SIP Trunks: PCI compliance paired with agile and cost-effective telephony
What is PCI DSS compliance, and what does it mean for you?

The Payment Card Industry Data Security Standard (PCI DSS) is the information security standard maintained by the PCI Security Standards Council, which was founded by the major card brands (Visa, MasterCard, American Express, Discover and JCB) to combat fraud and protect consumer card data. PCI DSS applies to every organisation that stores, processes or transmits cardholder data for any of these brands' cards.

The type of annual assessment required depends on the merchant level, which is set by the volume of payment transactions handled. Level 1 merchants, with over six million transactions per year, must have their annual compliance assessment carried out by an independent Qualified Security Assessor (QSA). Those handling between one and six million transactions are Level 2 and can be signed off by an Internal Security Assessor (ISA), while the majority of companies, with fewer than one million transactions per year, are Level 3 or Level 4 and can use a Self-Assessment Questionnaire (SAQ). The level is assigned by the card brands and your acquirer, and a merchant that has suffered a compromise can be placed at Level 1 regardless of its volume.

The current version of the standard (v3.1 at the time of writing, 2015) specifies 12 requirements, organised into six control objectives:

Build and maintain a secure network and systems
 1. Install and maintain a firewall configuration to protect cardholder data
 2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect cardholder data
 3. Protect stored cardholder data
 4. Encrypt transmission of cardholder data across open, public networks

Maintain a vulnerability management programme
 5. Protect all systems against malware and regularly update anti-virus software or programmes
 6. Develop and maintain secure systems and applications

Implement strong access control measures
 7. Restrict access to cardholder data by business need to know
 8. Identify and authenticate access to system components
 9. Restrict physical access to cardholder data

Regularly monitor and test networks
 10. Track and monitor all access to network resources and cardholder data
 11. Regularly test security systems and processes

Maintain an information security policy
 12. Maintain a policy that addresses information security for all personnel

The most effective and painless way of complying with PCI DSS is to minimise, or eliminate altogether, the customer card data held in the merchant's infrastructure.

SIP with Semafone from Gamma provides secure voice transactions for businesses taking Cardholder Not Present (CNP) payments. Protecting your business from external and internal threats can seem an impossible task. You must seal any cracks in your infrastructure to prevent a data breach, and if you take payments over the phone you also need to make sure that no sensitive card data leaks from your telephony infrastructure into your IT environment: call recordings, agent desktops and the data network are the usual routes.

The PCI DSS is ultimately on your side. Protecting your customers from fraud also protects your business from the reputational and financial damage that would follow a data security incident. With 327 controls to consider in total, it is vital to ensure you have addressed every one of them. The effects of non-compliance can be disastrous for a business, because the financial risk of opportunistic agent fraud and the associated reputational risk are very real. The consequences include:

- Compromise of your customers' payment data
- Damage to your brand and reputation
- Expensive lawsuits
- Insurance claims
- Lost customers
- Fines from the card schemes
- Fines from government regulators

If the mention of PCI DSS compliance leaves you all at sea, you are not alone...
PCI compliance: why pause and resume is not sufficient

Pause and resume, where the agent stops the call recording while the customer gives their card details, is a common choice for trying to remain compliant. It addresses only one aspect of the problem: the recording. The agent still hears the card number and can write it down, and the protection depends on the pause being triggered correctly on every call. With no protection against the risk of opportunistic agent fraud there are many stones left unturned, so it is important to choose a product that addresses all of the risks rather than paying for one that leaves your business still vulnerable. Some merchants also find that pause and resume does not meet the standards expected by the Financial Conduct Authority (FCA), whereas this solution does.

[Diagram: the risk areas of taking Cardholder Not Present payments over the telephone (Infrastructure, Physical, Merchant Environment, Payment Service Provider) shown in red as in scope for PCI DSS, with the limited protection offered by pause and resume shown in green.]

Our solution

SIP with Semafone from Gamma provides secure voice transactions for contact centres and retailers taking Cardholder Not Present (CNP) payments. It combines next-generation telephony with award-winning PCI compliance, and both aspects work to make your business more agile, productive and flexible.

Semafone is provided over the Gamma network through your SIP trunks. Both the call and the call recording continue as normal while the customer enters their card details using their telephone keypad. The Dual Tone Multi-Frequency (DTMF) tones from the cardholder's telephone are masked in the network and replaced with a flat tone, so the digits cannot be recognised by the agent or captured by the recorder. All card data stays segregated from your environment, and Sensitive Authentication Data (SAD) is removed before it reaches the call recorder, taking you out of the scope of PCI DSS. Note that masking applies to digits entered on the keypad, so the payment process must be run so that the customer keys the number rather than reading it aloud.

As a result of this combined solution you are deemed, for PCI DSS purposes, to have outsourced your payment process, because you never handle the cardholder data yourself. This takes you out of scope for many of the controls usually required to remain PCI DSS compliant. It is time to stop spending money on partial solutions such as pause and resume, which address only a single aspect of the problem.
The results of SIP with Semafone

With SIP with Semafone in place, the controls have been addressed and every component in your environment downstream of the hosted solution is de-scoped (shown in green on the diagram). Taking these areas out of scope for PCI DSS reduces the number of applicable controls from 327 to 14. The remaining controls concern how you manage your service provider (PCI DSS Requirement 12.8 covers maintaining and monitoring service providers), and can be satisfied by giving your QSA evidence that you do so.

How does it work?

Gamma SIP Trunking is a direct replacement for ISDN. It connects your PBX to Gamma's network, giving full breakout to the public switched telephone network (PSTN). Your site (or sites) connect to our network over an IP connection (for example broadband or Ethernet), delivered as an end-to-end service with an availability guarantee, voice channel guarantees and voice Quality of Service.

Semafone is deployed on those SIP trunks, inside the Gamma network rather than as equipment at your premises, so it is a completely outsourced service. Because it captures and transmits card data, the SIP with Semafone service itself is in scope for PCI DSS, as your service provider; the components behind it in your environment are not.

[Diagram: the caller's voice and DTMF enter the Gamma network, where DTMF tone masking takes place in a PCI secure zone that passes the card data to the Payment Service Provider (PSP). Only masked DTMF, with no card data present, continues over the Gamma SIP trunks to the customer premises: the PBX, IVR, call and screen recorder, VoIP and data networks, which are now out of scope for PCI DSS.]
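How the DTMF masking step works in principle, as an added illustration that is not Gamma's or Semafone's code and does not describe how their service is built: a filter sitting on the media path between the caller and the merchant's PBX detects the DTMF tone pair in each audio frame, diverts the decoded digit to a separate capture path that stands in for the hosted PCI secure zone, and forwards a flat tone downstream in its place, so neither the agent nor the call recorder ever receives the digits. Assumptions (all my own, not from the page): 8 kHz mono audio as float samples, 20 ms frames, pure-Python Goertzel detection, a 400 Hz mask tone, and a constructed keypad sequence "412" as the test call.

```python
import math

# Assumed media format: 8 kHz mono PCM as floats in [-1, 1], 20 ms frames.
SAMPLE_RATE = 8000
FRAME = 160
# DTMF keypad: row (low) and column (high) frequencies as defined in ITU-T Q.23.
LOW = (697, 770, 852, 941)
HIGH = (1209, 1336, 1477, 1633)
KEYS = ("123A", "456B", "789C", "*0#D")
MASK_TONE_HZ = 400      # constructed choice for the flat tone sent downstream
AMPLITUDE = 0.4         # per-tone amplitude used when synthesising test audio


def goertzel_power(frame, freq):
    """Power of a single frequency in `frame` (Goertzel algorithm at the exact frequency)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / SAMPLE_RATE)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def _dominant(powers, min_power=100.0, ratio=4.0):
    """Index of the strongest tone in a band, or None if it is weak or not clearly dominant."""
    order = sorted(range(len(powers)), key=powers.__getitem__, reverse=True)
    best, second = powers[order[0]], powers[order[1]]
    if best < min_power or best < ratio * second:
        return None
    return order[0]


def detect_digit(frame):
    """Return the DTMF key present in `frame`, or None (one dominant tone per band required)."""
    row = _dominant([goertzel_power(frame, f) for f in LOW])
    col = _dominant([goertzel_power(frame, f) for f in HIGH])
    if row is None or col is None:
        return None
    return KEYS[row][col]


class DtmfMaskingFilter:
    """Media-path filter: decoded digits go to `captured` (the PSP-facing capture path);
    the audio returned by process_frame() is all that the PBX and call recorder receive."""

    def __init__(self):
        self.captured = []
        self._held = None     # key seen in the previous frame, so a held key counts once
        self._phase = 0       # keeps the mask tone continuous across frames

    def process_frame(self, frame):
        digit = detect_digit(frame)
        if digit is None:
            self._held = None
            return list(frame)            # ordinary speech passes through unchanged
        if digit != self._held:
            self.captured.append(digit)   # the digit leaves the media path here
            self._held = digit
        return self._mask_tone(len(frame))

    def _mask_tone(self, n):
        out = []
        for _ in range(n):
            out.append(AMPLITUDE * math.sin(2.0 * math.pi * MASK_TONE_HZ * self._phase / SAMPLE_RATE))
            self._phase += 1
        return out


def dtmf_samples(key, n):
    """Synthesise `n` samples of the DTMF tone pair for `key` (constructed test audio)."""
    row = next(i for i, keys in enumerate(KEYS) if key in keys)
    col = KEYS[row].index(key)
    return [AMPLITUDE * math.sin(2.0 * math.pi * LOW[row] * i / SAMPLE_RATE)
            + AMPLITUDE * math.sin(2.0 * math.pi * HIGH[col] * i / SAMPLE_RATE)
            for i in range(n)]


def frames(samples):
    return [samples[i:i + FRAME] for i in range(0, len(samples), FRAME)]


def run_demo(keyed="412"):
    """Caller keys `keyed` (80 ms per key, 40 ms gaps). Returns (captured, leaked):
    what the PSP-side path received and what a detector run on the recorder-side audio recovers."""
    audio = []
    for key in keyed:
        audio += dtmf_samples(key, 4 * FRAME) + [0.0] * (2 * FRAME)
    mask = DtmfMaskingFilter()
    downstream = []
    for frame in frames(audio):
        downstream += mask.process_frame(frame)
    leaked = "".join(d for d in (detect_digit(f) for f in frames(downstream)) if d)
    return "".join(mask.captured), leaked


if __name__ == "__main__":
    captured, leaked = run_demo()
    print("PSP-side capture:", captured)
    print("recoverable from recorder-side audio:", repr(leaked))
```

Two things this toy leaves out that a production masking service must handle: a frame in which a tone starts or stops part-way may fall below the detection threshold, so the service has to buffer the media by at least a frame and suppress the tone edges rather than pass them on; and DTMF carried out of band as RTP telephone-event packets (RFC 4733) must be intercepted on the signalling path as well, because masking the audio alone would leave those events intact.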
Why choose SIP with Semafone from Gamma?

Flexibility with phone numbers: SIP trunking lets you move office and keep the same geographic number, with no ongoing call-forwarding costs and no need to produce new company stationery.

PCI compliance: SIP with Semafone from Gamma can vastly reduce the cost of being PCI compliant, reassures your customers and protects your business while reducing the risk of fraud.

Line rationalisation: for businesses with multiple sites, SIP trunking offers the opportunity to rationalise lines and reduce the number of PBXs you need to maintain, while retaining full control of the numbers associated with your business.

Save money: IP connectivity costs less than ISDN, with lower call costs, free internal calls between extensions and offices, and lower line rental for multi-site businesses. No expensive call forwarding is needed if you relocate or have to divert calls in a disaster. The built-in Semafone solution also considerably reduces the cost of remaining PCI DSS compliant (by up to 80%), not to mention the potential cost of large fines if you are found to be non-compliant.

Customer service: with no negative impact on staff working conditions, and complete flexibility and assurance for your customers and staff, the solution helps you maintain an outstanding level of customer service.

One supplier for both telephony and PCI compliance: if your business has both requirements, it makes financial and operational sense to unify your providers, giving you one port of call for both functions.

Business continuity: if your office has to be temporarily relocated in an emergency, SIP trunking lets you do so quickly and cost-effectively and keep your business working.
Improved internal processes: clean-room restrictions, such as banning mobile phones, searching employees and in some cases banning pens and paper, can be both dehumanising and stressful for employees. With DTMF masking the agent never hears or sees the card number, so these restrictions can be lifted, leaving the employee free to focus on their customers. Many contact centres have also adopted omnichannel strategies that include social media as part of their customer relations.
Who is SIP with Semafone aimed at?

Our solution is flexible and adaptable, and can save money and increase productivity for any business that needs PCI DSS compliance together with agile telephony.

On the high street and online, fraud prevention technologies and services are already well developed: encryption segregates card data between Chip and PIN devices and point-of-sale systems, and payment pages can be hosted by your Payment Service Provider (PSP). Neither approach can be deployed by a call centre for telephone payments, whose vulnerabilities fall into four distinct areas:

- The physical call centre environment
- Call and screen recordings
- The VoIP and telephony network
- Agent desktops and the data network

SIP with Semafone suits any size of business, from small businesses to large enterprises and government organisations, that currently has a PBX or unified communications solution. Remember that PCI DSS applies to every organisation that stores, processes or transmits cardholder data, whatever its size.
VOICE DATA MOBILE CONVERGENCE
Tel 0333 014 0111
Email gbc.marketing@gamma.co.uk
Web www.gamma.co.uk

We are a certified Carbon Neutral* company. This means you can demonstrate green credentials yourself: by working with us you have a solution that not only helps the environment but also enables you to become greener and conform to new Government environmental policies.

GS-09/15