Online and mobile payments get all the press, but plenty of card-not-present payments still originate from telephone orders. The security threats from such orders are changing, which prompted the PCI Security Standards Council to issue an update Wednesday to guidance it first produced seven years ago for protecting phone-based payments.
The guidance does not add to or supersede any current requirements in the Payment Card Industry Data Security Standard (PCI DSS), the PCI Council’s main set of rules for merchants, processors, and other entities that handle general-purpose credit and debit card data. It was developed by one of the council’s so-called special interest groups, which consist of representatives of companies and other organizations concerned with a specific security issue. In this case, the guidance came from the Protecting Telephone-Based Payment Card Data Special Interest Group.
“Since the publication of the original document in 2011, the marketplace for telephone-based payment card solutions has changed from a risk, legal-regulatory, and technology aspect,” Jean-Louis LaMacchia, standards development manager at the Wakefield, Mass.-based PCI Council and the telephone SIG’s chairperson, said in a blog post. “With EMV chip technology securing card-present transactions, criminals are increasingly looking to exploit card-not-present channels such as mail-order/telephone-order and e-commerce. Because telephone-based payments now represent an area of opportunity for fraud, entities need to properly evaluate and protect their telephone-based payment environments.”
LaMacchia said changes in regulations and consumer-protection laws have resulted in more recorded customer conversations, “which may result in unnecessary storage of payment card data information. In general, no payment card data should ever be stored unless necessary to meet the needs of the business.”
Unique and changing technology also prompted the SIG to take a new look at how to better protect telephone payments. “Telephone environments often use technologies and solutions not found in other types of environments, such as voice-masking technologies,” LaMacchia said. “Additionally, traditional analogue-based telephony systems are being phased out by many organizations and replaced by Voice over Internet Protocol (VoIP) technology, and entities need to understand the impact of this evolution.”
New technologies and payment channels developed since 2011 “are increasing the scope of the cardholder data environment—and creating some uncertainty and compliance challenges for contact centers,” said Ben Rafferty, a member of the telephone SIG who is global solutions director at Semafone, a United Kingdom-based data-protection software provider for customer contact centers with U.S. headquarters in Boston. He added in an email message that “we hope to provide clarity on securing these critical payment channels.”