PCI and VoIP – Do Not Pass Go
There was no specific guidance on Voice over Internet Protocol (VoIP) in the new PCI DSS version 4.0. Previous guidance from the PCI Council, however, makes it clear that any network, including a VoIP network, used to transmit, process, or receive cardholder data is fully in scope for all relevant PCI DSS requirements. This includes, but is not limited to, requirements related to network devices (e.g., firewalls, routers, switches), configuration and management, patching, access control, audit logging, change detection, etc.
This means that if your organization controls the VoIP network over which telephone-based payments are taking place, your organization is responsible for protecting that network and adhering to the PCI DSS requirements for the transmission of cardholder data. For organizations that have worked to reduce their PCI scope through the use of outsourced e-commerce solutions, Point-to-Point Encryption (P2PE) solutions, etc., bringing network infrastructure back into scope is not ideal. So, how should organizations address VoIP as it relates to PCI?
Many organizations are lost when it comes to determining exactly how to secure VoIP networks and struggle to justify the cost of meeting the stringent requirements of the PCI DSS. Before making any decision to cease payments over the phone, outsource technologies, or purchase expensive tools, it is important for the PCI team to fully understand which merchants are taking payments over the phone and why.
The first step to understanding the scope of your VoIP environment is to assess current and future payment processes and engage your merchants, so you can then recommend the appropriate solutions and business processes that will meet PCI compliance requirements. You will need to find out from each merchant:
Are credit card payments currently taken over the phone?
What are their business needs?
Estimated number of payments collected by phone per week (volume)
Phone technology in use (e.g., personal cell phones, organizational cell phones, desk phones, Zoom, Jabber, Slack, etc.)
Phone connections (analog, network IP, etc.)
Use of workstations or laptops running dialing software (i.e., softphones)
Use of voicemail
Call recordings (manual or automatic)
Work environment (in office, remote, hybrid)
Once your organization understands the number of merchants taking payments over the phone, you can begin to review alternative options. If the volume of payments taken each month is low, could a merchant simply direct those customers to an alternative payment method? With COVID and the shift to more e-commerce activity, customers are more comfortable than ever moving online and may have no problem using an e-commerce site to complete their transactions.
Once your teams have determined the scope of your VoIP environment for those areas that have a justified need to continue accepting payments over the phone—for example, call centers, foundations, development offices, etc.—the organization can then determine next steps for that limited group of merchants. Options include encrypting the voice traffic for specific phone lines, outsourcing the management and administration of the VoIP infrastructure to a third party, and leveraging third-party solutions such as Interactive Voice Response (IVR) or Dual-Tone Multi-Frequency (DTMF) masking technologies.
CampusGuard can help review and assess these solutions with your teams to ensure they are meeting all necessary compliance requirements and providing an efficient solution for your merchants.