As you may be aware, some communications infrastructure and services, such as Plain Old Telephone Service (POTS) connections, may no longer be available to consumers. The reason: carriers aren't obligated to maintain them. This is in accordance with Federal Communications Commission (FCC) order 19-72A1, which was released on August 2, 2019, and recently came into effect in August this year (2022).
The challenge is understanding the full impact and being able to mitigate any associated risks or system failures that may result. Many older emergency systems, including intercoms, private security systems, and fire alarms, still rely on POTS. What many businesses may not be aware of is that there could also be an impact on payments data security, specifically relating to Payment Card Industry Data Security Standard (PCI DSS) compliance.
Impacts on PCI DSS Compliance
The PCI Security Standards Council uses PCI DSS as the primary data security standard. It is used by most payment card brands including Mastercard, Discover, Visa, and American Express to protect payment card data.
While it's a standard rather than a regulation, the major credit card companies have required businesses that hold, process, transmit, or secure payment card data to adhere to PCI DSS. Historically, non-compliance has been met with fines or increased transaction costs. In addition, card brands have the authority to bar non-compliant merchants from taking payments using their cards. Extended non-compliance can even lead to an organization gradually being forced out of business.
The link between the POTS switch-off and PCI DSS compliance relates to what was an exception to the compliance requirement. While technically all networking components, including routers, switches, etc., fall under PCI DSS requirements (because of their ability to transmit card payment data), the PCI didn't require organizations to include POTS systems in their scope of networking components. This was because the risk of a successful attack against these systems was considered minimal. That level of risk has changed as networks migrate to VoIP solutions or to systems using a Point of Interaction (POI) device.
Now, with the new FCC Order 19-72A1, organizations that have upgraded and migrated their systems must consider the possible regulatory consequences under PCI DSS. Any data traversing the network, including voice and payment card data, must be adequately protected. This is a significant change from the past, when POTS systems were not required to be in scope for PCI DSS compliance.
How to retain PCI DSS compliance
If an organization's phone provider has already made the upgrades in line with PCI DSS standards, there's little cause for concern. But for IP-based connections on an organization-controlled network, ensuring compliance will be the organization's responsibility.
For POI devices connected over POTS, it's recommended to complete Self-Assessment Questionnaire B (SAQ B). For POI devices connected over IP, SAQ B-IP applies; it adds further requirements related to network and networking equipment security.
Understanding the PCI requirements can help you know what options are available to ensure you stay compliant. Logically's Telecom team can help you determine what type of service will work best for your business and help you find a compliant solution. In addition, our team can assist with any questions related to PCI DSS compliance or network security.
If you need assistance understanding how this transition may affect your business, or determining what steps you will need to take to remain compliant with PCI DSS, please contact us here. Logically's Telecom team will help you find the best option for your business.