SIP Trunks. PCI compliance paired with agile and cost-effective telephony


What is PCI DSS compliance? What does this mean for you?

The Payment Card Industry Data Security Standard (PCI DSS) is the information security standard defined by the major card brands to combat fraud and protect consumer card data. The founding brands are Visa, MasterCard, American Express, Discover and JCB. PCI DSS applies to every organisation that stores, processes or transmits cardholder data from any of these brands' cards.

The type of annual validation required varies with the merchant level, which the card brands define by the number of payment transactions handled per year. Level 1 merchants, with over six million transactions a year, must have their annual compliance assessment carried out by an independent Qualified Security Assessor (QSA). Those handling between one and six million transactions are classed as Level 2 and can receive sign-off from an Internal Security Assessor (ISA), while the majority of companies, with fewer than one million transactions a year, are classed as Level 3 or Level 4 and can validate using a Self-Assessment Questionnaire (SAQ).

The current version of the standard (v3.1, released in April 2015 and the only valid version since 30 June 2015, when v3.0 was retired) specifies 12 requirements, organised into six control objectives:

Build and maintain a secure network and systems
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect cardholder data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks

Maintain a vulnerability management programme
5. Protect all systems against malware and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications

Implement strong access control measures
7. Restrict access to cardholder data by business need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data

Regularly monitor and test networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an information security policy
12. Maintain a policy that addresses information security for all personnel

The most effective and painless way of complying with PCI DSS is to minimise, or eliminate altogether, the customer card data held in the merchant's infrastructure.

SIP with Semafone from Gamma provides secure voice transactions for businesses taking Cardholder Not Present (CNP) payments.

Protecting your business from external and internal threats can seem an impossible task. You must seal any cracks in your infrastructure to prevent a data breach, and if you take payments over the phone you also need to make sure that no sensitive card data leaks from your telephony infrastructure into your IT environment. The PCI DSS is ultimately on your side: protecting your customers from fraud also protects your business from the reputational and financial damage that a data security incident would cause. With 327 controls to consider in total, it is vital to ensure you have every one of them covered.

The effects of non-compliance can be disastrous, both because of the very real financial risk of opportunistic agent fraud and because of the associated reputational damage. The consequences include:

- Compromise of your customers' payment data
- Damage to your brand and reputation
- Expensive lawsuits
- Insurance claims
- Lost customers
- Fines from the card schemes
- Fines from regulators

If the mention of PCI DSS compliance leaves you all at sea, you are not alone.

PCI compliance: why pause and resume is not sufficient

Pause and resume, where the agent stops the call recording while the customer reads out their card details, is a common choice for trying to remain compliant. It addresses only a single aspect of the problem, the recording, and leaves the card data passing through the agent, the telephony network, the agent desktop and the data network. With no protection against opportunistic agent fraud there are many stones left unturned. It is important to choose a product that addresses all of these risks rather than paying for one that leaves your business still vulnerable. Some merchants have also found that pause and resume, because it leaves gaps in their call recordings, does not meet the standards expected by the Financial Conduct Authority (FCA); the solution described below keeps the recording continuous.

[Diagram: merchant environment with pause and resume. The telephony, infrastructure, physical and merchant-environment areas all remain in scope for PCI DSS (risks shown in red); only the call recording itself is protected (shown in green). The Payment Service Provider sits outside the merchant environment.]

Our solution

SIP with Semafone from Gamma provides secure voice transactions for contact centres and retailers taking Cardholder Not Present (CNP) payments. It combines next-generation telephony with award-winning PCI compliance, and both aspects work to make your business more agile, productive and flexible.

Semafone is provided in the Gamma network, through your SIP trunks, and allows both the call and the call recording to continue as normal while the customer enters their card details on their telephone keypad. The Dual Tone Multi-Frequency (DTMF) tones from the cardholder's telephone are masked in the network and replaced with a flat tone, so the digits cannot be recognised by the agent or captured by the recorder. All card data is kept segregated from your environment, and Sensitive Authentication Data (SAD) is removed before it reaches the call recorder, taking your telephony and IT environment out of the scope of PCI DSS.

Because your systems never handle cardholder data, for PCI DSS purposes you are deemed to have outsourced the payment process. This takes you out of scope for many of the controls usually required to remain PCI DSS compliant. It is time to stop wasting money on partial solutions such as pause and resume that address only a single aspect of the problem.
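The DTMF masking step described above, as an added example that is not Gamma's or Semafone's code: a Goertzel-based DTMF detector run over 25.6 ms frames of 8 kHz PCM, replacing every frame that carries a keypad tone with a flat tone before the audio reaches the recorder, while the digits are extracted on the payment side. The frame size, detection thresholds, the 400 Hz replacement tone and the synthetic audio are assumptions made for this illustration.

```python
import math

# Telephony audio is 8 kHz narrowband PCM. A 205-sample frame (about 25.6 ms)
# is the classic Goertzel choice for DTMF because the eight tone frequencies
# then fall close to integer DFT bins (18, 20, 22, 24 and 31, 34, 38, 42).
# Frame size, thresholds and the 400 Hz replacement tone are assumptions made
# for this example, not parameters of the Gamma or Semafone service.
SAMPLE_RATE = 8000
FRAME = 205
LOW_TONES = (697, 770, 852, 941)       # keypad rows
HIGH_TONES = (1209, 1336, 1477, 1633)  # keypad columns
KEYPAD = ("123A", "456B", "789C", "*0#D")
FLAT_TONE_HZ = 400.0


def goertzel_power(frame, freq, rate=SAMPLE_RATE):
    """Squared magnitude of the DFT bin nearest `freq`, via the Goertzel algorithm."""
    n = len(frame)
    k = int(0.5 + n * freq / rate)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def detect_dtmf(frame):
    """Return the keypad character carried by `frame`, or None if it is not a DTMF tone."""
    n = len(frame)
    energy = sum(x * x for x in frame)
    if energy < 1e-9:                      # silence
        return None
    low = [goertzel_power(frame, f) for f in LOW_TONES]
    high = [goertzel_power(frame, f) for f in HIGH_TONES]
    row = max(range(4), key=low.__getitem__)
    col = max(range(4), key=high.__getitem__)
    peak = max(low[row], high[col])
    if peak <= 0.0:
        return None
    # A tone of amplitude A puts power (A*n/2)^2 into its bin and n*A^2/2 into
    # the frame energy, so a clean two-tone frame scores about 0.5 on this
    # ratio; speech and noise spread their energy across the spectrum and
    # score far lower. The 0.25 floor and the twist limit are assumptions.
    dominance = (low[row] + high[col]) / (n * energy)
    twist = min(low[row], high[col]) / peak
    if dominance < 0.25 or twist < 0.25:   # not two clean tones of similar level
        return None
    return KEYPAD[row][col]


def mask_dtmf(samples, flat_tone_hz=FLAT_TONE_HZ, amplitude=0.2):
    """Replace every DTMF-bearing frame with a flat tone.

    Returns (masked_audio, digits). The masked audio is what the agent, PBX and
    call recorder downstream should receive; the digits are what the payment
    side extracts before masking and must never reach the merchant environment.
    """
    masked, digits, last = [], [], None
    for start in range(0, len(samples), FRAME):
        frame = samples[start:start + FRAME]
        key = detect_dtmf(frame)
        if key is None:
            masked.extend(frame)           # speech passes through untouched
            last = None
            continue
        if key != last:                    # a held key spans several frames
            digits.append(key)
            last = key
        masked.extend(
            amplitude * math.sin(2.0 * math.pi * flat_tone_hz * (start + i) / SAMPLE_RATE)
            for i in range(len(frame))
        )
    return masked, digits


def synth(freqs, n, amplitude=0.5):
    """Constructed test audio: a sum of equal-amplitude sinusoids, n samples long."""
    return [
        amplitude * sum(math.sin(2.0 * math.pi * f * i / SAMPLE_RATE) for f in freqs)
        for i in range(n)
    ]


if __name__ == "__main__":
    # Constructed call fragment: speech-like tones, key '8' held for two frames, speech again.
    stream = synth((300, 1000), FRAME) + synth((852, 1336), 2 * FRAME) + synth((300, 1000), FRAME)
    audio, digits = mask_dtmf(stream)
    print("digits captured upstream:", digits)        # ['8']
    print("digits left in masked audio:",
          [detect_dtmf(audio[s:s + FRAME]) for s in range(0, len(audio), FRAME)])
```

A production detector additionally requires a tone to persist across consecutive frames (at least 40 ms) and a pause between presses before it counts a digit (this sketch collapses a held key into one digit, so "44" keyed without a gap counts once), and checks that the bins neighbouring the two peaks are quiet. The point the brochure makes is where the mask sits: the replacement happens in the carrier network, upstream of the SIP trunk, so nothing on the merchant side ever receives the tones. It also shows why the customer must key the digits rather than read them out: a spoken card number is not DTMF and passes through as speech.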

The results of SIP with Semafone

With the addition of SIP with Semafone, the controls have been addressed and all components in your environment downstream of the hosted solution are de-scoped. Taking these areas out of scope for PCI DSS reduces the number of controls from 327 to 14. The remaining controls concern managing your service provider (PCI DSS requirement 12.8) and can be satisfied by providing your QSA with evidence that you do so; agree the scope reduction with your QSA rather than assuming it.

How does it work?

Gamma SIP Trunking is a direct replacement for ISDN. It connects your PBX to Gamma's network, enabling full PSTN breakout on the public telephone network. Connection from your site (or sites) to our network is via an IP connection (for example broadband or Ethernet) and is delivered as an end-to-end service with an availability guarantee, voice channel guarantees and voice Quality of Service.

Semafone is deployed within the Gamma SIP trunking infrastructure rather than on your premises, so the payment capture is completely outsourced. Because the hosted Semafone service is what captures and transmits the card data, it, rather than your environment, is the component in scope for PCI DSS.

[Diagram: the caller's voice and DTMF enter the Gamma network, where DTMF tone masking takes place and the card data is passed to the Payment Service Provider (PSP) inside a PCI secure zone. The Gamma SIP trunks then deliver the call to the customer premises with the DTMF masked and no card data present, so the PBX, IVR, call and screen recorder, VoIP and data networks are now out of scope for PCI DSS.]

Why choose SIP with Semafone from Gamma?

Flexibility with phone numbers
SIP trunking enables you to move office and keep the same geographic number without any ongoing call-forwarding costs or the cost of producing new company stationery.

PCI compliance
SIP with Semafone from Gamma can vastly reduce the cost of being PCI compliant, give your customers reassurance and protect your business while reducing the risk of fraud.

Line rationalisation
For businesses with multiple sites, SIP trunking provides the opportunity for line rationalisation and reduces the number of PBXs you need to maintain, while retaining full control of the numbers associated with your business.

Save money
IP connectivity costs less than ISDN, with lower call costs, free internal calls between extensions and offices, and lower line rental costs for multi-site businesses. No expensive call forwarding is required should you relocate or need to divert calls in the event of a disaster. In addition, the built-in Semafone solution considerably reduces the cost of remaining PCI DSS compliant (by up to 80%), not to mention the potential cost of large fines if you are found to be non-compliant.

Customer service
With no negative impact on staff working conditions, and complete flexibility and assurance for your customers and staff, the solution helps you maintain an outstanding level of customer service.

One supplier for both telephony and PCI compliance
If your business has both of these requirements, it makes financial and operational sense to unify your providers, giving you one port of call for both functions.

Business continuity
If your office has to be temporarily relocated in an emergency, this can be achieved quickly and cost-effectively with SIP trunking to keep your business working.

Improved internal processes
Clean-room restrictions, such as banning mobile phones, searching employees and in some instances removing pens and paper, can be both dehumanising and stressful for employees. Because DTMF masking keeps the card data away from the agent, these restrictions can be lifted, leaving the employee free to focus on their customers. Many contact centres have also implemented omnichannel strategies that include social media as part of their customer relations.

Who is SIP with Semafone aimed at?

Our solution is a flexible and adaptable option that can save money and increase productivity for any business that needs PCI DSS compliance and agile telephony.

On the high street and online, fraud prevention technologies and services are already well developed: encryption segregates card data between Chip and PIN devices and point-of-sale systems, and payment pages can be hosted by your Payment Service Provider (PSP). Neither of these approaches can be deployed by a call centre for telephone payments, whose vulnerabilities fall into four distinct areas:

- The physical call centre environment
- Call and screen recordings
- The VoIP and telephony network
- Agent desktops and the data network

SIP with Semafone is suitable for any size of business, from small businesses to large enterprises and government organisations, that currently has a PBX or unified communications solution. PCI DSS applies to all organisations that store, process or transmit cardholder information.

VOICE DATA MOBILE CONVERGENCE

Tel 0333 014 0111
Email gbc.marketing@gamma.co.uk
Web www.gamma.co.uk

We're a certified Carbon Neutral* company. This means you can demonstrate green credentials yourself: by working with us you have a solution that not only helps the environment but also enables you to become greener and conform to new Government environmental policies.

GS-09/15