Best Practices for Descoping Contact Centers for PCI DSS Compliance

By Aaron Lumnah, Digital Marketing Manager

With cyberattacks occurring on what appears to be a daily basis, and the average cost of a data breach in 2016 resting at $4 million according to a report by the Ponemon Institute, it’s never been more important to ensure your organization is following security best practices to prevent a breach of its own. Even though the U.S. migration to EMV credit cards has helped to reduce the rate of fraud for physical transactions, Card Not Present (CNP) fraud has greatly increased in recent years. In fact, CNP fraud represents 45% of all credit card fraud in the U.S., according to a report by Aité Group.

To make matters worse, after conducting a survey of over 500 contact center agents worldwide, Semafone found that a startling 72% of organizations require customers to read their credit card numbers out loud when making a payment over the phone. This outdated practice puts customers at risk of having their personal information overheard by eavesdroppers, and puts the organization at risk of a data breach by exposing sensitive data to both contact center agents and call recordings. What’s more, the survey revealed that breach attempts are in fact happening by both insiders and outsiders, yet only 42% of contact center agents who witness one reports the incident to upper management.

These staggering figures beseech companies to do more to not only protect their customers, but also their brand reputations and, ultimately, their bottom line by preventing fraud.

While it may seem difficult to keep up with all the latest developments in cybersecurity, a great place to start ensuring your company is following best practices is to comply with governmental and industry compliance requirements. For organizations that take card payments, one of the most fundamental frameworks they must comply with is the Payment Card Industry Data Security Standard (PCI DSS).

What is the PCI DSS?

One of the most prevalent compliance standards in the payments industry, the PCI DSS is a globally accepted set of controls agreed upon and enforced by the Payment Card Industry Security Standards Council (PCI SSC), a consortium of the five major credit card companies, including Visa, MasterCard, Discover, American Express, and JCB. Originally put into practice in 2004 to mitigate the growing problem of credit card fraud and to streamline the security requirements among the major credit providers, the framework encompasses all aspects of payment collection, including telephone payments.

Having gone through several iterations throughout the history of the PCI DSS, the PCI SSC released version 3.2 in April of 2016. The current version is organized into six distinct categories, with twelve broad requirements, outlining a total of over 400 security controls that every merchant must implement to achieve compliance.

Any organization taking payments must comply with these guidelines. Failure to comply could result in fines from each of the payment providers and in extreme cases could even lead to them revoking the privilege of the merchant to accept credit payments.

Making sure your organization has met compliance standards can be a challenge, to say the least! For this reason, we’ve compiled some best practices to help you make your contact center PCI DSS compliant and reduce the risk of credit card fraud.

How Do I Make My Contact Center PCI DSS Compliant?

The task of complying with the twelve standards and over 400 controls outlined in the PCI DSS may seem daunting, but there are ways to reduce the amount of applicable PCI controls in your contact center. This process is known as “descoping” and can significantly cut down on the amount of contact center infrastructure considered “in scope” of the framework. Descoping can dramatically reduce the cost associated with compliance and will lead to a much simpler process overall.

Descoping Starts with Removing Payment Information

In order to understand how to effectively descope a call center, we must first understand what it means to be “in scope.” According to the PCI Security Standards Council’s Quick Reference Guide, “The PCI DSS applies to all entities that store, process, and/or transmit cardholder data. It covers technical and operational system components included in or connected to cardholder data.” That means that the PCI DSS considers any person, system, or piece of technology that touches payment information as “in-scope.”

Some security and compliance professionals believe that employee training is the key to PCI DSS compliance, but it is not enough to simply train your customer service representatives (CSRs) or agents on how to properly handle payment information. With such a broad definition outlined above, virtually everything inside the contact center that could potentially be exposed to payment information must be accounted for: the computers, the telephones, the network infrastructure, the CRM software, the CSRs themselves (and any tools that could be used to record payment information, like a notes app, their mobile phone, or a pen and paper), and even the security cameras on the wall.

As Gary Glover, VP of Assessments at SecurityMetrics, puts it in his blog post on the matter, “Simply training employees in security awareness doesn’t fulfill specific responsibilities, including a key aspect in requirement 3.2, which states, ‘Do not store sensitive authentication data after authorization (even if encrypted).’” That means that in no circumstances should there be a record of sensitive authentication data anywhere within the network infrastructure—including call recordings.

The most effective way to reduce the number of applicable PCI controls is to never allow payment information to enter the contact center. As Glover explains, “Merchants must ensure sensitive authentication data is not stored in any form after authorization. The part that may trip up a contact center is the thousands of hours of call recordings that include payment information verbalized by both customers and agents over the phone.”

This means that technologies such as Pause and Resume call recording systems are insufficient: they only remove the call recording from scope and leave large parts of the call center in scope. These technologies still require the CSRs to take down credit card numbers, which means payment information may inadvertently still be included in call recordings if a CSR forgets to pause the recording at the right moment. In some regulated industries, such as insurance, where firms are required to keep the whole call recording intact, using Pause and Resume call recording methods violates other areas of compliance, like the rules set out by the Financial Industry Regulatory Authority (FINRA) in the United States and the Financial Conduct Authority (FCA) in the United Kingdom.

Another method of ensuring that payment information is not recorded is to implement a “clean room” environment where CSRs have no access to the internet, no pens or paper, no cell phones or recording devices, and no bags, coats, or personal items in their vicinity. In some instances, CSRs may even be searched or scanned before and after entering the building. While this method does ensure that the contact center meets all the requirements of PCI DSS, CSRs are left heavily scrutinized and closely monitored, leading to a poor work environment, low employee morale, and high staff turnover.

DTMF Masking – the Most Effective Method to Descope for PCI DSS Compliance

A final method that an increasing number of organizations have turned to in order to descope their contact centers is DTMF masking technology, like Cardprotect by Semafone. Cardprotect allows customers to enter their credit card numbers using the keypad on their phones while staying on the line with the CSR. With DTMF masking, the agent never sees or hears the number as the dial tones are masked and all sound the same. The payment is then encrypted and passed securely to the payment service provider (PSP) and is never stored, effectively removing the contact center and all its components from the scope of PCI DSS.
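The following simulation, added here as an illustration and not Semafone's or Cardprotect's code, models the data-flow difference the two preceding sections describe: Pause and Resume depends on the agent acting at the right moment, whereas DTMF masking intercepts the keyed digits before they reach the agent feed or the recorder, so the full card number is only ever assembled for the payment service provider. All event names, the `MASK_TONE` placeholder and the sample card number are constructed for the example.

```python
"""Constructed model of two phone-payment controls: Pause/Resume recording
versus DTMF masking. Not product code; event names are assumptions."""
from dataclasses import dataclass, field

DTMF_DIGITS = set("0123456789")
MASK_TONE = "*"  # placeholder for the uniform tone the agent and recorder hear

@dataclass
class PaymentCapture:
    """Sits between the customer leg and the agent/recorder legs of the call."""
    pan_digits: list = field(default_factory=list)  # held only here, never recorded
    agent_feed: list = field(default_factory=list)
    recording: list = field(default_factory=list)

def dtmf_masked_call(events):
    """events: ("speech", text) or ("dtmf", digit) items from the customer leg.
    Keyed digits are captured into the PaymentCapture buffer and replaced by a
    uniform tone on both the agent feed and the recording, without any agent action."""
    cap = PaymentCapture()
    for kind, value in events:
        if kind == "dtmf" and value in DTMF_DIGITS:
            cap.pan_digits.append(value)
            cap.agent_feed.append(MASK_TONE)
            cap.recording.append(MASK_TONE)
        else:
            cap.agent_feed.append(value)
            cap.recording.append(value)
    return cap

def pause_resume_call(events, agent_paused_correctly):
    """The customer speaks the PAN; it stays out of the recording only if the
    agent paused at the right moment (a human control, not a structural one)."""
    recording = []
    for kind, value in events:
        if kind == "spoken_pan" and agent_paused_correctly:
            continue  # recorder paused: the spoken number is dropped
        recording.append(value)
    return recording

def contains_pan(fragments, pan):
    """True if the card number is recoverable from a feed or recording
    (digits are joined so spacing or speech between them does not hide it)."""
    digits = "".join(ch for frag in fragments for ch in frag if ch.isdigit())
    return pan in digits

def pan_for_psp(cap):
    """The only point where the full PAN is assembled: handing it to the PSP."""
    return "".join(cap.pan_digits)
```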

Clearly the best way to go about maintaining PCI DSS compliance and lowering the risk of payment card fraud is to remove contact centers from the scope entirely. With the average cost of a data breach in 2016 resting at $4 million according to a report by the Ponemon Institute, more and more companies are turning to innovative technologies like DTMF masking to reduce the threat of a breach and reduce the headache of meeting the ever-mounting number of compliance requirements. In turn, CSRs can focus on serving customers and providing them a positive overall experience.