Many organizations have transitioned away from traditional analog phone lines to Voice over Internet Protocol (VoIP). On a VoIP network, voice calls are converted into packets of data that travel like any other data, such as e-mail, over the public Internet and/or private networks. Because VoIP rides on ordinary IP networks, it is exposed to the same attacks as any other IP traffic, and unencrypted calls can be intercepted by eavesdroppers on any network segment they cross.
What impact does this have on your PCI compliance program?
If you have merchants accepting cardholder data over a VoIP telephone, this can unfortunately expand your organization’s PCI DSS scope.
The PCI Security Standards Council (PCI SSC) FAQ 1153 explains:
“PCI DSS requirements apply wherever account data is stored, processed, or transmitted. While the PCI DSS does not explicitly reference the use of VoIP, VoIP traffic that contains cardholder data is in scope for applicable PCI DSS controls, in the same way that other IP network traffic containing cardholder data would be.”
Basically, the PCI SSC is stating that a VoIP network is just a network. If it supports the transmission of cardholder data, then the same PCI DSS requirements apply that are applicable to any IP-based network supporting computers or terminals used for handling payments. This means that any merchants using VoIP phones and having customers speak or enter cardholder information are in scope for PCI. Common examples include call center operations, as well as merchants taking payments for registration, events, merchandise, tuition, dining, etc.
Because limited resources must go to higher priority areas (i.e., those involving a larger percentage of transactions), many organizations have taken a risk-based approach and focused first on other PCI compliance gaps, such as reducing or eliminating the entry of cardholder data on workstations. VoIP being in scope for PCI is not new; however, the topic has received renewed attention as organizations fully retire their analog phone lines and as the PCI SSC has given it more emphasis. Many organizations that have worked diligently to reduce risk and shrink their PCI scope through validated P2PE solutions and outsourced e-commerce now find themselves back in scope and needing to complete a Self-Assessment Questionnaire (SAQ) D because of a recent migration to VoIP.
Can an organization be PCI compliant with a VoIP network? What exactly is in scope?
It can be difficult to determine exactly what must be implemented to secure a VoIP network when payment card information is taken over the phone. The PCI SSC issued an Information Supplement, Protecting Telephone-Based Payment Card Data, in November 2018.
The transmission of any customer cardholder data (CHD) over VoIP, as well as any recording or storage of that transmission, is in scope for PCI DSS. Scope starts with any people, processes, or technology that store, process, or transmit cardholder data or that can affect its security, but it also includes components that reside in the same environment as in-scope components. Any system the merchant controls (e.g., hard phones, call managers, switches, gateways, etc.) is in scope; anything beyond that is outside the merchant's control and can be deemed out of scope. The organization cannot control the inbound and outbound traffic once it is on its telecommunications carrier's network, so the carrier's network, like the public Internet, is not in scope for PCI. That does not remove the obligation to manage any telephony provider that handles cardholder data on your behalf as a third-party service provider.
To properly scope your environment, start by determining whether any call recordings contain cardholder data, as stored recordings dramatically increase your PCI DSS compliance burden and risk and immediately disqualify the organization from eligibility for a reduced SAQ. If there is no legitimate business need to store payment card data, do not store it in your environment. If phone conversations must be recorded for other business reasons, it may be possible to use a system that lets staff pause and resume recording so that card data is never captured. If pause-and-resume technology is used, verify on a regular basis that the recordings actually contain no cardholder data, including numbers a caller keyed in as DTMF tones rather than spoke aloud.
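One way to perform the regular verification described above, as an added example that is not CampusGuard's code or part of the PCI SSC supplement: scan call transcripts and IVR/DTMF digit logs (assumed here to be available as plain text) for 13 to 19 digit runs that pass the Luhn check, which filters out most order and phone numbers. The record names and the sample records are constructed for the example; the card numbers are the well-known test numbers, not real accounts.

```python
"""Scan call transcripts and IVR/DTMF logs for primary account numbers (PANs).

Added example: a simple check that pause-and-resume recordings really contain
no card numbers. It looks for 13-19 digit runs (spaces, dashes or dots allowed
between digits, as in spoken or DTMF-logged numbers) and keeps only those that
pass the Luhn check, which removes most order numbers and phone numbers.
"""
import re
from dataclasses import dataclass

# Digit runs of 13-19 digits, allowing a single space, dash or dot between digits.
DIGIT_RUN = re.compile(r"(?:\d[ .\-]?){12,18}\d")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits, which PCI DSS permits to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass(frozen=True)
class Finding:
    record: str      # which transcript or log the PAN was found in
    masked_pan: str  # never record the full PAN; the scanner itself must not leak it
    offset: int      # character offset of the match within the record


def find_pans(record: str, text: str) -> list[Finding]:
    """Return every Luhn-valid 13-19 digit run in one record."""
    findings = []
    for m in DIGIT_RUN.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            findings.append(Finding(record, mask_pan(digits), m.start()))
    return findings


def scan_records(records: dict[str, str]) -> dict[str, list[Finding]]:
    """Scan many records; only records with at least one finding appear in the result."""
    result = {}
    for name, text in records.items():
        hits = find_pans(name, text)
        if hits:
            result[name] = hits
    return result


# Constructed sample records (hypothetical file names). These are not real
# recordings; the card numbers are publicly known test numbers, not real accounts.
SAMPLE_RECORDS = {
    "call-001.txt": "Caller: sure, the card number is 4111 1111 1111 1111, expiry 12/27.",
    "call-002.txt": "Agent: I am pausing the recording now. [paused 00:02:14, resumed 00:03:02] "
                    "Agent: thank you, the payment went through.",
    "call-003.txt": "Caller: my order reference is 1234567890123 and my phone is 555-0100.",
    "ivr-004.log":  "DTMF: 3 7 8 2 8 2 2 4 6 3 1 0 0 0 5 # then 1 2 2 5 #",
}

if __name__ == "__main__":
    for name, hits in scan_records(SAMPLE_RECORDS).items():
        for h in hits:
            print(f"{name}: PAN {h.masked_pan} at offset {h.offset}")
```

Run against the constructed samples, only call-001.txt (a spoken number) and ivr-004.log (a number keyed in as DTMF) are reported; the 13-digit order reference in call-003.txt is long enough to match the pattern but fails the Luhn check and is dropped. The scanner deliberately stores only a masked PAN, since a verification tool that writes full card numbers into its own report would itself become a storage location in scope.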
There is also an added complication when VoIP "soft" phones are in place. These are software clients that run on a workstation instead of a dedicated VoIP handset, so the workstation, its network segment, and the other devices on that segment all come into scope. The logistical challenge of segmenting the parts of the VoIP environment used to accept cardholder data from the rest of the network infrastructure, including other VoIP segments, makes it difficult to avoid an increase in PCI scope. There is no simple solution to this challenge, just as there is none for the fact that any core network infrastructure carrying both general campus and PCI traffic is itself in PCI scope.
With the shift to remote work, organizations may also need to evaluate the additional risks of processing account data in unsecured locations and home offices. All staff should be made fully aware of the risks of remote working and of what is required to maintain the ongoing security of systems, processes, and equipment, including the processing of telephone-based payment card data. Staff members should not take payment information over their personal mobile devices, through unsecured VoIP telephones, or through messaging clients such as Jabber or Microsoft Teams.
What options are available?
To help understand what impact VoIP might have on your compliance program, you can start by surveying the merchant environments to identify which merchants are accepting payment card information over the phone, if there are any calls being recorded, the volume of transactions, alternative options available for payment, etc. (Connect with your Customer Advocate team for CampusGuard’s “Merchant Survey” template.)
Once an organization has a clear picture of the merchants that may be accepting payments over a VoIP network, the PCI Team can work to determine a path forward. Some of the solutions include the following:
- Evaluate the need to collect payment information over the phone and discontinue taking phone-based payment card transactions where possible. If it is not a key payment channel for the merchant, the best answer might be to cease support for telephone-based transactions, and instead redirect customers to other supported payment channels, such as face-to-face or e-commerce.
- Continue to provide analog-based technology for those areas that are accepting payment card information over the phone. Some organizations are able to keep or re-install plain old telephone service (POTS) lines, or copper, in those locations that need to process cardholder data over the telephone. (Note: this may not always be an option based on existing telecom environments.)
- For those areas that are accepting payment card information over the phone, provide dedicated cellular phones that are issued by the organization and used only for taking customer payment card transactions. Establish a program that allows merchants to request and purchase cellular phones for use in their environments as needed.
- Outsource a portion of the voice environment to a cloud-based third-party service provider. If the VoIP-based card data processing, transmission, or storage services are outsourced to service providers such as call centers, ensure that the service provider complies with all PCI DSS compliance requirements. Be sure you understand where the responsibility of each service provider for securing the infrastructure starts and ends; using data flow diagrams with clear demarcation points allows for easy visibility.
- Use a third-party service provider for Interactive Voice Response (IVR) and/or Dual Tone Multi-Frequency (DTMF) suppression, so that the customer keys in the card number and the digits never reach the agent's phone, screen, or recording. This option can be expensive, but it may be worth reviewing to determine what is available for your merchant environments.
- Secure and maintain the organization’s VoIP network. As discussed above, if you decide to implement and maintain a compliant VoIP network, you will need to refer to the SAQ D and determine applicable controls that must be put in place.
What if all voice traffic is encrypted?
If you opt to secure and maintain a VoIP network, encryption is just one of many requirements that must be met. However, if a third party manages the encryption process and keys, this may allow you to outsource some of the PCI compliance responsibility. Regarding encryption of VoIP traffic, the PCI Council has two FAQs that apply:
FAQ 1086 tells us that the endpoints that perform encryption are themselves in scope.
FAQ 1233 tells us that third parties who have no access to, or control over, the encryption/decryption keys may be able to treat the encrypted data as out of scope. For a merchant, this is only relevant if a third-party telephony provider is responsible for the day-to-day management of all equipment used to encrypt the voice traffic and the organization has zero access to that encryption/decryption process or its keys. Such a model would, however, make the third party a formal PCI DSS service provider that must be managed under Requirements 12.8.1 through 12.8.5.
As technology continues to improve, we predict there will be improvements and changes in the offerings from third-party service providers providing secure VoIP networks that can help organizations achieve and maintain PCI compliance. Consult with your Customer Advocate team to help review and evaluate possible solutions for outsourcing or securing and maintaining a compliant VoIP network.
Some additional guidance from the CampusGuard Security Advisor Team:
[King]: Many organizations spend initial efforts tackling the highest risk areas in their environments, leaving VOIP systems toward the bottom of the priority list. Once organizations have addressed higher risk areas and begin considering security controls for VOIP systems they may find the activity to be challenging. Solutions on the market have differing approaches to securing voice transmissions and reducing risk, so comparing them may feel like comparing apples to oranges. Choosing a solution that both reduces risk and fits within an organization’s resource constraints should include input from business units, finance, and technology staff to ensure the system meets the needs of all stakeholders. Your CampusGuard team is a valuable resource to include in discussions as your organization assesses the available options. Contact us now!