We have requested our call center agents stop recording. A call comes in and a constituent gives their full PAN over the phone and the agent enters it directly into the P2PE device. The phone is VoIP. What else needs to be done to secure the transmission via VoIP, if we are no longer recording?
@IndianajonesInteresting question, I would personally investigate the current security health of your VOIP system: How often is it audited and checked for security controls? Is managed by a third party? Is it a hosted solution managed by your organisation or by a third party on your behalf?
For expediency, there is some good advice from one of the vendors websites:
You can use the Secure Real-Time Transfer Protocol (SRTP), if it is enabled, but this only protects the communications itself, you need to also encrypt the storage system as well, and limit who has access to it.
Voice over IP systems are typically implemented in enterprises because they can help reduce cost and complexity by eliiminating separate technologies and physical infrastructure for voice and data communications.
Unfortunately, when voice packets containing Cardholder Data (whether spoken or audio-encoded, such as via DTMF tones), the VoIP system, the underlying IP network, and all of the systems etc. that are connected to it can become in-scope for PCI DSS, bringing potentially greater cost and complexity than it saves.
As a long time PCI QSA (P2PE) and PA-QSA (P2PE), I have assessed and validated many merchant environments, as well as solutions, software and systems designed for merchant environments, in which VoIP has played a role. While things have improved over the last few years as VoIP and networking vendors deliver more secure and performant methods of protecting CHD-carrying voice data traffic over shared infrastructure, it is important that entities begin by realizing that the VoIP system is in-scope, and then proceeding to not only ensure that all voice data travelling over internal (and potentially external) networks is encrypted (or carried over some other form of encrypting and isolating tunnel, such as IPSEC or VPN), but also that the endpoint systems, including call center supervisors' systems, and call management systems are included in PCI DSS scope -- and compliant.
Unfortunately, that also means that the use of a VoIP phone system, if it uses PC-based clients, will bring those clients into PCI scope -- when most likely, you've implemented a P2PE solution to take them out of scope.
The best source of guidance on this is the Protecting Telephone-based Payment Card Data Information supplement published by the PCI SSC. I was a member of the SIG that revised it late last year; feel free to reach out to me if you have questions.
Note -- I've had clients do quite a variety of ways of addressing the scope problems VoIP introduces; what might work best varies widely dependng on the role that accepting phone payments plays in your organization. Sometimes, for example, it's possible to isolate the acceptance of payments to a small, centrally located team, and equip them with a bank of traditional POTS phones, at least a short term fix.
Jim Scardelis, CISA, CISSP, PA-QSA(P2PE), PCI 3DS Assessor, PCI SSA, PCI SSLCA, PCIP, CIPP/US, CIPP/C, CIPP/E, CIPT, MCSE Any views or opinions contained in this communication are solely those of the author.