PCI DSS Compliance Guide for Contact and Call Centres
Contact centres routinely handle payment data such as credit or debit card numbers, CVVs and PINs. This kind of sensitive data is a prime target for cybercriminals worldwide, which makes it imperative for contact centres to implement robust security measures that protect access to this data.
Enhanced contact centre security will also reduce a company’s fraud exposure (internal & external risks).
PCI DSS is the globally mandated security standard for securing credit card numbers. Organisations that achieve PCI DSS compliance reduce the risk of data loss through a data breach and, when compliance is done correctly, can also improve operational efficiency in ways that enhance the customer experience.
PCI DSS standards are governed by the Payment Card Industry Security Standards Council (https://www.pcisecuritystandards.org/), a global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection. The recent update to the PCI DSS standard, released in May 2018, mandates twelve security requirements. The requirements are:
- Requirement 1: Install and maintain a firewall configuration to protect cardholder data
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
- Requirement 3: Protect stored cardholder data
- Requirement 4: Encrypt transmission of cardholder data across open, public networks
- Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
- Requirement 6: Develop and maintain secure systems and applications
- Requirement 7: Restrict access to cardholder data by business need to know
- Requirement 8: Identify and authenticate access to system components
- Requirement 9: Restrict physical access to cardholder data
- Requirement 10: Track and monitor all access to network resources and cardholder data
- Requirement 11: Regularly test security systems and processes
- Requirement 12: Maintain a policy that addresses information security for all personnel
All twelve requirements are needed and work in tandem to enhance security end to end. However, Requirements 3, 4, 7, 9 and 10 impact contact and call centres specifically.
PCI DSS requirements as applicable to Contact Centre Solutions
Contact centres provide specific challenges when it comes to achieving PCI DSS compliance for the following reasons.
- Payment data is transmitted over multiple channels such as telecommunication networks (landline, VoIP), cellular networks and the internet.
- Payment data comes in various formats such as text, images and audio.
- Many contact centre specific systems and protocols such as IVRs, call recorders, DTMF and SIP need to co-exist and interoperate.
- Human contact is involved at various points in the collection of sensitive credit card data.
As mentioned earlier, PCI DSS Requirements 3, 4, 7, 9 and 10 impact contact centres specifically. They can be broadly classified as “protecting data at rest and in motion” and “restricting human access to the data”.
Protecting Data at Rest and Data in Motion
Requirements 3 (protect stored data) and 4 (encrypt the transmission of data) deal with safeguarding data both in transit and where it is stored. Organisations need to ensure that their payment systems keep the data secure even if cybercriminals attempt to hack into the system. They also deal with making sure data transmitted over public networks cannot be intercepted. The requirements are outlined below.
Requirement 3: Protect stored cardholder data
Protection methods such as tokenisation, encryption, truncation, masking, and hashing are critical components of cardholder data protection. If an intruder circumvents other security controls and gains access to encrypted data, without the proper cryptographic keys, the data is unreadable and unusable to that person. Other useful methods of protecting stored data should also be considered as potential risk mitigation opportunities. For example, methods for minimising risk include not storing cardholder data unless necessary, tokenisation, truncating cardholder data if full PAN is not needed, and not sending unprotected PANs using end-user messaging technologies, such as e-mail and instant messaging.
As such, companies should:
- Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes.
- Not store sensitive authentication data after authorisation (even if encrypted). If sensitive authentication data is received, render it unrecoverable once the authorisation process completes.
- Document and implement procedures to protect the keys used to secure stored cardholder data against disclosure and misuse.
- Thoroughly document and implement all key-management processes and procedures for the cryptographic keys used to encrypt cardholder data.
- Ensure that security policies and operational procedures for protecting stored cardholder data are documented, in use, and known to all affected parties.
- Replace credit card numbers held on-premise with tokens that have no financial value.
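To make the protection methods above concrete, here is an added Python example (not IPSI's code and not part of the PCI DSS text) showing truncation for storage, masking for display, a keyed hash for matching a PAN without keeping it, and a tokenisation vault, plus the post-authorisation step that drops the CVV. The function names, the token format and the CapturedPayment shape are assumptions made for this example.

```python
"""Hypothetical cardholder-data protection helpers: truncation, masking,
keyed hashing and tokenisation. Added example, not IPSI code."""
from __future__ import annotations

import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

PAN_RE = re.compile(r"^\d{13,19}$")


def normalise_pan(pan: str) -> str:
    """Strip spaces and dashes, then check the result looks like a PAN (13-19 digits)."""
    digits = re.sub(r"[\s-]", "", pan)
    if not PAN_RE.match(digits):
        raise ValueError("not a PAN")
    return digits


def luhn_valid(pan: str) -> bool:
    """Luhn check digit: rejects mistyped numbers before they reach any store."""
    total = 0
    for i, ch in enumerate(reversed(normalise_pan(pan))):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Truncation for storage: keep at most the first six and last four digits.
    The middle digits are discarded, so the full PAN cannot be recovered."""
    d = normalise_pan(pan)
    return d[:6] + "*" * (len(d) - 10) + d[-4:]


def mask_for_display(pan: str) -> str:
    """Masking for agent screens: only the last four digits are shown."""
    d = normalise_pan(pan)
    return "*" * (len(d) - 4) + d[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) for matching a PAN without storing it.
    The key must be managed like an encryption key: an unkeyed hash of a PAN
    can be brute-forced because the space of valid PANs is small."""
    return hmac.new(key, normalise_pan(pan).encode(), hashlib.sha256).hexdigest()


class TokenVault:
    """Replaces PANs with random tokens that have no financial value.
    Assumed design: the vault runs in a segmented, PCI-scoped service and
    detokenise() is exposed only to the payment gateway integration."""

    def __init__(self) -> None:
        self._pan_by_token: Dict[str, str] = {}
        self._token_by_pan: Dict[str, str] = {}

    def tokenise(self, pan: str) -> str:
        d = normalise_pan(pan)
        if d in self._token_by_pan:
            return self._token_by_pan[d]  # same card, same token: repeat customers can be matched
        token = "tok_" + secrets.token_urlsafe(18)  # random, so nothing about the PAN leaks
        self._pan_by_token[token] = d
        self._token_by_pan[d] = token
        return token

    def detokenise(self, token: str) -> str:
        return self._pan_by_token[token]


@dataclass
class CapturedPayment:
    """Constructed shape of what a payment capture step hands over."""
    pan: str
    cvv: Optional[str]
    expiry: str


def record_after_authorisation(payment: CapturedPayment, vault: TokenVault) -> dict:
    """What may persist once authorisation completes: a token, a truncated PAN
    and the expiry. The CVV is sensitive authentication data and is dropped."""
    record = {
        "token": vault.tokenise(payment.pan),
        "pan_truncated": truncate_pan(payment.pan),
        "expiry": payment.expiry,
    }
    payment.cvv = None  # drop the CVV from the in-memory object as well
    payment.pan = ""    # and the full PAN; only the vault still holds it
    return record
```

The difference between truncate_pan and mask_for_display is where the output lives: a truncated PAN is what gets written to disk (the middle digits are gone for good), while a mask is what an agent's screen shows of a PAN that exists only inside the vault. The keyed hash allows a PAN to be matched against an earlier one without keeping it, and its key falls under the same key-management procedures as the encryption keys listed above.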
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Sensitive information must be encrypted during transmission over networks that are easily accessed by malicious individuals. Misconfigured wireless networks and vulnerabilities in legacy encryption and authentication protocols continue to be targets of malicious individuals who exploit these vulnerabilities to gain privileged access to cardholder data environments.
- Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks.
- Never send unprotected PANs by end-user messaging technologies (for example, e-mail, instant messaging, SMS, chat).
- Ensure that security policies and operational procedures for encrypting transmissions of cardholder data are documented, in use, and known to all affected parties.
In a nutshell, do not store or access the payment data if it isn’t necessary. If you have to, make sure it is stored securely, and all data transmission is end-to-end encrypted.
This may sound straightforward, but it’s important to remember that end-to-end transmission includes voice calls over telephone lines, data entered on websites and data entered in mobile apps over cellular networks. It also includes voice communication between customers and call centre agents, which is often recorded.
There are many encryption methods for data transmitted on the Internet. However, protecting telephone-based data is more complicated than Internet data and requires particular focus. The PCI SSC provides a supplement that deals with this: PCI DSS Supplement.
Restrict Human Access to Data
A significant portion of cybercrime is attributed to human error. In fact, the most recent Notifiable Data Breaches Quarterly Statistics Report (1 April 2018 – 30 June 2018), released by the Office of the Australian Information Commissioner, identified that 36% of total data breaches were due to human error.
These errors fall into one of three categories:
- Malicious – deliberately stealing credit card data.
- Socially engineered – unwittingly falling victim to a phishing attack or similar.
- Behavioural – accidentally disclosing sensitive data, either verbally or by email.
Contact centre agents, through their interaction with customers, are more likely to be exposed to sensitive payment data, which increases the risk of a potentially reportable data breach.
PCI DSS requirements 7 (restrict access to data) and 9 (restrict physical access to data) are there to ensure that this risk is minimised.
To meet Requirement 7, contact centre payment systems need role-based access control and the ability to implement rules and security policies. The details of Requirement 7 are below.
Requirement 7: Restrict access to cardholder data by business need to know
To ensure critical data can only be accessed by authorised personnel, systems and processes must be in place to limit access based on a need to know basis and according to job responsibilities. “Need to know” is when access rights are granted to only the least amount of data and privileges needed to perform a job.
- Limit access to system components and cardholder data to only those individuals whose job requires such access.
- Establish an access control system for system components that restricts access based on a user’s need to know, and is set to “deny all” unless access is specifically allowed.
- Ensure that security policies and operational procedures for restricting access to cardholder data are documented, in use, and known to all affected parties.
Requirement 9 deals largely with traditional site and physical security. However, to control physical access to the data, contact centre solutions also need to mask or hide any payment data that humans could access, including on-screen displays, live audio calls and call recordings. All access to data also needs to be logged and monitored (Requirement 10).
Requirement 9: Restrict physical access to cardholder data
Any physical access to data or systems that house cardholder data provides the opportunity for individuals to access devices or data and to remove systems or hard copies, and should be appropriately restricted.
- Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.
- Develop procedures to easily distinguish between onsite personnel and visitors.
- Control physical access for onsite personnel to sensitive areas.
- Implement procedures to identify and authorise visitors.
- Physically secure all media.
- Maintain strict control over the internal or external distribution of any media.
- Maintain strict control over the storage and accessibility of media.
- Destroy media when it is no longer needed for business or legal reasons.
- Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution.
- Ensure that security policies and operational procedures for restricting physical access to cardholder data are documented, in use, and known to all affected parties.
Finally, to support monitoring and audit needs, contact centre solutions need to provide detailed inbuilt access logs. Requirement 10 is elaborated below.
Requirement 10: Track and monitor all access to network resources and cardholder data
Logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimising the impact of a data compromise. The presence of logs in all environments allows thorough tracking, alerting, and analysis when something does go wrong.
The processes required by Requirements 10 (audit), 11 (test systems) and 12 (maintain a security policy) supplement these controls; however, they are ineffective if the payment system does not provide the infrastructure needed to implement the measures.
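As an added example covering both Requirement 7 (need to know, with a “deny all” default) and Requirement 10 (log every access), here is a small Python access-control class, written for this guide and not taken from IPSI or the PCI SSC, that grants only what a role explicitly lists, writes every decision to an audit log, and includes a simple rule that flags users who accumulate denied requests. The role table, the resource and action names and the log format are constructed for the example.

```python
"""Hypothetical need-to-know access control with a deny-all default and an
audit trail. Added example, not IPSI code."""
from __future__ import annotations

import json
import time
from collections import Counter
from typing import Callable, Dict, FrozenSet, Iterable, List, Tuple

Permission = Tuple[str, str]  # (resource, action)

# Constructed role table. A role holds only the permissions its job needs;
# anything not listed here is denied, and there is no wildcard entry.
ROLE_PERMISSIONS: Dict[str, FrozenSet[Permission]] = {
    "agent": frozenset({("payment", "create"), ("payment", "view_masked")}),
    "supervisor": frozenset({("payment", "view_masked"), ("payment", "refund"),
                             ("recording", "play")}),
    "auditor": frozenset({("audit_log", "read")}),
    # Only the gateway integration may turn a token back into a full PAN.
    "gateway": frozenset({("payment", "detokenise")}),
}


class AccessControl:
    def __init__(self, role_permissions: Dict[str, FrozenSet[Permission]],
                 clock: Callable[[], float] = time.time) -> None:
        self._perms = role_permissions
        self._clock = clock  # injectable so tests get a fixed timestamp
        self.audit_log: List[dict] = []

    def is_allowed(self, roles: Iterable[str], resource: str, action: str) -> bool:
        """Deny all unless some held role explicitly lists (resource, action).
        Unknown roles contribute nothing, so they cannot widen access."""
        return any((resource, action) in self._perms.get(r, frozenset()) for r in roles)

    def check(self, user: str, roles: Iterable[str], resource: str, action: str,
              object_id: str) -> bool:
        """Make the decision and log it, whether allowed or denied (Requirement 10)."""
        roles = sorted(set(roles))
        allowed = self.is_allowed(roles, resource, action)
        self.audit_log.append({
            "ts": self._clock(), "user": user, "roles": roles, "resource": resource,
            "action": action, "object": object_id,
            "result": "ALLOW" if allowed else "DENY",
        })
        return allowed


def export_log_lines(log: List[dict]) -> List[str]:
    """One JSON object per line, ready for shipping to a central log collector."""
    return [json.dumps(entry, sort_keys=True) for entry in log]


def repeated_denials(log: List[dict], threshold: int) -> Dict[str, int]:
    """Users with at least `threshold` denied requests: a simple alerting rule
    for an account probing beyond its need to know."""
    counts = Counter(e["user"] for e in log if e["result"] == "DENY")
    return {user: n for user, n in counts.items() if n >= threshold}
```

The important property is that is_allowed never consults a default-allow path: an empty role list, a misspelt role or an action nobody thought to list all resolve to a denial, and the denial is logged just like a grant, which is what makes repeated_denials possible as a monitoring rule.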
Where to from here?
Achieving PCI DSS compliance within a contact centre may appear challenging and potentially costly based on the requirements outlined in this post.
However, the consequences and potential impact of a data breach on a business mean that PCI DSS compliance is a must-have, not a nice-to-have. Governments worldwide are now legislating to make it mandatory for businesses to put secure systems in place to protect customer data. Such legislation includes:
- Australia: Notifiable Data Breach Scheme (became law on 22 February 2018)
- Europe: General Data Protection Regulation (became law on 25 May 2018)
- China: Cybersecurity Legislation (became law in June 2017)
- United States: NIST Cybersecurity Framework (became Government policy in 2018)
Thankfully, the pathway to PCI DSS compliance in contact centres is more straightforward when you work with IPSI to implement their PCI DSS Level 1 compliant payment solutions. These include:
AgentSecure: AgentSecure is a cloud-based PCI DSS compliant solution that removes contact centre agents from PCI scope by ensuring agents do not see or hear customer credit card payment data when payment is collected via a call centre. (Requirements 7 and 9)
Find out more: AgentSecure
Enterprise Payment Solutions: IPSI provides payments solutions to the enterprise market that allow flexibility, scalability and help enterprises achieve PCI DSS compliance.
Find out more: Enterprise Payment Solutions
PCI DSS Remediation: IPSI helps enterprises that need to achieve PCI DSS compliance by implementing data security measures within their payments environment. This can include PCI DSS tokenisation projects. (Requirements 3 and 4)
Find out more: PCI DSS Remediation
IPSI is in the business of helping businesses achieve security compliance and ensuring they protect sensitive customer data. If you wish to speak to a member of our team about AgentSecure or PCI DSS remediation, contact us on 1300 975 630 or email us at firstname.lastname@example.org.