Maintaining PCI compliance can be complex – especially when you consider the adaptations your business has made during the pandemic. As you implement hybrid work environments, these three tips can help you stay compliant.
Every business has had to make its own adjustments and adaptations during the pandemic, deploying new systems, processes, and technologies to address a multitude of challenges. One of the biggest shifts for many companies, especially as it relates to Payment Card Industry (PCI) compliance, was the move to a remote work or work-from-home (WFH) environment. Because reliance on remote technology can change or expand the cardholder data environment (CDE), the scope of PCI compliance can change as well – and with hybrid in-office and remote work business models becoming more prevalent, we can expect many of these scope changes to become permanent.
These tips can help companies take pandemic lessons learned and use them to help obtain or maintain PCI compliance moving forward:
1. Limit the scope of telephony to make the compliance process more manageable.
The PCI Security Standards Council’s “Information Supplement: Protecting Telephone-Based Payment Card Data” [1] points out that systems that store, process, or transmit cardholder data (CHD), together with any system connected to them or able to affect their security, are in scope for PCI assessments. This means any additional or new networks, systems, or devices (including those used by work-from-home employees) are in scope, including:
- WFH laptops that run softphones
- Voice over Internet Protocol (VoIP) servers
- Call recording systems
- VoIP architecture, including session border controllers (SBCs), Session Initiation Protocol (SIP) servers, and private branch exchange (PBX) devices
- Network devices for the segments in which these systems reside
Here are a few common strategies for telephony scope reduction:
- Outsource telephone-based payment card functions to a third-party service provider, or stop accepting payment cards by telephone altogether. Outsourcing shifts the work but not the accountability: the provider must be managed and its own PCI compliance validated.
- Segment the VoIP environment so that all telephony hardware sits in one network segment, and limit telephony scope to that segment. Segmentation only reduces scope if it is verified and tested as part of the assessment.
- Suppress or mask dual-tone multifrequency (DTMF) signaling, familiarly known as touch tone, which encodes each keypad digit as a pair of in-band audio tones. Masking the tones keeps card numbers keyed by the customer out of call recordings and agent audio.
- On-premises: host and manage the hardware and the associated services, processes, and CHD traffic of the VoIP environment in-house.
- Off-premises: host the hardware and the associated services, processes, and CHD traffic of the VoIP environment at a third-party location; the provider’s environment is then part of your scope and must be assessed or covered by the provider’s own attestation.
- Use “plain old telephone service” (POTS, traditional analog phone lines) or another out-of-band channel, which keeps the call audio, and therefore the CHD, off the IP network.
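The DTMF masking strategy above is the one item in the list that is a concrete signal-processing technique, so here is an added, illustrative implementation. It is not code from the article or from the PCI SSC supplement. It detects touch-tone digits in 8 kHz mono audio with a Goertzel filter and silences the frames that carry them, which is what a recording pipeline must do so that a keyed-in card number never lands in the stored call. The audio is constructed in memory (a two-tone stand-in for speech, then the digits 4111 with gaps); the frame size, the energy-ratio threshold and the one-frame safety padding are assumptions, not values from any standard.

```python
"""Detect and mask DTMF (touch-tone) digits in a PCM audio stream.

Added example, not from the original article or the PCI SSC supplement.
Input is assumed to be 8 kHz mono float samples in [-1, 1]; thresholds and
the frame size are illustrative assumptions for this demonstration.
"""
import math

SAMPLE_RATE = 8000           # narrowband telephony
FRAME = 205                  # Goertzel block size commonly used at 8 kHz
LOW_TONES = (697, 770, 852, 941)
HIGH_TONES = (1209, 1336, 1477, 1633)
KEYPAD = ("123A", "456B", "789C", "*0#D")   # rows = low tones, cols = high tones
MIN_FRAMES = 2               # ~51 ms, just above the 40 ms minimum tone length
ENERGY_RATIO = 0.1           # assumed threshold: tone power vs. frame energy


def goertzel_power(frame, freq):
    """Power of `frame` at the DFT bin nearest `freq` (second-order Goertzel)."""
    n = len(frame)
    k = int(0.5 + n * freq / SAMPLE_RATE)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def classify_frame(frame):
    """Return the DTMF digit sounding in this frame, or None for speech/silence."""
    energy = sum(x * x for x in frame)
    if energy < 1e-9:
        return None
    low = max(LOW_TONES, key=lambda f: goertzel_power(frame, f))
    high = max(HIGH_TONES, key=lambda f: goertzel_power(frame, f))
    # A clean DTMF frame puts roughly a quarter of its energy into each tone;
    # require both dominant tones to clear the (assumed) fraction of the total.
    for f in (low, high):
        if goertzel_power(frame, f) < ENERGY_RATIO * len(frame) * energy:
            return None
    return KEYPAD[LOW_TONES.index(low)][HIGH_TONES.index(high)]


def detect_digits(samples):
    """Return (digit_string, set_of_frame_indexes_carrying_dtmf)."""
    labels = [classify_frame(samples[i:i + FRAME])
              for i in range(0, len(samples) - FRAME + 1, FRAME)]
    digits, frames, start = [], set(), 0
    for idx in range(1, len(labels) + 1):           # group runs of equal labels
        if idx < len(labels) and labels[idx] == labels[start]:
            continue
        run = labels[start]
        if run is not None and idx - start >= MIN_FRAMES:
            digits.append(run)
            frames.update(range(start, idx))
        start = idx
    return "".join(digits), frames


def mask_dtmf(samples, pad_frames=1):
    """Silence every DTMF frame plus `pad_frames` neighbours on each side.

    The padding covers frames where a tone starts or ends mid-frame and is
    too short to be classified on its own; it is an assumed safety margin.
    """
    _, frames = detect_digits(samples)
    out = list(samples)
    for idx in frames:
        for j in range(idx - pad_frames, idx + pad_frames + 1):
            lo, hi = max(0, j * FRAME), min(len(out), (j + 1) * FRAME)
            for i in range(lo, hi):
                out[i] = 0.0
    return out


# ---- constructed sample input (not a real recording) -----------------------
def tone(freqs, seconds, amp=0.5):
    n = int(seconds * SAMPLE_RATE)
    return [sum(amp * math.sin(2 * math.pi * f * i / SAMPLE_RATE) for f in freqs)
            for i in range(n)]


def dtmf_digit(digit, seconds=0.1):
    row = next(r for r, keys in enumerate(KEYPAD) if digit in keys)
    col = KEYPAD[row].index(digit)
    return tone((LOW_TONES[row], HIGH_TONES[col]), seconds)


def build_call(digits="4111", speech_seconds=0.3):
    """'Speech' stand-in (300 Hz + 450 Hz), then keyed digits with 100 ms gaps."""
    audio = tone((300, 450), speech_seconds, amp=0.3)
    for d in digits:
        audio += dtmf_digit(d) + [0.0] * int(0.1 * SAMPLE_RATE)
    return audio


if __name__ == "__main__":
    call = build_call()
    print("digits in recording:", detect_digits(call)[0])          # 4111
    print("digits after mask:  ", repr(detect_digits(mask_dtmf(call))[0]))
```

Two design points matter for a compliance use case. First, detection works per frame against a relative energy threshold rather than an absolute level, so gain differences between calls do not change the outcome; on real recordings you would add the standard twist and harmonic checks to reject talk-off from speech. Second, the mask pads one frame on each side of every detected run: a tone that begins or ends partway through a frame may fall below the detection threshold, and leaving even a fragment of it in the recording would defeat the purpose of masking.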