Let’s Get Physical: How to Comply with the PCI DSS’ Physical Security Requirements

When you think of a data breach, odds are that notions of a hacker deviously tapping into a computer mainframe or network infrastructure come to mind. However, not all data security incidents result from cyber attacks – many stem from physical breaches. In fact, one in four breaches in the financial services industry alone is due to lost or stolen devices (by comparison, one in five is attributed to hacking).

Thus, it’s no surprise that the Payment Card Industry Data Security Standard (PCI DSS) outlines specific guidelines for securing cardholder data environments (CDE) from a physical standpoint. This means protecting devices and systems (desktops, laptops, point-of-sale terminals, servers, routers, phones and other equipment), as well as the facility itself (office buildings, retail stores, data centres, call and contact centres and other structures).

With unauthorised access to any one of these, criminals, fraudsters and rogue employees could swiftly access, remove, rig or tamper with a device that touches or stores cardholder data (CHD) and payment information. For example, fraudsters are increasingly implementing “skimming” devices to compromise credit and debit cards at ATMs and petrol station pump terminals. While the shift to EMV chip-enabled cards is designed to mitigate this growing issue, risks remain.

Complicating the situation is that not all CHD is stored electronically. Often, merchants (especially small businesses) retain printed copies of customer payment card data and receipts. Should these materials fall into the wrong hands, the merchant may face hefty fines for noncompliance, lose customer trust and suffer long-term reputational damage.

> Download Now: PCI DSS Compliance Checklist for Call & Contact Centres  <http://info.semafone.com/download-now-pci-compliance-checklist-0>

10 Steps to Restricting Physical Access to Cardholder Data

Fortunately, Requirement 9 of the PCI DSS outlines specific criteria for restricting physical access to CHD. As the requirements state, “Any physical access to data or systems that house cardholder data provides the opportunity for persons to access and/or remove devices, data, systems or hard copies and should be appropriately restricted.” These requirements are broken down as follows:

    1. Use appropriate entry controls to limit and monitor physical access to systems in the CDE: This includes implementing controls such as: identification badges/readers and other forms of verification for those entering the area; installing video cameras at internal and external entries and exits; and using alarm systems where applicable. Don’t forget to protect publicly accessible network jacks, wireless access points, gateways, handheld devices, networking/communications hardware and telecommunications lines. Any one of these mechanisms can be used to gain unauthorised access to CHD.
    2. Develop procedures to easily distinguish between onsite personnel and visitors. As defined by the PCI DSS, onsite personnel can include full-time, part-time or temporary employees and consultants, while visitors comprise third-party vendors and guests who are present for brief amounts of time. The PCI DSS suggests giving each of these individuals a unique ID (such as a badge) to determine who should and shouldn’t have accesses to areas where CHD is stored.
    3. Control physical access for onsite personnel to sensitive areas based on their individual job function: If a staff member, like a customer service representative (CSR) or agent, doesn’t require access to a particular area in order to perform their job, they shouldn’t have access. Upon an employee’s termination, immediately revoke or disable physical access mechanisms and devices, such as keys and badges.
    4. Implement procedures to authorise visitors. The PCI DSS suggests not only escorting guests, but also giving them some sort of physical token with an expiration date upon their entry. Visitors must surrender the token before leaving the facility or at the date of expiry. Also, keep a visitor log to maintain an audit trail of guests who enter and leave the facility.
    5. Physically secure all media. This includes but is not limited to: computers; removable electronic media; paper receipts; paper reports; and faxes. Even a thumb drive containing CHD could be easily swiped if left on an agent’s desk unattended. When possible, store media back-ups off-site with a compliant third-party.
    6. Control the internal and external distribution of media: Enforce and maintain rigorous policies for distributing media containing CHD. Moreover, classify all media devices to more easily pinpoint which hold CHD and maintain a log for when and where the media is distributed. All distributions must require management approval.
    7. Keep accurate inventories of media: Maintain strict control over the storage and accessibility of media. If you don’t inventory these items, stolen or lost media may go unnoticed for a long period of time – putting you and your customers’ CHD at risk.
    8. Destroy media when you no longer need it for business or legal reasons. Shred, incinerate or pulp hard copies and wipe, degauss (remove the magnetic field) or physically destroy electronic materials. In addition, secure any storage containers used for materials that are to be shredded or destroyed so that criminals can’t recover them for fraudulent use.
    9. Protect devices that capture payment card data via direct physical interaction with the card: This prevents criminals from stealing CHD by manipulating card-reading devices and terminals (i.e. skimming). Don’t forget to keep an inventory of these devices and inspect them periodically for signs of tampering.
    10. Document all policies and procedures: Keep a detailed description of all physical security policies and operational procedures. All parties with access to CHD should be aware of this documentation and properly trained to abide by these policies.

Physically Securing Your Contact Centre

Because call and contact centres intrinsically handle payment card data and other personally identifiable information (PII), they are attractive fraud targets. However, outdated processes – such as requiring callers to read payment card numbers out loud over the phone – heighten the need to strengthen physical security in accordance with the PCI DSS.

For example, an agent may copy down verbalised CHD on a notepad for fraudulent use. If that agent leaves the note unattended, another fraudster could easily swipe it from the workstation. Further, if the note is discarded in a waste paper bin, a cleaning crew member could pick it up and fund an online shopping spree.

In another scenario, a fraudulent individual inside the business, such as a security guard, could manipulate the closed-circuit television (CCTV) system so that it points towards agents’ workstations and captures CHD from computer screens. By illicitly accessing these recordings, this fraudster could enjoy a wealth of PII at their fingertips. Moreover, a rogue employee or third party (like an IT consultant) could discreetly install a Remote Access Trojan (RAT) on agent desktops, giving the fraudulent individual access to databases of CHD and PII from their home computer.

While clean rooms (where agents have no writing utensils, paper, phones or bags and must pass through a security checkpoint) mitigate some of these risks and solve a handful of compliance woes, they create unfavourable working conditions that attribute to agent turnover.

Download Now: PCI DSS Compliance Checklist

Descope Your Contact Centre to Strengthen Physical Security

The challenge with physical security systems and processes is that there is always the possibility of failure. Criminals are becoming smarter and more devious – finding new ways to access sensitive data, no matter where and how it’s physically stored. The best way to truly ensure that your customers’ payment card data and other PII are protected is to descope your infrastructure and remove as much of it from your contact centre environment as possible.

Dual-tone multi-frequency (DTMF) masking technologies, like our flagship Cardprotect solution, can help by keeping CHD out of your network and out of the wrong hands. With a combination of such technologies and keen attention to the PCI DSS, you can make your contact center an ultra-high security zone in no time – protecting your customers, your employees and your brand.

Contact us now to learn more about how Cardprotect can help you comply with the PCI DSS.

Let’s Get Physical: How to Comply with the PCI DSS’ Physical Security Requirements
Semafone