Control Gap Inc
As more technologies enter the call center, securing sensitive customer data becomes increasingly challenging. Thankfully, we have the Payment Card Industry Data Security Standard (PCI DSS) to help address these ongoing challenges and ensure the protection of customers’ most sensitive data. However, while the PCI standards are vital to preventing data breaches that could damage your company’s reputation, many businesses still struggle to meet their compliance obligations.
If you are unsure where to begin in evaluating your compliance efforts, follow these three simple steps:
1. Understand how your people and processes deal with credit card information.
Do you know what actually happens when your business handles payment card data? Spend time to understand the technologies in play and the components that see card data, as well as the data itself. In a call center context, cardholder (and sensitive authorization) data includes the primary account number (PAN), security validation codes, and PINs regardless of the form or media type. In addition, digitized voice, voice recordings, recordings of IVR/DTMF tones, images, videos, text data and hard copy all must be protected.
As you observe the ins and outs of how you handle payment data, look for the unexpected and “off-the-books” processes. For example, it is not uncommon for call center employees to use workarounds and improvisations to complete their jobs, leading to databases full of PAN in the free-form text fields. Or, customers may provide card information when it is not needed and it is unnecessarily stored. Figure out where the data flows, where it resides and why it’s there.
2. Observe the relationship between your technology and your data.
PCI requires the protection of card data, not just with encryption of transmission and data at rest, but also with policies and processes, physical controls, system and network access controls, anti-malware controls, logging and monitoring, patching and robust vulnerability management, and training and awareness. These are controls that must be evaluated across your organization’s entire compliance footprint. Therefore, as more technologies enter call center operations, the scope of PCI compliance grows.
For example, VoIP systems bring their networks and connected systems into your PCI scope. They may also support functionality such as call cloning and monitoring, which needs to be controlled, and the VoIP transmissions themselves must be encrypted. Bluetooth-enabled devices such as headsets and keyboards need to be considered as well: while newer Bluetooth devices support strong encryption, many do not. You may also need to protect call recordings with encryption, access controls and logging. If recordings contain sensitive authentication data, it must be removed, or alternatively you must demonstrate that it cannot be mined or queried.
As you take a closer look at your technology environment and how it relates to the data you handle, ask the following questions:
- What technology components touch the data and what components support them?
- How large are connected systems’ networks?
- What systems that have nothing to do with handling card data can potentially see the data?
- Are you encrypting all stored and transmitted data?
- How are you dealing with securely deleting any sensitive authentication data?
- How are you dealing with risk associated with technology limitations?
- Are you outsourcing any of this function or any support for this function? How do you know that security and compliance objectives are met, and how will you demonstrate these functions’ compliance?
- Do you know your compliance status? Are there other risk mitigations or controls that need to be accounted for to support your compliance?
3. Create a plan of action.
Once you understand your data, how it’s handled and the technologies involved, it is time to create a plan of action. This involves first performing a gap analysis, applying risk analysis to the results and finally, planning your remediation. Some measures will be clear and obvious, while others will be trickier, requiring careful consideration of the intent of PCI and specific risks:
- Think about your business processes. Remove data you don’t need: this reduces risk and makes compliance easier to achieve and sustain. Support this with training and awareness initiatives.
- Consider technological steps to reduce the size of your compliance footprint.
- Spend time on the tricky problems to make sure your solutions are justified and defensible based on risk.
- Validate your solutions and approaches.
- Pay attention to the due diligence and formalization of specific PCI responsibilities required when outsourcing.
- Address any data cleanup issues.
- Do not make assumptions or ignore issues.
If your plan involves evaluating new technologies, take the time to make sure they meet both your needs and PCI requirements. For example, encrypting payment terminals, while useful in card-present solutions, only simplify outbound acceptance channels; you still need to address the inbound channels (e.g. calls, faxes and letters). The same goes for tokenization – it simplifies requirements where you need to store card data, but leaves inbound channels unaddressed. Also consider whether your solutions will hold up over time and against the inevitability of human error, and periodically monitor for and correct errors. Use risk as your guide, but make sure an actionable plan is in place.
Remember: a security breach of any kind, not just a card data breach, is extremely harmful to your business. By taking the right steps to ensure PCI compliance within your call center – the most vulnerable channel – you are demonstrating your commitment to your customers, thereby setting your organization up for success.