Protecting Telephone-Based Payment Card Data

Version: 3.0
Date: November 2018
Author: Protecting Telephone-Based Payments Special Interest Group, PCI Security Standards Council
Information Supplement: Protecting Telephone-Based Payment Card Data

Information Supplement • Protecting Telephone-Based Payment Card Data • November 2018

Document Changes

  Date            Document Version   Description
  March 2011      2.0                Initial release.
  November 2018   3.0                Updated by PCI Special Interest Group.

The intent of this document is to provide supplemental information. Information provided here does not replace or supersede requirements in any PCI SSC Standard.

Contents

  Document Changes  i
  1. Introduction  1
  1.1 Objective  1
  1.2 Audience  1
  1.3 Using the document  2
  1.4 Terminology  3
  2 Setting the Stage  4
  2.1 The Risk of Fraud  4
  2.2 People, Process, and Technology  4
  2.3 PCI DSS Applicability to Telephony Environments  4
  2.3.1 Simple Telephone Environments  5
  2.3.2 Complex Telephone Environments  8
  2.4 Telephony Considerations and Demarcation Points  13
  2.5 Systems and Networks Mistakenly Excluded from Scope  15
  2.6 Compliance validation  16
  3 People  17
  3.1 Risks and Guidance in Simple Telephone Environments  17
  3.2 Additional Risks and Guidance in Complex Telephone Environments  17
  4 Process  19
  4.1 Risks and Guidance in Simple Telephone Environments  19
  4.2 Additional Risks and Guidance in Complex Telephone Environments  19
  5 Technology  21
  5.1 Risks and Guidance in Simple Telephone Environments  21
  5.2 Additional Risks and Guidance in Complex Telephone Environments  22
  5.2.1 Securing IT Infrastructure  22
  5.2.2 Architectural Aspects  24
  5.2.3 Desktop Systems  24
  5.2.4 Softphones  24
  5.2.5 Dual-Tone Multi-Frequency (DTMF)  24
  5.2.6 Voice and Screen Recordings  25
  6 Approach to Scoping and Securing Telephone Environments  27
  6.1 “No Cardholder Data Environment” Approach and Other Forms of Scope Reduction  28
  6.2 Technologies, Overview, and Classifications  29
  6.2.1 Attended Transactions  29
  6.2.2 Unattended Transactions  30
  6.3 Digital-based Attended and Unattended Solutions  31
  6.4 Telephone-based Attended and Unattended Technologies  32
  6.4.1 Attended Telephony Technologies  32
  6.4.2 Unattended Telephony Technologies  35
  6.5 Other Common Forms of Scope Reduction  36
  6.5.1 Pause-and-Resume  36
  6.5.2 Outsourcing to a Specialist Third-party Service Provider  38
  6.5.3 Physical Segmentation  38
  6.6 Additional Considerations  40
  7 Third-party Service Providers  42
  7.1 Impact on Scope  42
  7.2 Common Telephony-related Services  43
  7.2.1 Private Branch Exchange (PBX) Services  43
  7.2.2 SIP Trunking  43
  7.2.3 Interactive Voice Response (IVR)  43
  7.2.4 Fraud Detection/Monitoring  43
  7.2.5 Voice Analytics  43
  7.2.6 Call Recording  44
  Appendix A: Glossary / Terminology  46
  Appendix B: Document Quick-reference Guide  49
  Appendix C: Payment Call Environment-identification Tree  50
  Appendix D: Call Recording Decision-making Process  51
  D.1 Flowchart  51
  D.2 Regarding SAD in

Details

  • File Type
    pdf
  • Content Languages
    English
  • File Pages
    70 Page
