VoIP is an important consideration for higher education institutions. In fact, your VoIP system could be bringing your entire network into PCI scope without you even realizing it. This is an even more pressing consideration as the PCI Council recently released new guidance regarding the protection of telephone-based payment card data.
Are you secure and compliant? Let’s find out.
The VoIP Shortcut
VoIP is an appealing payment option for colleges, universities, and on-campus merchants because it can host voice and data communications on the same network. With a uniform communication base that leverages existing network infrastructures, institutions can unify fax, voicemail, web conferences and more while cutting costs.
Since VoIP converts sound waves into digital “packets of data” and transmits them between IP addresses over the Internet, things get sticky when sensitive data (like payment information) is involved.
PCI Council Steps In
The PCI Council quickly took note of this data hazard in 2011 and reminded organizations that “PCI DSS requirements apply wherever account data is stored, processed, or transmitted.” What does that mean for on-campus merchants operating on VoIP? If phone calls include the transmission of cardholder data—whether spoken or keyed in—that data is in scope for PCI DSS.
More recently, the PCI Council has issued new guidance supported by two data points: 1) nearly half (44%) of US consumers have been the victim of a breach where their data was compromised, and 2) almost three quarters (72%) of contact centers accept card payments over the phone.
The guidance is meant to encourage organizations to move away from antiquated systems like pause-and-resume in favor of the more modern Dual Tone Multi Frequency (DTMF) masking technology. This newer technology prevents payment data from even entering the environment, eliminating breaches at the contact center level.
Higher education institutions that utilize VoIP systems for payments should be aware of the key tenets:
Card-not-present (CNP) fraud can happen with just the card number, expiry date, cardholder name, and possibly the CVV2, all of which are captured during telephone payment conversations with contact centers.
VoIP transmissions are in scope and require adequate protection like encryption.
Routing PCI data to just one agent or one call center renders the entire institution in scope. However, institutions can use firewalls to segment off the agents or departments that handle PCI data and reduce scope. This requires careful, thorough, and proper segmentation.
On-campus call center agents and others handling sensitive PCI data via VoIP (as well as those managing them) must be trained and managed according to PCI DSS.
All equipment involved in PCI data must be secure as well, even for remote workers.
Institutions that collect CVV2 must irretrievably erase the data post-call and prevent any manual records or copies from being made. Even where a need to retain call recordings exists, CVV2 must still be securely deleted when the call ends. Tokenization is the preferred security option here.
DTMF is absolutely in scope; however, DTMF masking/suppression can be used as a solution.
The guidance explicitly suggests call centers outsource to PCI DSS validated service providers as one way to minimize the amount of PCI data taken via telephony.
If DTMF bleed occurs (because DTMF detection reacts too slowly to suppress the tones), it could bring a descoped environment back into scope.
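To make the DTMF masking and DTMF bleed points concrete, here is an added example that is not part of the original post and not the code of any vendor product. It is a toy, standard-library-only detector and masker: keypad tones are found with the Goertzel algorithm on 20 ms frames, detected frames are replaced with silence, and a bleed metric measures how much of the tone still reached the output. The call audio, the 0.1 detection threshold, the confirmation ("debounce") delay and the look-ahead buffer are all constructed assumptions for illustration; the point it demonstrates is that a detector which waits several frames before acting lets the leading edge of the tone leak, and that delaying the outgoing audio by the same amount closes that gap.

```python
"""
Added example: toy DTMF detection and masking showing how slow detection
causes "DTMF bleed" and how a look-ahead buffer prevents it.
All signals are constructed; nothing here is telephony vendor code.
"""
import math

FS = 8000            # sample rate in Hz, typical for telephony audio
FRAME = 160          # 20 ms analysis frames
LOW = (697, 770, 852, 941)          # DTMF row frequencies
HIGH = (1209, 1336, 1477, 1633)     # DTMF column frequencies
KEYS = ["123A", "456B", "789C", "*0#D"]
DETECT_RATIO = 0.1   # assumed: normalised power needed at both the row and column tone


def goertzel_power(frame, freq):
    """Squared magnitude of `frame` at `freq`, via the Goertzel recurrence."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / FS)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def detect_key(frame):
    """Return the DTMF key present in `frame`, or None if no tone pair dominates."""
    energy = sum(x * x for x in frame)
    if energy == 0.0:
        return None
    n = len(frame)
    # Normalised so a clean dual tone scores roughly 0.25 at each of its two frequencies
    low = [goertzel_power(frame, f) / (n * energy) for f in LOW]
    high = [goertzel_power(frame, f) / (n * energy) for f in HIGH]
    r = max(range(4), key=low.__getitem__)
    c = max(range(4), key=high.__getitem__)
    if low[r] < DETECT_RATIO or high[c] < DETECT_RATIO:
        return None
    return KEYS[r][c]


def mask_dtmf(signal, confirm_frames=1, lookahead_frames=0):
    """Replace frames carrying a keypad tone with silence.

    A key is acted on only after `confirm_frames` consecutive hits (debouncing),
    which is where real detectors gain latency. `lookahead_frames` models an
    output delay line: frames already analysed but not yet sent can still be
    zeroed once the key is confirmed. Returns (masked_signal, confirmed_keys).
    """
    frames = [signal[i:i + FRAME] for i in range(0, len(signal), FRAME)]
    out = [list(f) for f in frames]
    keys, run, last = [], 0, None
    for i, f in enumerate(frames):
        k = detect_key(f)
        run = run + 1 if (k is not None and k == last) else (1 if k is not None else 0)
        last = k
        if k is not None and run >= confirm_frames:
            if run == confirm_frames:
                keys.append(k)
            # Zero this frame plus any unconfirmed tone frames still in the look-ahead buffer
            first = i - min(lookahead_frames, run - 1)
            for j in range(max(0, first), i + 1):
                out[j] = [0.0] * len(out[j])
    return [x for f in out for x in f], keys


def build_call_audio(key="5", tone_frames=(15, 20)):
    """Constructed 0.5 s of call audio: a speech-like background plus one keypad
    press of `key` occupying frames tone_frames[0] .. tone_frames[1]-1."""
    row = next(i for i, r in enumerate(KEYS) if key in r)
    col = KEYS[row].index(key)
    start, end = tone_frames[0] * FRAME, tone_frames[1] * FRAME
    sig = []
    for t in range(FRAME * 25):
        x = sum(0.3 * math.sin(2 * math.pi * f * t / FS) for f in (300, 500, 2300))
        if start <= t < end:
            x += math.sin(2 * math.pi * LOW[row] * t / FS)
            x += math.sin(2 * math.pi * HIGH[col] * t / FS)
        sig.append(x)
    return sig, start, end


def bleed_ms(masked, start, end):
    """Milliseconds of the keypad tone that reached the output unmasked."""
    leaked = sum(1 for x in masked[start:end] if abs(x) > 1e-6)
    return 1000.0 * leaked / FS


if __name__ == "__main__":
    sig, s, e = build_call_audio("5")
    for confirm, lookahead in ((1, 0), (3, 0), (3, 2)):
        masked, keys = mask_dtmf(sig, confirm, lookahead)
        print(f"confirm={confirm} frames, lookahead={lookahead} frames: "
              f"keys={keys}, bleed={bleed_ms(masked, s, e):.0f} ms")
```

Running it prints zero bleed for the instant detector, 40 ms of bleed when the detector waits three frames before acting, and zero again when a two-frame look-ahead lets the masker reach back and silence the frames it had already analysed. A real deployment would also need to cover the trade-off the page leaves implicit: the look-ahead adds the same 40 ms of delay to every call, which is the price of keeping the environment descoped.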
No Need for Panic
This new guidance may send you into a VoIP tailspin—but it doesn’t have to. It’s very possible to secure VoIP at a college or university and reduce PCI scope.
In fact, that’s our specialty.
We can help you create a robust VoIP architecture supported by hardware solutions for your entire campus.
Let us help you keep your students’ (and families’) sensitive cardholder data safe while reducing PCI scope with our PCI-validated P2PE solutions.