The PCI Council has published new guidance for Call Centers handling credit cards via telephone, especially when VoIP is used, and also addresses issues surrounding the storage of recorded calls.
The document, titled “Protecting Telephone-Based Payment Card Data Information Supplement” can be found at the PCI Standards Council’s official website, here:
https://www.pcisecuritystandards.org/security_standards/documents.php
This guidance addresses several key issues related to PCI Compliance for call centers, including:
- Explanation of how the PCI-DSS applies to cardholder data stored in call recording systems;
- Recommendations for assessing risk and applicable controls of call center operations;
- Specific guidance addressing the storage of sensitive authentication data, which includes suggested methods for rendering data unavailable to meet PCI-DSS requirement 3.2;
- Guidance on some of the key considerations faced by call centers when implementing PCI-DSS requirements
Jeremy Simon, PCI QSA, CISSP, CISA
Practice Lead, PCI Compliance Services
PCI DSS Requirements
PCI DSS Requirement 5.4.1: Anti-spoofing controls such as DMARC, which stands for Domain-based Message Authentication, Reporting and Conformance, Sender Policy Framework (SPF), and Domain Keys Identified Mail (DKIM) can help stop phishers from spoofing the entity’s domain and impersonating personnel.
Clarification on eCommerce Outsourcing PCI DSS requirements 6.4.3 and 11.6.1
Unpacking the New PCI DSS Password Standards
Is Your Organization Prepared for PCI DSS Automation – Requirement 10.4.1.1?
What is the PCI DSS v4 Authenticated Scanning Mandate – Requirement 11.3.1.2?
What is the PCI DSS v4.0.1 Requirement for PoLP – Requirement 7.2.5?
The New PCI DSS v4.0.1 Software Catalog Mandate – Requirement 6.3.2
How to Analyze An Attestation of Compliance (AOC)
PCI Compliance New Requirements and Targeted Risk Analysis (TRA)
RESOURCES & NEWS
Learn more about Penetration Testing and new exploits in HALOCK’s Exploit Insider.
The Dangers of Legacy Protocols
PCI Targeted Risk Analysis & DoCRA
https://www.halock.com/pci-compliance-new-requirements-and-targeted-risk-analysis/
HIPAA & Penetration Testing & Incident Response Plans
Top Threats in Healthcare
https://www.halock.com/top-cyber-threats-in-healthcare/
Cloud Security Risk Management
https://www.halock.com/prioritized-findings-and-remediation-in-cloud-security-reporting/
Penetration Testing Reports to Manage and Prioritize Risk
https://www.halock.com/a-threat-based-approach-to-penetration-test-reporting/
HALOCK is headquartered in Schaumburg, IL, in the Chicago area and advises clients on information security and conducts PCI preparedness assessment, scoping, remediation, validation, and compliance maintenance services throughout the US.
