As the central hub for customer engagement, enterprise call and contact centers naturally collect, process and store a wide variety of personally identifiable information (PII), including payment card data, addresses, birth dates, bank account details, social security numbers, medical information and much more. As a result, most contact centers fall within the scope of the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is an industry standard designed to protect consumers' payment card information: a set of requirements that organizations must follow in order to accept, process, store and transmit cardholder data as securely as possible, with the aim of preventing fraud and reducing data breaches.
With its numerous sub-requirements and potentially hundreds of controls, the PCI DSS is one of the most complex industry-wide standards. And, like most data security standards and regulations, it is revised periodically to address new threats, so it can be costly and complicated for call and contact centers to keep up with the latest updates and best practices for compliance. To help ease the burden, Semafone has created an easy-to-use PCI DSS Compliance Checklist to help contact centers get started on the path to compliance. This guide is an at-a-glance resource and an initial overview; it should not be considered a comprehensive program for PCI DSS compliance. To find a Qualified Security Assessor (QSA) to help your organization establish a thorough PCI DSS compliance program, visit https://www.pcisecuritystandards.org/assessors_and_solutions/.
Who Needs to Be PCI DSS Compliant
In short, any merchant that accepts payment cards must comply with the PCI DSS, regardless of merchant level, and so must any service provider that stores, processes or transmits cardholder data on a merchant's behalf, which covers outsourced contact centers. This includes companies that accept card-not-present (CNP) transactions over the phone, through digital channels such as online forms and web chats, or even through the mail.
Failure to comply with PCI DSS can be very costly to an organization. If a data breach occurs and the merchant is found noncompliant, the payment card brands can impose financial penalties on the merchant's acquiring bank. The bank typically passes those costs along to the merchant; the figures commonly cited range from $5,000 to $500,000 per month and vary by card brand. For repeat offenses, the card brands can even revoke the merchant's right to process transactions using their cards.
PCI DSS Requirements at a Glance
Goal: Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Goal: Protect Cardholder Data
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.

Goal: Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs.
6. Develop and maintain secure systems and applications.

Goal: Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.

Goal: Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.

Goal: Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel, and ensure that all personnel are aware of it.
The requirement titles above are those of PCI DSS v3.2.1. Version 4.0 (published 2022) keeps the same twelve requirements but rewords them and renumbers many sub-requirements, so confirm which version your assessor is validating against. As you work your way through the requirements checklist, here are some key considerations to help you understand and address each requirement.
Requirement 1: Install and maintain a firewall and router configuration to protect cardholder data.
Firewalls control the network traffic allowed into and out of an organization's network, and into the most sensitive areas within its internal network. Some firewall functionality may also be incorporated within other system components. For example, routers used to connect networks are also in scope for assessment of Requirement 1 if they are used within the cardholder data environment (CDE).
Organizations should establish firewall and router configuration standards that document every connection into and out of the CDE, with a business justification for each permitted port and service, and review the rule sets at least every six months. The configurations should deny all traffic that is not explicitly permitted, restrict inbound and outbound traffic to what the CDE needs, and prohibit direct public access between the Internet and any system component in the CDE (public-facing services belong in a DMZ). Personal firewall software, or equivalent functionality, should also be installed on any portable device, company-owned or employee-owned, that connects to the Internet when outside the network and is also used to access the CDE.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
Changing default passwords and security settings when deploying new systems and network devices should be common sense, yet this basic step is often skipped. Vendor defaults are published and widely known, so a device left with them, or with a weak password, gives an attacker an easy route into the internal network. Before a system is connected to the network, change every default password and remove or disable unnecessary default accounts; also disable unneeded services, protocols and functions, and build systems to a documented hardening standard. For wireless devices connected to the cardholder data environment or used to transmit cardholder data, this includes changing default encryption keys, SNMP community strings and passwords at installation, and rotating the keys whenever someone who knows them leaves the organization.
Requirement 3: Protect stored cardholder data.
Contact centers should not store payment card data unless it is absolutely necessary. The PCI DSS also prohibits storing sensitive authentication data after authorization, even in encrypted form: the full contents of the magnetic stripe or chip, the three- or four-digit card verification code (CVV2/CVC2/CID) and PINs. For a contact center this means the security code a caller reads out must never end up in call recordings, agent notes, CRM fields or chat transcripts.
One way that contact centers can reduce the amount of cardholder data on hand, and thereby reduce the scope of compliance, is to deploy dual-tone multi-frequency (DTMF) masking technologies. Such solutions enable customers to enter their payment card information on their telephone keypad rather than reading it aloud to the customer service representative (CSR) or agent. The DTMF masking technology replaces the keypad tones so that they are neither captured on call recording systems nor audible to the CSRs, who could otherwise write the numbers down and use them for fraud. The sensitive payment card data is segregated and routed directly to the payment processor, bypassing the contact center's desktop, recording and CRM systems. Because the contact center then no longer captures, processes or stores the data, those systems can be taken out of PCI DSS scope; the masking solution itself and the telephony path that carries the tones remain in scope, so the resulting scope reduction should be documented and confirmed with your QSA.
Sometimes a contact center cannot keep all payment card information out of its IT systems. Where the primary account number (PAN) shown on the front of a customer's card must be stored, Requirement 3.4 stipulates that it be rendered unreadable anywhere it is stored, using one-way hashing of the entire PAN based on strong cryptography, truncation, index tokens with securely stored pads, or strong encryption with proper key management; if both a hashed and a truncated version of the same PAN are present, controls must ensure the two cannot be correlated to reconstruct it. When a PAN must be displayed to CSRs or agents, mask it (Requirement 3.3 permits at most the first six and last four digits; showing only the last four is the safer choice). Lastly, limit the storage and retention of cardholder data to the minimum required for business, legal or regulatory purposes, define that retention period in policy, and run a process at least quarterly to identify and securely delete data that exceeds it.
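The three operations above (a display mask, an unreadable storage form, and keeping PANs out of free text such as agent notes and logs) are shown here as an added example written for this guide; it is not Semafone's code or part of any product. It uses only the Python standard library. The card numbers are the public Luhn-valid test numbers 4111111111111111 and 5500000000000004, not real cards, and the HMAC key is a placeholder that in practice would come from a key-management system rather than application code.

```python
"""Added example: PAN handling for Requirement 3 (display masking, keyed
hashing for storage, and scrubbing of free text). Standard library only."""
import hashlib
import hmac
import re

SEPARATORS = re.compile(r"[\s-]")


def luhn_valid(digits: str) -> bool:
    """Luhn check (ISO/IEC 7812) on a string of digits; filters out
    order numbers and other digit runs that merely look like PANs."""
    if not digits.isdigit() or len(digits) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_last: int = 4) -> str:
    """Display form. PCI DSS 3.3 allows at most first six and last four;
    this keeps only the last four, the stricter option mentioned above."""
    digits = SEPARATORS.sub("", pan)
    return "*" * (len(digits) - keep_last) + digits[-keep_last:]


def pan_reference(pan: str, key: bytes) -> str:
    """Storage/lookup form: HMAC-SHA256 of the full PAN. A plain, unkeyed
    hash is brute-forceable because the space of valid PANs is small, so
    the key (placeholder here) must be kept in a key-management system."""
    digits = SEPARATORS.sub("", pan)
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


# 13 to 19 digits, optionally separated by spaces or dashes, not embedded
# in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def scrub_pans(text: str):
    """Replace every Luhn-valid PAN in free text with its masked form.
    Returns (scrubbed_text, number_of_pans_found). Run this on agent
    notes, chat transcripts and application logs before they are stored."""
    count = 0

    def repl(match):
        nonlocal count
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if luhn_valid(digits):
            count += 1
            return mask_pan(digits)
        return raw                          # not a card number, leave it

    return PAN_CANDIDATE.sub(repl, text), count


if __name__ == "__main__":
    # Constructed agent note: one real-looking PAN and one order number.
    note = "caller gave card 4111-1111-1111-1111, order 1234567890123456"
    cleaned, found = scrub_pans(note)
    print(found, cleaned)
    print(mask_pan("5500 0000 0000 0004"))
    print(pan_reference("4111111111111111", b"placeholder-key-from-kms"))
```

The scrubber validates with Luhn before masking so that order numbers, ticket IDs and phone numbers are left alone, which keeps the false-positive rate low enough to run on every stored note and log line.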
Requirement 4: Encrypt transmission of cardholder data across open, public networks.
Cardholder data transmitted over open, public networks can be intercepted by criminals, so it must be encrypted in transit so that it is unreadable to anyone unauthorized. Call centers should use strong cryptography and security protocols (TLS 1.2 or later, SSH, IPsec) to safeguard cardholder data sent over the Internet or across wireless networks. SSL and early TLS (SSL 2.0 and 3.0 and TLS 1.0, with TLS 1.1 also widely deprecated) are no longer considered strong cryptography and have been prohibited by the PCI DSS since June 2018. Accept only trusted keys and certificates and verify certificates properly rather than switching checks off, and never send PANs through end-user messaging such as email, instant messaging or SMS unless they are protected with strong cryptography. Wireless networks that carry cardholder data or connect to the CDE must use current industry-standard protection (WPA2 or later); WEP is prohibited.
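An added example, written for this guide and not taken from the page or any product, of what "strong cryptography and security protocols" looks like in application code: a hardened client-side TLS configuration for sending cardholder data to a payment gateway, placed beside the kind of configuration that fails an assessment, with a small checker that reports the findings. It uses only Python's standard ssl module; no network connection is made.

```python
"""Added example: client TLS configuration for Requirement 4, weak versus
hardened, plus a checker for the settings an assessor would look at."""
import ssl
from typing import List, Optional


def hardened_client_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Context an application should use for cardholder data over the
    Internet: certificate and hostname verification on, TLS 1.2 floor,
    compression off. ca_file is optional; default system trust otherwise."""
    ctx = ssl.create_default_context(cafile=ca_file)  # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2      # SSL and early TLS are out
    ctx.options |= ssl.OP_NO_COMPRESSION              # no compression side channels
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The configuration that turns up when someone 'makes it work':
    no protocol floor and certificate checks disabled."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # whatever the library allows
    ctx.check_hostname = False       # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE  # any certificate, or none, is accepted
    return ctx


def assess(ctx: ssl.SSLContext) -> List[str]:
    """Return the list of findings for a context; empty means acceptable."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum protocol version not pinned to TLS 1.2 or later")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression not disabled")
    return findings


if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()), ("hardened", hardened_client_context())):
        print(name, assess(ctx) or "no findings")
```

The hardened context is what you would pass to http.client, urllib or a requests transport adapter; the checker is the sort of thing to run in a unit test so that a later "fix" that disables verification fails the build rather than an audit.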
Requirement 5: Use and regularly update anti-virus software or programs.
While using anti-virus software may seem like a no-brainer in this day and age, many organizations and individuals still slip into complacency about keeping it current against the latest threats. Anti-malware must be deployed on all systems commonly affected by malware (at minimum, workstations and servers), kept up to date, actively running, generating audit logs that are retained like other logs, and configured so that end users cannot disable or alter it. Systems considered not commonly affected by malware should be re-evaluated periodically as threats change.
Requirement 6: Develop and maintain secure systems and applications.
Attackers exploit known security vulnerabilities in systems and applications to gain a foothold in an organization's network. Contact centers should keep their systems current with vendor security patches (critical patches within one month of release) and establish a process for identifying newly discovered vulnerabilities, from vendor advisories and industry sources, and assigning each a risk ranking so that the most serious are addressed first. Secure development practices and change control apply to in-house applications as well. For public-facing web applications, such as customer service chat windows or any online form where customers may input payment card data or other PII, either review them for vulnerabilities at least annually and after any change, or put an automated solution such as a web application firewall in front of them; doing both is the stronger posture.
Requirement 7: Restrict access to cardholder data by business need-to-know.
To help prevent fraud, contact centers should ensure that sensitive PII and payment card data can be accessed only by authorized personnel, on a need-to-know basis according to their job responsibilities. This is the principle of least privilege: each employee receives the minimum level of access necessary to do the job, granted through an access control system that denies everything not explicitly allowed. For example, if a customer is not on the phone with a CSR making a payment at that moment, the CSR should not be able to access that customer's payment card details on file. Contact centers should also verify the caller before the agent can see account data: the CSR asks the caller for some form of authenticating information, and only then does the system unlock the caller's sensitive account information.
Requirement 8: Assign a unique ID to each person with computer access.
Another practice PCI DSS requires is assigning a unique identifier to every person in the organization with computer access, so that any access to sensitive data or systems can be traced to a specific individual and acted upon if it was inappropriate. That means unique IDs for each CSR or agent, including temporary and seasonal staff, and no shared, group or generic accounts. Access must be revoked immediately when someone leaves, inactive accounts removed within 90 days, and idle sessions locked after 15 minutes. Multi-factor authentication is required for all remote network access into the environment, for example for CSRs answering calls from home, and for all non-console administrative access to the cardholder data environment.
Requirement 9: Restrict physical access to cardholder data.
Any time a person has physical access to data or systems that house cardholder information, there is an opportunity to access or remove devices, data, systems or hard copies, so physical access to all such devices and systems should be properly restricted. If data is held in a contact center's IT environment, anyone who can walk into the facility may be able to reach PII. With unrestricted access to a contact center's office, a member of the cleaning crew could slip an inconspicuous USB keylogger with a Wi-Fi transmitter into several computers; it would capture detailed information on customer transactions, including payment card numbers, all accessible to the cleaner, who collects the unnoticed devices the following week. Controls include badge-based entry to areas housing CDE systems, visitor logs and escorts, and secure destruction of media, including paper notes, when it is no longer needed. Beyond restricting physical access, one of the best defenses is to keep sensitive data out of the contact center in the first place, as far as possible, for example through the DTMF masking technologies described above.
Requirement 10: Track and monitor all access to network resources and cardholder data.
Logging mechanisms and the ability to track user activity are critical for detecting a compromise, responding to it and determining its cause; without system activity logs, investigating a breach is close to impossible. Audit trails must link every access to cardholder data to an individual user and record at minimum the user, event type, date and time, success or failure, origin and the resource affected. Logs must be protected from unauthorized modification, for example by forwarding them promptly to a central log server and applying change-detection to the log files, and system clocks must be synchronised from a trusted time source so that events can be correlated. Logs of security functions, of systems in the cardholder data environment and of critical systems should be reviewed at least daily (automated log analysis tools count), and call centers must retain an audit trail history for at least one year, with at least three months immediately available for analysis.
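The daily review described above, and the Requirement 7 rule that an agent should only see card details for the customer currently on the line, are illustrated here in an added example written for this guide (not Semafone's code or any product's log format). It replays a constructed audit trail and flags every PAN view that was not covered by an active call between that agent and that customer. The JSON-lines layout with ts, event, agent, customer and call_id fields is an assumption for the example; map it onto whatever your telephony and CRM systems actually emit.

```python
"""Added example: detective control over an audit trail (Requirements 7 and
10). Flags PAN views outside an active call or for the wrong customer.
Log format and records are constructed for the example."""
import json
from typing import Dict, List, Tuple

# Constructed sample: two calls, four PAN views, three of them wrong.
SAMPLE_LOG = """\
{"ts": "2024-03-04T09:00:00Z", "event": "call_start", "agent": "a.smith", "customer": "C1001", "call_id": "K1"}
{"ts": "2024-03-04T09:02:10Z", "event": "pan_view", "agent": "a.smith", "customer": "C1001", "call_id": "K1"}
{"ts": "2024-03-04T09:05:00Z", "event": "call_end", "agent": "a.smith", "customer": "C1001", "call_id": "K1"}
{"ts": "2024-03-04T09:07:30Z", "event": "pan_view", "agent": "a.smith", "customer": "C1001", "call_id": null}
{"ts": "2024-03-04T09:10:00Z", "event": "call_start", "agent": "b.jones", "customer": "C2002", "call_id": "K2"}
{"ts": "2024-03-04T09:11:00Z", "event": "pan_view", "agent": "b.jones", "customer": "C3003", "call_id": "K2"}
{"ts": "2024-03-04T09:12:00Z", "event": "pan_view", "agent": "svc_batch", "customer": "C4004", "call_id": null}
{"ts": "2024-03-04T09:15:00Z", "event": "call_end", "agent": "b.jones", "customer": "C2002", "call_id": "K2"}
"""


def parse(log_text: str) -> List[dict]:
    """One JSON object per non-empty line; the file is assumed to be in
    time order, as a log forwarded to a central collector would be."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def review(log_text: str) -> List[dict]:
    """Replay the trail, tracking which agent is on a call with which
    customer, and return a finding for every PAN view not justified by
    that state."""
    active: Dict[str, Tuple[str, str]] = {}   # call_id -> (agent, customer)
    findings = []
    for rec in parse(log_text):
        event = rec["event"]
        if event == "call_start":
            active[rec["call_id"]] = (rec["agent"], rec["customer"])
        elif event == "call_end":
            active.pop(rec["call_id"], None)
        elif event == "pan_view":
            call = active.get(rec["call_id"])
            if call is None:
                reason = "PAN viewed outside an active call"
            elif call != (rec["agent"], rec["customer"]):
                reason = "PAN viewed for a customer other than the caller"
            else:
                continue                         # justified by the live call
            findings.append({"ts": rec["ts"], "agent": rec["agent"],
                             "customer": rec["customer"], "reason": reason})
    return findings


def by_agent(findings: List[dict]) -> Dict[str, int]:
    """Count of findings per user ID, the view a daily review starts from."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["agent"]] = counts.get(f["agent"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = review(SAMPLE_LOG)
    for h in hits:
        print(h["ts"], h["agent"], h["customer"], h["reason"])
    print(by_agent(hits))
```

Because the check keys on a unique user ID, the `svc_batch` finding is also a Requirement 8 signal: a shared service account viewing PANs cannot be traced to a person, and should be treated as a finding in its own right even when a batch job was expected.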
Requirement 11: Regularly test security systems and processes.
New vulnerabilities are discovered constantly, and the IoT devices increasingly making their way into businesses, such as voice assistants like Alexa, Google Home and Siri, widen the attack surface. Systems, devices, applications, processes and software must be tested regularly to ensure security is maintained over time. Contact centers should run internal vulnerability scans at least quarterly and after any significant change, and external scans at least quarterly by an Approved Scanning Vendor (ASV), rescanning until passing results are obtained. Internal and external penetration testing is required at least annually and after significant changes; if network segmentation is used to reduce scope, the segmentation controls must be tested as well. Use network intrusion detection or prevention systems to monitor all traffic at the perimeter and at critical points inside the cardholder data environment, check at least quarterly for unauthorized wireless access points, and deploy change-detection (file integrity monitoring) on critical system files with comparisons at least weekly.
Requirement 12: Maintain a policy that addresses information security for all personnel.
Call centers must establish, publish, maintain and disseminate a security policy that addresses all PCI DSS requirements, review it at least annually and update it when the environment changes, and perform a formal risk assessment at least annually and after significant changes that identifies threats and vulnerabilities. They should also have usage policies covering remote access, removable electronic media, handheld devices, email and Internet access and similar technologies, with security responsibilities clearly assigned.
Equally important, call centers must make sure that all employees are aware of these policies and procedures. Even the best compliance controls will not be effective if employees do not understand the policies and why they should follow them. Contact centers must train their personnel on data security and privacy best practices at hire and provide refreshers at least annually. While most contact center employees and CSRs are good people, even good people make mistakes that can unwittingly cause a data breach, or can be tempted into a bad decision under financial stress. As part of their policies, contact centers should also have an incident response plan, tested at least annually, so that they are prepared to respond immediately in the event of a breach.
Compliance is More Than a Checklist
It is important to remember that strong data security and compliance always involve more than checking a box and calling it "done." Protecting the organization's corporate data and its customers' sensitive information is an ongoing process. Passing an assessment is not the end: external vulnerability scans must be passed every quarter by an ASV, and compliance must be revalidated annually, through a Self-Assessment Questionnaire or, for larger merchants and service providers, a Report on Compliance prepared by a QSA. The good news is that PCI DSS compliance is worth the effort. Not only does it benefit consumers by helping keep their sensitive information safe, it also benefits the organization in concrete ways, including avoiding costly fines and helping protect against reputation-damaging data breaches.
For more information on PCI DSS compliance, visit the PCI Security Standards Council website at: https://www.pcisecuritystandards.org/