Since 2005, nearly 8,500 data breaches have been made public, and countless thousands have or will never be disclosed, with more than 10 billion individual records compromised. Given the alarming growth in data breaches over recent years, it is perplexing why contact centers, which handle copious amounts of sensitive data, often “put off” addressing information security. In fact, we as security professionals, see many contact centers delaying compliance with the Payment Card Industry Data Security Standard (PCI DSS), which provides guidelines and requirements for protecting card data and transactions. For a closer look at why contact centers are putting PCI DSS compliance on the backburner and for insight into how they can simplify compliance, we brought in Jon Pitts, Managing Director of Consulting at Foregenix Inc., to share his expertise in the next rendition of our “QSA Q&A” blog series. Foregenix is a global, independent QSA specializing in all things PCI, including PCI DSS and PCI Forensic Investigations.
In his current role, Jon works with companies to build effective payment security solutions. Previously, Jon spent eight years as a PCI Qualified Security Assessor (QSA) consultant, manager and executive. He’s assessed contact centers across the globe and is always looking for ways to improve security and minimize the impact of compliance for clients.
Semafone: Hello, Jon! Thank you for taking the time to chat with us. To kick things off, can you please share some of the key PCI DSS compliance challenges you see in today’s contact centers?
Jon: Absolutely. What comes top of mind – with the ongoing changes to the PCI DSS landscape, is that it has become increasingly difficult for contact centers to maintain a thorough and current understanding of PCI DSS, while at the same time, keeping up with internal changes to infrastructure and personnel. Combined with new cybersecurity threats occurring daily, it’s become harder for the information security teams to stay ahead of the curve and prevent the next cyber-breach.
S: Semafone commonly sees companies delaying or putting off their PCI DSS compliance efforts. As a QSA, what are the most common reasons or even excuses that you see organizations give for delaying these initiatives?
J: I think the most common reasons can be broken down into three main factors.
- Conflicting priorities. PCI-related projects often compete for funding against projects that support revenue and growth, as well as projects focused on operational support. For example, increased capacity, reliability, call quality and other projects that directly support the contact center business model,
- Limited PCI Expertise. It has become less common to find contact centers with a thorough understanding of the applicable tiers of reporting and validation requirements for PCI DSS. And, without a proper grasp on the requirements, it is easier to justify “putting off” their compliance initiatives.
- Call center technologies. Security is challenging enough; but contact centers leverage many technologies that evolved from voice communications. These evolved technologies, such as VoIP and the multitudes of call management solutions, are often designed without security prioritized. In fact, it can be challenging to find best practices and secure configuration guidance for companies who want to be compliant with PCI DSS.
S: In your opinion, what are the top consequences of delaying PCI DSS compliance?
J: Loss of revenue stands out. Potential clients often communicate their requirements (including PCI DSS compliance) in a “Request for Proposal” (RFP). Typically, if you are not already PCI compliant when you first receive the RFP, you will not have time to become compliant and be validated by a QSA, in time to submit your RFP response. It can often take many months to become compliant. In the case of Level 1 PCI DSS Validations, it could take upwards of a year to earn a compliant “Attestation of Complianc.e” Generally, by the time you see the RFP, it’s already too late if you’re not PCI DSS compliant.
Another significant consequence is breach-related costs and financial penalties. If there is a breach involving credit cards, and the contact center is identified as the Common Point of Purchase (CPP), a PCI Forensic Investigation (PFI) may be required. Foregenix is one of a few global PFI QSA Companies, and we have dealt with a lot of these cases.
If an organization has experienced a breach, depending on the impact of the breach, there may be a standard digital forensics investigation or even a PFI. In addition to the security aspects of a normal investigation, such as identifying how the breach happened, eradicating bad actors and restoring normal operations, PFIs have additional requirements.
S: What else does a PFI entail?
J: PFIs contact directly between the client and PFI QSA, but they include oversight by banks and/or card brands, and operate within extremely aggressive timeframes. PFIs are fact finders to determine what card data was exposed, and how long the card data was exposed. While the main focus of a PFI investigation is the analysis of the payment ecosystem(s), PFIs are also tasked with determining what security deficiencies were in place at the time of the incident. They also include a PCI DSS assessment to determine if noncompliance with PCI DSS contributed to the breach. In every case I can recall, there were issues of noncompliance. Depending on the context and details, the card brands could issue an assessment that will be passed along to the contact center. These assessment fees can have a significant impact on the business’ bottom line – particularly when added to the costs related to the investigation and required security measures that need to be put in place to comply with investigation findings.
S: What is your best advice for those struggling to comply with PCI DSS or those who are procrastinating?
J: If you haven’t already done so, call a QSA for a Gap Assessment! They will help you understand your obligations and prioritize your security and PCI efforts.
Once you understand PCI DSS, you can start looking for ways to minimize your exposure, both from a security and compliance perspective. The first place we always start is card data – don’t keep it unless you need to. There are a lot of simple ways to reduce your exposure, and a few innovative ways to reduce exposure in some trickier environments, like audio recordings. There are solutions available for pretty much every challenge. If you have the right guidance and insights, you can navigate the best way to move forward.
Also, be sure you have a practical Incident Response Plan (IRP) in place. Your IRP should be tested on a regular basis and adjusted as lesions are learned.
S: What do you think are the odds of actually experiencing a data breach?
J: In this digital age, it doesn’t take much to get breached. A useful rule of thumb – unless you know you’re not breached, you probably are. At this moment, your environment may already be compromised; your data stolen and already for sale on the dark web, or even eBay! I have found my own personal data for sale—one of my login credentials. It was an old password, but it was still surreal to see.
S: Wow, that is scary! So, moving along, how do you see PCI DSS evolving or changing in the near future? How can organizations – including contact centers – simplify compliance as it becomes more complex?
J: PCI will continue to evolve in response to the changing technology and threat environment. Most changes to the PCI DSS can directly be mapped to emerging threats, and in some cases, specific breaches.
The cybersecurity environment is complex and changes rapidly, and is difficult to predict. Instead of focusing on specific scenarios, I can offer a few suggestions which will help you prepare for anything.
S: Great – please share!
J: Sure. My first suggestion is to simply get educated. Understanding PCI DSS is essential for any strategy to improve security and compliance, but few people make an effort to understand it. If you want to learn the details, hire experts like a QSA, to help you make sense of your situation and set priorities.
Next, consider the mantra, “Reduce, reduce, reduce!” Minimize your threat surface, minimize the card data you process and store. If you don’t need it, get rid of it (or don’t handle it in the first place and expose yourself to an unnecessary threat).
Lastly, ensure you are familiar with PCI DSS requirements 12.8 and 12.9. Be prepared for clients to request written agreements acknowledging your responsibilities regarding PCI DSS associated with your services, and know how to complete a responsibility matrix for each of your clients. Understanding these requirements will improve your relationship and help you focus your security and compliance efforts.
S: This has been a very helpful conversation with a lot of great advice. Thanks for your time, Jon!
To learn more on PCI DSS compliance and cybersecurity challenges from Forgenix and Semafone, check out our on-demand webinar, Improving Cybersecurity in the Contact Center: How to Reduce the Risk of a Breach.