.2.5 Dual-Tone Multi-Frequency (DTMF) .................................................................................................... 24 5.2.6 Voice and Screen Recordings .............................................................................................................. 25 6 Approach to Scoping and Securing Telephone Environments .................................................................. 27 6.1 “No Cardholder Data Environment” Approach and Other Forms of Scope Reduction ............................... 28 6.2 Technologies, Overview, and Classifications .............................................................................................. 29 6.2.1 Attended Transactions .......................................................................................................................... 29 6.2.2 Unattended Transactions ..................................................................................................................... 30 6.3 Digital-based Attended and Unattended Solutions ..................................................................................... 31 6.4 Telephone-based Attended and Unattended Technologies ....................................................................... 32 6.4.1 Attended Telephony Technologies ....................................................................................................... 32 6.4.2 Unattended Telephony Technologies ................................................................................................... 35 The intent of this document is to provide supplemental information. Information provided here does not ii replace or supersede requirements in any PCI SSC Standard. Information Supplement • Protecting Telephone-Based Payment Card Data • November 2018 6.5 Other Common Forms of Scope Reduction ................................................................................................ 36 6.5.1 Pause-and-Resume .............................................................................................................................. 36 6.5.2 Outsourcing to a Specialist Third-party Service Provider ..................................................................... 38 6.5.3 Physical Segmentation ......................................................................................................................... 38 6.6 Additional Considerations ........................................................................................................................... 40 7 Third-party Service Providers ........................................................................................................................ 42 7.1 Impact on Scope ......................................................................................................................................... 42 7.2 Common Telephony-related Services ......................................................................................................... 43 7.2.1 Private Branch Exchange (PBX) Services ........................................................................................... 43 7.2.2 SIP Trunking ......................................................................................................................................... 43 7.2.3 Interactive Voice Response (IVR) ........................................................................................................ 43 7.2.4 Fraud Detection/Monitoring .................................................................................................................. 43 7.2.5 Voice Analytics ..................................................................................................................................... 43 7.2.6 Call Recording ...................................................................................................................................... 44 Appendix A: Glossary / Terminology ............................................................................................................... 46 Appendix B: Document Quick-reference Guide .............................................................................................. 49 Appendix C: Payment Call Environment-identification Tree ......................................................................... 50 Appendix D: Call Recording Decision-making Process ................................................................................. 51 D.1 Flowchart ..................................................................................................................................................... 51 D.2 Regarding SAD in
Load more

Recommended publications
  • Webrtc and XMPP
    webRTC and XMPP Philipp Hancke, XMPP Summit 2013 What is this webRTC thing … …and why should XMPP developers care? . I assume you know what XMPP is… . … you might have heard of Jingle . the XMPP framework for establishing P2P sessions . used for VoIP, filesharing, … . … you might have also heard about this webRTC thing . doing VoIP in the browser . without plugins . „no more flash“ . Do you want to know how it relates to XMPP ? Philipp Hancke © ESTOS GmbH 2013 2 What is webRTC? . P2P sessions between browsers . no servers involved in media transfer . using open standards . Javascript API in the browser . also an BSD-licensed C++ library from Google . Want to know more? . Listen to the evangelists! . Justin Uberti http://www.youtube.com/watch?v=E8C8ouiXHHk . Jose de Castro http://vimeo.com/52510068 . Cullen Jennings http://vimeo.com/cullenfluffyjennings/rtcwebexplained Philipp Hancke © ESTOS GmbH 2013 3 Initiating P2P sessions . initiate a P2P session between two browsers . negotiate media codecs, NAT traversal, etc . media is sent P2P . you need a session initiation protocol . SIP? . JSEP? . H.323? . Jingle! . webRTC does not mandate a signalling protocol . WG decision Philipp Hancke © ESTOS GmbH 2013 4 Call Flow - JSEP Philipp Hancke © ESTOS GmbH 2013 5 Jingle . You can use Jingle as signalling protocol . together with BOSH or XMPP over websockets in the browser . Demo later . But… . webRTC uses the Session Description Protocol as an API . Jingle does not use SDP . You need a mapping SDP -> Jingle -> SDP . Complicated, but doable . Topic for breakout Philipp Hancke © ESTOS GmbH 2013 6 Call Flow - Jingle Philipp Hancke © ESTOS GmbH 2013 7 webRTC-Jingle usecases .
    [Show full text]
  • The History of the Telephone
    STUDENT VERSION THE HISTORY OF THE TELEPHONE Activity Items There are no separate items for this activity. Student Learning Objectives • I will be able to name who invented the telephone and say why that invention is important. • I will be able to explain how phones have changed over time. THE HISTORY OF THE TELEPHONE STUDENT VERSION NAME: DATE: The telephone is one of the most important inventions. It lets people talk to each other at the same time across long distances, changing the way we communicate today. Alexander Graham Bell, the inventor of the telephone CENSUS.GOV/SCHOOLS HISTORY | PAGE 1 THE HISTORY OF THE TELEPHONE STUDENT VERSION 1. Like many inventions, the telephone was likely thought of many years before it was invented, and by many people. But it wasn’t until 1876 when a man named Alexander Graham Bell, pictured on the previous page, patented the telephone and was allowed to start selling it. Can you guess what “patented” means? CENSUS.GOV/SCHOOLS HISTORY | PAGE 2 THE HISTORY OF THE TELEPHONE STUDENT VERSION 2. The picture below, from over 100 years ago, shows Alexander Graham Bell using one of his first telephones to make a call from New York to Chicago. Alexander Graham Bell making a telephone call from New York to Chicago in 1892 Why do you think it was important that someone in New York could use the telephone to talk to someone in Chicago? CENSUS.GOV/SCHOOLS HISTORY | PAGE 3 THE HISTORY OF THE TELEPHONE STUDENT VERSION 3. Today, millions of people make phone calls each day, and many people have a cellphone.
    [Show full text]
  • Title: Communicating with Light: from Telephony to Cell Phones Revision
    Title: Communicating with Light: From Telephony to Cell Phones Revision: February 1, 2006 Authors: Jim Overhiser, Luat Vuong Appropriate Physics, Grades 9-12 Level: Abstract: This series of six station activities introduces the physics of transmitting "voice" information using electromagnetic signals or light. Students explore how light can be modulated to encode voice information using a simple version of Bell's original photophone. They observe the decrease of the intensity of open-air signals by increasing the distance between source and receiver, and learn the advantage of using materials with different indices of refraction to manipulate and guide light signals. Finally, students are introduced to the concept of bandwidth by using two different wavelengths of light to send two signals at the same time. Special Kit available on loan from CIPT lending library. Equipment: Time Required: Two 80-minute periods NY Standards 4.1b Energy may be converted among mechanical, electromagnetic, Met: nuclear, and thermal forms 4.1j Energy may be stored in electric or magnetic fields. This energy may be transferred through conductors or space and may be converted to other forms of energy. 4.3b Waves carry energy and information without transferring mass. This energy may be carried by pulses or periodic waves. 4.3i When a wave moves from one medium into another, the waves may refract due a change in speed. The angle of refraction depends on the angle of incidence and the property of the medium. 4.3h When a wave strikes a boundary between two media, reflection, transmission, and absorption occur. A transmitted wave may be refracted.
    [Show full text]
  • IP Telephony Fundamentals: What You Need to Know to “Go to Market”
    IP Telephony Fundamentals: What You Need to Know to “Go To Market” Ken Agress Senior Consultant PlanNet Consulting What Will Be Covered • What is Voice over IP? • VoIP Technology Basics • How Do I Know if We’re Ready? • What “Real” Cost Savings Should I Expect? • Putting it All Together • Conclusion, Q&A 2 What is Voice Over IP? • The Simple Answer – It’s your “traditional” voice services transported across a common IP infrastructure. • The Real Answer – It’s the convergence of numerous protocols, components, and requirements that must be balanced to provide a quality voice experience. 3 Recognize the Reality of IP Telephony • IP is the catalyst for convergence of technology and organizations • There are few plan templates for convergence projects • Everybody seems to have a strong opinion • Requires an educational investment in the technology (learning curve) – Requires an up-front investment in the technology that can be leveraged for subsequent deployments • Surveys indicate deployment is usually more difficult than anticipated • Most implementations are event driven (that means there is a broader plan) 4 IP Telephony vs. VoIP • Voice over IP – A broad technology that encompasses many, many facets. • IP Telephony – What you’re going to implement to actually deliver services across your network – Focuses more on features than possibilities – Narrows focus to specific implementations and requirements – Sets appropriate context for discussions 5 Why Does Convergence Matter? • Converged networks provide a means to simplify support structures and staffing. • Converged networks create new opportunities for a “richer” communications environment – Improved Unified Messaging – Unified Communications – The Promise of Video • Converged networks provide methods to reduce costs (if you do things right) 6 The Basics – TDM (vs.
    [Show full text]
  • What Is the Impact of Mobile Telephony on Economic Growth?
    What is the impact of mobile telephony on economic growth? A Report for the GSM Association November 2012 Contents Foreword 1 The impact of mobile telephony on economic growth: key findings 2 What is the impact of mobile telephony on economic growth? 3 Appendix A 3G penetration and economic growth 11 Appendix B Mobile data usage and economic growth 16 Appendix C Mobile telephony and productivity in developing markets 20 Important Notice from Deloitte This report (the “Report”) has been prepared by Deloitte LLP (“Deloitte”) for the GSM Association (‘GSMA’) in accordance with the contract with them dated July 1st 2011 plus two change orders dated October 3rd 2011 and March 26th 2012 (“the Contract”) and on the basis of the scope and limitations set out below. The Report has been prepared solely for the purposes of assessing the impact of mobile services on GDP growth and productivity, as set out in the Contract. It should not be used for any other purpose or in any other context, and Deloitte accepts no responsibility for its use in either regard. The Report is provided exclusively for the GSMA’s use under the terms of the Contract. No party other than the GSMA is entitled to rely on the Report for any purpose whatsoever and Deloitte accepts no responsibility or liability or duty of care to any party other than the GSMA in respect of the Report or any of its contents. As set out in the Contract, the scope of our work has been limited by the time, information and explanations made available to us.
    [Show full text]
  • TELEPHONE TRAINING GUIDE] Fall 2010
    [TELEPHONE TRAINING GUIDE] Fall 2010 Telephone Training Guide Multi Button and Single Line Telephones Office of Information Technology, - UC Irvine 1 | Page [TELEPHONE TRAINING GUIDE] Fall 2010 Personal Profile (optional) ........................................... 10 Group Pickup (optional) ............................................... 10 Table of Contents Abbreviated Dialing (optional) ..................................... 10 Multi-Button Telephone General Description Automatic Call-Back ..................................................... 10 ....................................................................................... 3 Call Waiting .................................................................. 10 Keys and Buttons ............................................................ 3 Campus Dialing Instructions ............................ 11 Standard Preset Function Buttons .................................. 3 Emergency 911 ............................................................. 11 Sending Tones (TONE) .................................................... 4 Multi-Button Telephone Operations ................ 4 Answering Calls ............................................................... 4 Placing Calls .................................................................... 4 Transferring Calls ............................................................ 4 Inquiry Calls .................................................................... 4 Exclusive Hold ................................................................. 4
    [Show full text]
  • Copyrighted Material
    Stichwortverzeichnis A B Abstreitbarkeit 167 Bequemlichkeit 30 Adblocker 96 Bitcoin 110 – Adblock Plus 96 Blackberry 215 – Disconnect 96 Bookmarks siehe Favoriten – Ghostery 96 Browser 68, 75 – Privacy Badger 96 – Add-on 87, 90 – uBlock 97 – Apple Safari 77 Add-on – Cache 88 – Browser 87, 90 – Chromium 78 – E-Mail-Client 126 – Chronik 87 – Enigmail siehe Enigmail – Fingerprinting 85, 98 – GpgOL 137 – Google Chrome 77 – Mailvelope 130, 132 – HTML-Engine 80 – Thunderbird 139 – Hygiene 88 Adium 170 – Iceweasel 78 Advanced Programming Interface (API) 90, – Inkognito-Modus 86 182 – integrierte Suche 84 Android – Internet Explorer 77 – Android Privacy Guard (App) 156 – Konqueror 78 – K9 Mail (E-Mail-Client) 156 – Microsoft Edge 92 – OpenKeychain (App) 156 – Midori 78 – PGP 156 – Mosaic 68 – R2Mail2 (E-Mail-Client) 158 – Mozilla Firefox 68, 76 – S/MIME 156 – Netscape Navigator 68 Anonymität 206 COPYRIGHTED– Opera 77MATERIAL AOL Instant Messenger (AIM) 164 – Plug-in 87 Apple Mail – Prole (Identitäten) 87 – PGP 145 – Synchronisation von Einstellungen – S/MIME 155 86 Authentizierung 167, 169, 176, 179 – Web (Epiphany) 78 – Adium 172 Buffer Overow 82 – Multifaktor- 201 Bugs 82 – Pidgin 169 Bundesamt für Sicherheit in der Informations- Authentizität 29, 54, 56 technik (BSI) 215 233 Stichwortverzeichnis C – E-Mail-Adresse 119 Caesar-Chiffre 36 – Header 121 Certicate Authority siehe Zertizierungsstelle – Provider 129, 131, 139 Chain of Trust siehe Web of Trust – Server 122 Chaos Computer Club (CCC) 133 Eingangsverschüsselung 125 Chat 161 Electronic
    [Show full text]
  • Telecommunications Provider Locator
    Telecommunications Provider Locator Industry Analysis & Technology Division Wireline Competition Bureau February 2003 This report is available for reference in the FCC’s Information Center at 445 12th Street, S.W., Courtyard Level. Copies may be purchased by calling Qualex International, Portals II, 445 12th Street SW, Room CY- B402, Washington, D.C. 20554, telephone 202-863-2893, facsimile 202-863-2898, or via e-mail [email protected]. This report can be downloaded and interactively searched on the FCC-State Link Internet site at www.fcc.gov/wcb/iatd/locator.html. Telecommunications Provider Locator This report lists the contact information and the types of services sold by 5,364 telecommunications providers. The last report was released November 27, 2001.1 All information in this report is drawn from providers’ April 1, 2002, filing of the Telecommunications Reporting Worksheet (FCC Form 499-A).2 This report can be used by customers to identify and locate telecommunications providers, by telecommunications providers to identify and locate others in the industry, and by equipment vendors to identify potential customers. Virtually all providers of telecommunications must file FCC Form 499-A each year.3 These forms are not filed with the FCC but rather with the Universal Service Administrative Company (USAC), which serves as the data collection agent. Information from filings received after November 22, 2002, and from filings that were incomplete has been excluded from the tables. Although many telecommunications providers offer an extensive menu of services, each filer is asked on Line 105 of FCC Form 499-A to select the single category that best describes its telecommunications business.
    [Show full text]
  • Voice Over Internet Protocol (VOIP): Overview, Direction and Challenges 1 U
    View metadata, citation and similar papers at core.ac.uk brought to you by CORE provided by International Institute for Science, Technology and Education (IISTE): E-Journals Journal of Information Engineering and Applications www.iiste.org ISSN 2224-5782 (print) ISSN 2225-0506 (online) Vol.3, No.4, 2013 Voice over Internet Protocol (VOIP): Overview, Direction And Challenges 1 U. R. ALO and 2 NWEKE HENRY FIRDAY Department of Computer Science Ebonyi State University Abakaliki, Nigeria 1Email:- [email protected] 2Email: [email protected] ABSTRACT Voice will remain a fundamental communication media that cuts across people of all walks of life. It is therefore important to make it cheap and affordable. To be reliable and affordable over the common Public Switched Telephone Network, change is therefore inevitable to keep abreast with the global technological change. It is on this basis that this paper tends to critically review this new technology VoIP, x-raying the different types. It further more discusses in detail the VoIP system, VoIP protocols, and a comparison of different VoIP protocols. The compression algorithm used to save network bandwidth in VoIP, advantages of VoIP and problems associated with VoIP implementation were also critically examined. It equally discussed the trend in VoIP security and Quality of Service challenges. It concludes by reiterating the need for a cheap, reliable and affordable means of communication that would not only maximize cost but keep abreast with the global technological change. Keywords: Voice over Internet Protocol (VoIP), Public Switched Telephone Network (PSTN), Session Initiation Protocol (SIP), multipoint control unit 1. Introduction Voice over Internet Protocol (VoIP) is a technology that makes it possible for users to make telephone calls over the internet or intranet networks.
    [Show full text]
  • Google Talk: Is It Ready for the Enterprise?
    Research Publication Date: 16 April 2009 ID Number: G00166834 Google Talk: Is It Ready for the Enterprise? David Mario Smith, James Lundy This report discusses the Google Talk instant messaging product and its suitability for enterprises. This is important for companies which are looking at alternatives to IBM and Microsoft for messaging and collaboration. Key Findings • Google Talk IM is based on the Extensible Messaging and Presence Protocol (XMPP) and Jingle protocols. • To get enterprise-level support for Google Talk, companies have to purchase the full Google Apps Premier Edition (GAPE) suite. • Enterprise users are already using the Google Talk and Gmail free services. Recommendations • Enterprises making collaboration decisions should include the Google Apps portfolio as part of an effort to compare the economics of their current incumbent provider vs. similar services provisioned in the cloud. © 2009 Gartner, Inc. and/or its Affiliates. All Rights Reserved. Reproduction and distribution of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner's research may discuss legal issues related to the information technology business, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein are subject to change without notice. WHAT YOU NEED TO KNOW Enterprise instant messaging (IM) has emerged to become an infrastructure component in enterprises.
    [Show full text]
  • A Comparison Between Inter-Asterisk Exchange Protocol and Jingle Protocol: Session Time
    Engineering, Technology & Applied Science Research Vol. 6, No. 4, 2016, 1050-1055 1050 A Comparison Between Inter-Asterisk eXchange Protocol and Jingle Protocol: Session Time H. S. Haj Aliwi N. K. A. Alajmi P. Sumari K. Alieyan School of Computer Sciences Saad Al-Abdullah Academy School of Computer Sciences National Advanced IPv6 Center Universiti Sains Malaysia for Security Sciences, Kuwait Universiti Sains Malaysia Universiti Sains Malaysia [email protected] [email protected] [email protected] [email protected] Abstract—Over the last few years, many multimedia conferencing sessions. Such applications are Gtalk, Talkonaut, and Hangouts and Voice over Internet Protocol (VoIP) applications have been [7]. developed due to the use of signaling protocols in providing video, audio and text chatting services between at least two participants. II. BACKGROUND This paper compares between two widely common signaling protocols: InterAsterisk eXchange Protocol (IAX) and the extension of the eXtensible Messaging and Presence Protocol A. IAX Protocol (Jingle) in terms of delay time during call setup, call teardown, In 2004, Mark Spencer created the Inter-Asterisk eXchange and media sessions. (IAX) protocol for asterisk that performs VoIP signaling [22]. IAX is supported by a few other softswitches, (Asterisk Private Keywords-multimedia conferencing; VoIP; signaling protocols; Branch eXchange) PBX systems [23], and softphones [18]. Jingle; IAX Any type of media (Video, audio, and document conferencing) can be managed, controlled and transmitted through the I. INTRODUCTION Internet Protocol (IP) networks based on IAX protocol [25]. With the appearance of numerous multimedia conferencing IAX2 is considered to be the current version of IAX.
    [Show full text]
  • Telecommunications Electronics Technician Competency Listing
    Telecommunications Electronics Technician Competency Listing Telecommunications Electronics Technician - TCM Competency Requirements Telecommunications electronics technicians are expected to obtain knowledge of wired and wireless communications basic concepts which are then applicable to various types of voice, data and video systems. Once the CET has acquired these skills, abilities and knowledge, he or she will be able to enter employment in any part of the telecommunications field. With minimal training in areas unique to specific products, the CET should become a profitable and efficient part of the electronics-communications workforce. Telecommunications Electronics Technicians must be knowledgeable and have abilities in the following technical areas: 1.0 CABLES AND CABLING 1.1 Describe unshielded twisted pair (UTP) - List common usage locations and capabilities 1.2 Demonstrate installation and troubleshooting of RJ45/48 telephone connectors and fittings 1.3 CAT 5 wiring—Explain the differences vs.: single twisted pair and where it is most used 1.4 10 base T-explain where it is commonly used and its frequency capabilities 1.5 Describe the T568A / T568B standards 1.6 Explain how Cable TV wiring is used for data and voice services 1.7 Explain the differences between coax types RG 58, RG 59 and RG 6 1.8 Describe required grounding of electronics equipment 1.10 Describe the differences in Single and Multi-mode fiber optics 2.0 ANALOG TELEPHONY 2.1. Give a brief history of the telephone industry 2.2 Explain how basic phone systems work 2.3 Define POTS, DID, OPX, tie lines and WATS lines 2.4 Explain the benefits and usage of multiple phone lines 2.5 Define PBX and explain basic switching method 2.6 Sketch a local loop map 2.7 Define Key service units 2.8 Define Central Office and list it purposes 2.9 Explain the terms and usage of tones, loop start, ground start and wink start 2.10 Define CO, CPE.
    [Show full text]