Last month, the revised ‘Securing Telephony Payments’ document was released by the PCI SSC SIG working group. While this received much coverage, another update occurred quietly in the background, but which is just as significant; FAQ 1153 ‘How does PCI DSS apply to VoIP?’ Until now, PCI DSS and VoIP has been subjective and unclear. Given the rise in organisations using VoIP, we wanted to take a deeper dive into what this means for organisations, carriers, and its significance to PCI DSS.
The revised ‘Securing Telephony Payments’ document does not explicitly reference the use of VoIP, however this document states clearly that VoIP traffic that contains payment card account data is in scope for applicable PCI DSS controls, just as other IP network traffic containing payment card account data would be. So, what is considered in and out of scope for PCI DSS?
The update goes on to say that transmissions originating from an external source and sent to an entity’s environment are not considered within the entity’s PCI DSS scope until the traffic reaches the entity’s infrastructure. An organisation cannot control the method of inbound phone calls that their customers and other parties may make, including whether any payment card account data sent over that transmission is being adequately protected by the caller. This is the only example given where the calls are out of scope for organisations, however. Where a call is outbound (e.g. to a cardholder), internal within the organisation and externally to businesses (e.g. to payment processors,), the organisations network, and therefore VoIP transmission of calls carrying payment card information, is in scope. In short, the document confirms that where organisations have the ability to encrypt VoIP, they must.
However, encryption is just one way in which organisations can protect cardholder data. The use of DTMF suppression technologies such as Agent Assist remove telephony payments from scope altogether as none of the card holder data enters the organisation’s environment.
To discuss how PCI Pal can assist you in your compliance journey, get in contact with us.