The Federal Communications Commission (FCC) released order 19-72A1 on August 2, 2019. This order mandated that all US Plain Old Telephone Service (POTS) connections needed to be replaced with alternative services by August 2, 2022. POTS phone systems are what most of us think of as standard landlines, and many organizations are moving to Voice over IP (VoIP) solutions. This deadline is fast approaching, and many organizations are worried about how it may affect some legacy emergency systems such as fire alarms. These types of systems were designed to run on analog phone lines and may not be capable of a direct transition to an entirely digital phone system. However, something many organizations may not be considering is how this FCC order may affect their Payment Card Industry Data Security Standard (PCI DSS) compliance.

What is PCI DSS?

PCI DSS is the foundational standard created by the PCI Security Standards Council (PCI SSC) and is leveraged by the payment card brands (Visa, Mastercard, Discover, American Express, JCB and UnionPay) to secure payment card data. The payment card brands require organizations which store, process, transmit or secure payment card data to adhere to the PCI DSS. Failure to adhere to the PCI DSS can result in punishments such as fines or increased transaction rates. The payment card brands also hold the right to prevent non-compliant organizations from accepting payments using their respective cards. PCI DSS is not a law, but maintaining compliance can be just as important since the ramifications of extended non-compliance could force an organization to go out of business.

PCI DSS and Telephone-Based Payment Card Data

Within an organization, PCI DSS applies to systems, processes, and people that store, process, transmit, or secure payment card data. This includes any networking components, such as switches, routers, and firewalls, that are used to transmit payment card data. However, there has historically been an exception for POTS phone systems. Due to the minimal risk of a successful attack against a POTS system, organizations have generally not been required to include any POTS systems in their PCI scope, even if they use the system to transmit payment card data. For instance, organizations using point-of-interaction (POI) devices that connect directly into a POTS phone line would only need to consider the security of the POI device, not the POTS system. Similarly, organizations that take phone payments over a POTS system would also not need to include their POTS system in their compliance efforts. However, if the FCC mandate forces such an organization to move to a VoIP solution, they will need to consider the compliance implications. Any time you transmit credit card information on a network, that network becomes part of your PCI scope, regardless of whether the transmission is data or voice. If you connect a POI device into a network, that network needs to be taken into consideration for PCI compliance, and the same goes for a VoIP system used to accept phone payments. Learn more about how the PCI Security Standards Council protects telephone-based payment card data: https://www.pcisecuritystandards.org/documents/Protecting_Telephone_Based_Payment_Card_Data_v3-0_nov_2018.pdf?agreement=true&time=1652890151404

How will the FCC order impact my organization’s PCI compliance?

If your phone provider is responsible for making any changes required by the FCC order and no changes are required to be completed directly by your organization, then you may not need to do anything differently regarding the PCI compliance of your phone system. However, if your phones or POI devices are moving to IP-based connections on a network within your control, then you will need to consider the PCI implications. If you have had POI devices connected via POTS, you may have been able to complete the Self-Assessment Questionnaire B (SAQ B). The SAQ B includes a subset of the requirements from the PCI DSS and does not include any network-related requirements. If the FCC order forces you to move to POI devices that connect to your network, you will likely need to complete the SAQ B-IP. The SAQ B-IP includes additional requirements, including ones pertaining to the security of the network and networking equipment.

Next Steps

The links below provide frequently asked questions from the PCI Security Standards Council to help you determine your PCI compliance obligations. Even if you do not think you will need to implement any changes, you should confirm this with your bank or acquirer as they are ultimately responsible for the compliance of any merchants that use them for payment processing. If you are unsure, you can always reach out to LBMC Cybersecurity and we can help you determine if this mandate will affect you or not. It can be difficult to determine exactly what an organization’s scope is, and banks/acquirers are generally not able to provide detailed insight into your environment. Scoping is something we specialize in, and we have assisted many organizations in accurately determining and documenting their scope. Contact us today to learn how we can help.

Content provided by LBMC Cybersecurity professional, Kyle Hinterberg.