PCI DSS Scope Reduction

Taking card payments over the telephone is a challenge for any business entity. Simply listening to the customer speaking their payment card details over the telephone brings the business entity into the full scope of payments compliance and the Payment Card Industry Data Security Standard (PCI DSS).

PCI DSS applies to all entities (other than the card schemes and telephony carriers*) that store, process and/or transmit payment card data.

For some entities with flat networks and without robust network segmentation, listening to customer payment card details in the course of a telephone-based transaction can often mean that the entity’s entire infrastructure is within the scope of all 12 PCI DSS Requirements.

Our approach of ‘taking risk off the table’ to ‘devalue the data’ helps reduce the time, effort and cost of achieving and maintaining PCI DSS compliance by preventing spoken payment card data from entering the entity’s environment.

Generically such technologies can be termed ‘Card Capture Solutions’ or ‘PCI DSS Scope Reduction Applications’ and typically rely on the customer using their telephone handset keypad to input sensitive cardholder data. The ‘tones’, referred to as Dual-Tone Multi-Frequency (DTMF) signalling, can be routed directly to the Payment Service Provider (PSP), allowing the contact centre agent to confirm a successful transaction without hearing or seeing the customer’s sensitive cardholder data (CHD).

Deploying a ‘Card Capture Solution’ means that the entity no longer processes and/or transmits payment card data within its environment and may mean (in the absence of any stored call recordings) that ONLY Requirement 12 would continue to apply, thus reducing the scope of PCI DSS compliance.

*Subject to the service the telephony carrier is providing

One simple compliance and customer experience objective, many different technology solutions.

There are numerous technologies capable of full or partial PCI DSS scope reduction in use across business entities’ telephone environments today, from many technology vendors, each wanting to put themselves above the next. In general, they fall into three categories:

  • Type 1. ATTENDED – where the agent remains in direct voice contact with the customer for the entire duration of the transaction. Often described generically as DTMF applications or DTMF solutions.
  • Type 2. UNATTENDED – where the agent does not remain in direct voice contact with the customer for the entire duration of the transaction. Can also be called DTMF applications or solutions and more often described as Interactive Voice Response (IVR) or automated voice payment solutions.
  • Type 3. PARTIAL – partial scope reduction where only part of the telephone environment is taken out of scope, which means applying ALL Requirements and controls to the reduced cardholder data environment (CDE). Automated Pause/Resume or Automated Stop/Start is a good example of a technology that partially reduces scope by taking the call recorder and call recording storage out of scope.
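To make the difference between the ATTENDED (Type 1) and PARTIAL (Type 3) categories concrete, here is a small simulation of a call event stream. It is an added example, not code from the page or from any vendor’s product: the call, the event format, the masked tone and the test card number (a constructed value) are all assumptions. In the attended path the DTMF digits are diverted to the PSP side and the agent hears only a masked tone; in the pause/resume path the recorder is simply suppressed between the pause and resume markers, so the recording is out of scope but the agent’s live audio is not.

```python
"""Simulated call handling for DTMF card capture (added example, not the page's own code)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed placeholder for the flat/masked tone the agent hears instead of a keypad digit.
MASK_TONE = "#"


@dataclass(frozen=True)
class CallEvent:
    kind: str          # "speech", "dtmf", "pause" or "resume" (hypothetical event model)
    payload: str = ""  # spoken text, or the single DTMF digit


def luhn_ok(pan: str) -> bool:
    """Luhn check used by the PSP side to reject mis-keyed card numbers early."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:       # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS display masking: at most the first six and last four digits are shown."""
    if len(pan) <= 10:
        return "*" * len(pan)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def attended_capture(events: List[CallEvent]) -> Tuple[List[str], str]:
    """Type 1 (ATTENDED): the agent stays on the call, DTMF digits are diverted to the PSP."""
    agent_hears: List[str] = []
    psp_digits: List[str] = []
    for ev in events:
        if ev.kind == "dtmf":
            psp_digits.append(ev.payload)   # digit goes only to the PSP-facing buffer
            agent_hears.append(MASK_TONE)   # agent's audio path gets a masked tone
        elif ev.kind == "speech":
            agent_hears.append(ev.payload)  # normal conversation passes through unchanged
    return agent_hears, "".join(psp_digits)


def pause_resume_recording(events: List[CallEvent]) -> List[str]:
    """Type 3 (PARTIAL): the call recorder is suppressed between pause and resume markers."""
    recorded: List[str] = []
    recording = True
    for ev in events:
        if ev.kind == "pause":
            recording = False
        elif ev.kind == "resume":
            recording = True
        elif recording:
            recorded.append(ev.payload)     # note: digits would be recorded if pause never fired
    return recorded


# Constructed sample call: speech, a paused section in which the customer keys a test PAN, speech.
SAMPLE_CALL: List[CallEvent] = [
    CallEvent("speech", "agent: please key in your card number"),
    CallEvent("pause"),
    *[CallEvent("dtmf", d) for d in "4111111111111111"],   # well-known test card number
    CallEvent("resume"),
    CallEvent("speech", "agent: thank you, the payment was approved"),
]


def run_sample(events: List[CallEvent] = SAMPLE_CALL) -> Dict[str, object]:
    """Run both scope-reduction paths over the sample call and return what each side sees."""
    agent_hears, pan = attended_capture(events)
    return {
        "agent_hears": agent_hears,            # no digits reach the agent's audio
        "pan_valid": luhn_ok(pan),             # PSP-side validation of the captured PAN
        "agent_display": mask_pan(pan),        # what a confirmation screen may show
        "recorded": pause_resume_recording(events),  # recorder never stored the digits
    }


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

The two paths fail differently, which is the point of the Type 1 versus Type 3 distinction: `attended_capture` never lets a digit reach the agent’s audio regardless of timing, whereas `pause_resume_recording` depends on the pause marker firing before the first digit, so a late trigger leaves CHD in the recording and the recorder back in scope.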

The key point is that technology selection should be part of an overall plan to fully align current and future compliance obligations with existing plans, commitments and customer experience preferences.

Card Capture: Key Features

  • Can be provided as a stand-alone service, following a Locate solution, part of a Prepare and Provision solution or as part of an ongoing Managed Service
  • As a stand-alone service includes full business requirements documentation outlining key risks and dependencies
  • Also can include business case development, vendor selection and contracting support
  • Can also provide full programme management and ongoing vendor management as part of an overall compliance service
  • Typically used alongside our Data Discovery services and, should there be an ongoing requirement for PCI DSS compliant access to historical call recordings after implementation of the PCI DSS Scope Reduction service, our Stored Call Recordings service