Back in March the Council released an information supplement on the PCI SSC website entitled Protecting Telephone-Based Payment Card Data.

Téléphone, by zigazou76

Wait… MARCH you say? Brando, seriously, work on the timeliness of information.

Yeah, yeah… I hear ya. I tend to post about things that I see in my daily experiences, and frankly, I thought we had the telephone-based payment problems solved based on the Council’s official FAQ 5362 on the topic. While the answer seems pretty complete to me, the PDF above also includes several other elements that may be useful to companies dealing with telephone-based payment issues. On Page 6 you will find a flowchart designed to help companies break down complex environments into a series of Yes/No questions. By following the process, you will have a pretty clear idea of what you need to do to comply with PCI DSS.

You may not LIKE the answer you get, but at least you will have enough information to figure out how you will either secure the data, or change your business process to pull it out of scope of PCI DSS.

The next several pages contain tips helpful to people managing internal call centers, or handling third-party providers of these services. The real bonus here is that the flowchart holds up if you replace cardholder data with Electronic Health Records (EHR) and PCI DSS with HIPAA. You don’t have to stop there, you can keep replacing other data types with their associated regulations and you can at least get some idea on how you might have to secure it.

I think we can now finally put this issue to bed, and I encourage you all to read this information.

This post originally appeared on