Established by the Payment Card Industry Security Standards Council (PCI SSC), the PCI DSS is a set of requirements for securing payment transactions and protecting cardholders against misuse of their personal information. Non-compliance with the requirements can mean significant fines and the loss of the privilege of accepting payment cards. You can learn more about the PCI DSS here.
The PCI DSS applies to any entity that stores, processes, or transmits cardholder data. Even though the PCI SSC defines multiple levels of merchants and service providers, the requirements remain the same for all merchants and service providers.
There are, however, specific reporting requirements dependent on merchant level. Onsite assessment by a Qualified Security Assessor (QSA) is required for level 1 merchants, and self-assessment via the Self-Assessment Questionnaires (SAQ) is required for merchant levels 2-4.
As the number of digital transactions grows every day, so does the amount of fraud. The risk for merchants of suffering a data breach has never been greater, and the consequences of suffering one can be far reaching, resulting in monetary penalties and, more often than not, irreparable damage to brand reputation.
While compliance with the PCI DSS does not ensure protection against a data breach, taking the steps outlined in the standard can greatly help to reduce the risk of one. Not to mention that non-compliance can result in fines imposed by the major credit providers.
In 2018 the PCI SSC updated the PCI DSS Guidance for Protecting Telephone-Based Payment Card Data, catching up with technology for the first time since 2011. The security landscape and payment channels are constantly changing, particularly within the call and contact centre space with the use of VoIP, softphones and chatbots extending the scope of the PCI regulations. The updated guidance addresses these advances and provides much needed clarity around auditing and payment card data security and protection. The most important changes to the guidelines are outlined below.
Keep softphones separate. The emergence of VoIP and softphones, which are often connected to the desktop environment processing payments, can result in the entire system becoming “in scope” of PCI DSS and subject to its stringent controls. As a result, it is strongly recommended that contact centres fully segment their data and telephony networks.
Organisations must ensure all DTMF tones, including any DTMF bleed, are not present in their environment. The guidance states, “It is important to ensure that all DTMF tones, including any initial small portions of ‘DTMF bleed’ that may be inadvertently allowed through a masking process, are not present in the environment.” This means that QSAs will now check to ensure DTMF bleed doesn’t occur when using DTMF masking solutions.
Any cardholder data captured in call recordings brings more checks than ever.
QSAs now have clear guidelines regarding call recordings and the capture of sensitive authentication data. Both manual and automated “pause and resume” systems, whereby recording is briefly stopped, are deemed to run the risk of accidentally capturing payment card details. If a contact centre is using either of these solutions, QSAs can demand extensive evidence of measures to protect this sensitive data. Multi-factor authentication controls need to be added to call recording solutions, as well as to storage and search tools, and QSAs are empowered to conduct invasive auditing to ensure that additional controls have been put in place effectively.
Third-party service providers are in scope if they provide more than a dial tone.
The new guidance specifies that any call service, from a “transfer” to a “call recording”, that is provided by a third party, will bring that provider into scope of the PCI DSS. The only service that is exempt is a simple voice communications connection, or “dial tone”.
Devices that control Session Initiation Protocol (SIP) Redirection are in PCI DSS scope.
The new guidance recognises that redirecting a call to a secured line, just for the payment process itself, exposes it to a potential risk of interception or diversion by hackers. As a result, all such devices, on or offsite, controlling redirection are vulnerable and therefore fall into the scope of PCI DSS and are therefore subject to the full range of controls.
Removing the card data from the contact centre is the only secure solution.
Lastly, the updated guidance recommends scope reduction techniques and technologies, including managed and unmanaged dual-tone multi-frequency (DTMF) masking solutions, such as Semafone’s Cardprotect. These solutions entirely remove cardholder data and other personal information from the contact centre environment. Callers enter their card numbers via their telephone keypad, remaining in full communication with the agent throughout. The DTMF key tones are masked with flat bleeps, so they cannot be identified by their sound. This prevents any sensitive card information from coming into contact with the agent, with call recording technology and with any other desktop applications. The card data is sent directly to the payment processor, bypassing the contact centre completely.
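The two points above, that no DTMF tones or DTMF bleed may remain in the environment, and that masking replaces key tones with flat bleeps, can be checked offline. The following Python is an added example and is not code from Semafone or the PCI SSC: it synthesises a keypad press, applies a simulated masking process whose optional late start models bleed, and runs a short-frame Goertzel detector over the result, which is the kind of test an assessor can run against a masked recording. The 8 kHz sample rate, tone amplitudes, 1000 Hz bleep frequency, 20 ms frame and 0.05 threshold are assumptions chosen for the example.

```python
import math

FS = 8000  # sample rate in Hz (narrowband telephony); assumed for the example

# DTMF keypad: each key is the sum of one low-group and one high-group tone.
LOW_FREQS = (697.0, 770.0, 852.0, 941.0)
HIGH_FREQS = (1209.0, 1336.0, 1477.0, 1633.0)
KEYS = ("123A", "456B", "789C", "*0#D")
KEY_BY_PAIR = {
    (lo, hi): KEYS[r][c]
    for r, lo in enumerate(LOW_FREQS)
    for c, hi in enumerate(HIGH_FREQS)
}
DTMF_PAIR = {key: pair for pair, key in KEY_BY_PAIR.items()}


def dtmf_tone(key, duration_ms, amp=0.5):
    """Synthesise the two-tone signal a keypad press produces (constructed input)."""
    lo, hi = DTMF_PAIR[key]
    n = FS * duration_ms // 1000
    return [amp * math.sin(2 * math.pi * lo * i / FS)
            + amp * math.sin(2 * math.pi * hi * i / FS) for i in range(n)]


def flat_bleep(n_samples, freq=1000.0, amp=0.5):
    """A single flat tone carrying no keypad information (stands in for a masking tone)."""
    return [amp * math.sin(2 * math.pi * freq * i / FS) for i in range(n_samples)]


def mask_dtmf(samples, bleed_ms=0):
    """Simulated masking process: everything after the first `bleed_ms` is replaced by
    a flat bleep. bleed_ms > 0 models DTMF bleed, where the start of the real tone
    escapes before masking engages."""
    keep = FS * bleed_ms // 1000
    return samples[:keep] + flat_bleep(len(samples) - keep)


def goertzel_power(frame, freq):
    """Power of `frame` at one frequency (Goertzel algorithm, any frequency)."""
    omega = 2 * math.pi * freq / FS
    coeff = 2 * math.cos(omega)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def detect_keys(samples, frame_ms=20, threshold=0.05):
    """Return [(start_ms, key)] for every frame containing a valid DTMF pair.
    Power is normalised so a component of amplitude A scores about A**2;
    the short frame is what makes a brief bleed visible."""
    n = FS * frame_ms // 1000
    norm = (n / 2) ** 2
    found = []
    for start in range(0, len(samples) - n + 1, n):
        frame = samples[start:start + n]
        low = {f: goertzel_power(frame, f) / norm for f in LOW_FREQS}
        high = {f: goertzel_power(frame, f) / norm for f in HIGH_FREQS}
        lo, hi = max(low, key=low.get), max(high, key=high.get)
        if low[lo] > threshold and high[hi] > threshold:
            found.append((start * 1000 // FS, KEY_BY_PAIR[(lo, hi)]))
    return found


if __name__ == "__main__":
    press = dtmf_tone("5", 100)
    print("unmasked  :", detect_keys(press))
    print("masked    :", detect_keys(mask_dtmf(press)))
    print("40 ms bleed:", detect_keys(mask_dtmf(press, bleed_ms=40)))
```

The frame length matters: averaged over a whole call, a 40 ms leak at the start of a key press contributes almost nothing, so a single long-window analysis would report the recording clean. Running the detector frame by frame shows exactly which frames still carry a decodable key, which is the evidence an assessor would ask for.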
In addition to the twelve high level requirements the PCI SSC outlines in the Data Security Standard, there are numerous sub-requirements, and potentially hundreds of controls to apply. Simply put, the PCI DSS considers any person, system, or piece of technology that touches payment information as “in-scope.” In the context of a contact centre that takes payments, this means that all customer service representatives (CSRs), telephony equipment, IT infrastructure, software, even security cameras will be in scope for compliance.
To minimise the scope of the compliance project and reduce the number of applicable PCI controls that must be implemented, organisations must decrease the number of systems and infrastructure components that come into contact with cardholder data.
When customers provide payment information to your contact centre agents, who then enter the data into their desktop application, PCI DSS compliance may involve many complex checks and controls. In fact, you may have to apply over 400 controls to the desktop and the network on which it operates. Other key security considerations include:
These measures are time-consuming, costly and detrimental to the call centre’s working environment.
One of the biggest challenges with PCI DSS compliance involves call recordings, as many call centres record calls for regulatory compliance, quality assurance or legal reasons. Unfortunately, the PCI DSS prohibits the recording of some aspects of telephone payments. To avoid non-compliance and fines, call centres traditionally rely on three methods when taking payments via phone. However, these methods present several drawbacks:
Automated interactive voice response (IVR) payment solutions:
Using voice recognition or keypad entry, these systems allow call centres to take payments without recording card details. However, customers often do not know how to correct miskeyed information and are likely to hang up the phone at the first sign of difficulty. This means they end up giving their payment details to an agent rather than a machine, thus exposing the agent to sensitive information. IVR systems can also increase average handling time (AHT) and reduce first contact resolution (FCR), which both negatively impact the customer journey and can increase call centre costs.
“Pause and resume” call recording solutions:
Pausing the call recording the moment a payment is taken is often a suggested way for call centres to comply with the PCI DSS. However, both the agent and the desktop computer in use are still within scope for PCI DSS – the agent hears and inputs the information, which passes through the network infrastructure. In addition, pause and resume solutions are prone to failure, especially if they are manually operated by an agent who may forget to pause the recording and accidentally log sensitive data.
Call recording encryption solutions:
Many organisations believe that encrypting their call recordings will manage the risks of storing sensitive card data. However, the PCI DSS explicitly prohibits the storing of sensitive authentication data (SAD), including CVC2 and CVV2 security codes, which must not be stored under any circumstances, even if encrypted.
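The failure modes above (an agent who forgets to pause the recording, and archives that must not hold SAD even when encrypted) mean stored recordings and transcripts need to be checked for card data after the fact. The following Python is an added example, not Semafone's or the PCI SSC's code: it scans a constructed call transcript for Luhn-valid card numbers and for security codes next to a keyword, and reports a masked PAN rather than the full value so the finding itself does not reproduce the data. The transcript, its timestamp format, the keyword list and the well-known test number 4111 1111 1111 1111 are assumptions.

```python
import re

# Constructed transcript of a call where the agent announced a manual pause but the
# recorder kept running. The card number is the well-known test PAN, not a real card.
TRANSCRIPT = """\
[00:01:05] AGENT: Thanks, can I take a contact number for the order?
[00:01:09] CALLER: It's 0800 123 4567.
[00:02:40] AGENT: I'll pause the recording now while we take payment.
[00:02:48] CALLER: The card number is 4111 1111 1111 1111, expiry 09/27.
[00:02:55] AGENT: And the security code on the back of the card?
[00:02:57] CALLER: Security code is 737.
[00:03:10] AGENT: Your order reference is 1234567890123456.
"""

# 13-19 digits, optionally separated by spaces or dashes, not part of a longer run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# A security-code keyword followed within a few characters by 3-4 digits (assumed list).
SAD_RE = re.compile(r"\b(?:cvv2?|cvc2?|security code)\b[^\d\n]{0,20}\d{3,4}(?!\d)", re.I)


def luhn_valid(digits):
    """Luhn checksum: true for every card number, false for most other digit runs,
    which keeps order references and phone numbers out of the findings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Keep only the first six and last four digits in the finding."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_transcript(text):
    """Return [(line_no, kind, detail)] for each line holding a PAN or a security code."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits):
                findings.append((line_no, "PAN", mask_pan(digits)))
        if SAD_RE.search(line):
            # The code itself is never copied into the report.
            findings.append((line_no, "SAD", "security code present"))
    return findings


if __name__ == "__main__":
    for line_no, kind, detail in scan_transcript(TRANSCRIPT):
        print(f"line {line_no}: {kind} {detail}")
```

Run against the constructed transcript, the scan flags line 4 (the card number, Luhn-valid) and line 6 (the security code) while ignoring the contact number on line 2 and the 16-digit order reference on line 7, which fails the Luhn check. The same scan applied to speech-to-text output of archived recordings gives a contact centre a way to find accidental captures before an assessor does.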
The most effective way to protect customer data, comply with the PCI DSS and minimise the ongoing cost of securing your infrastructure is to prevent sensitive payment information from entering your call centre environment in the first place.
With Semafone’s Cardprotect, you can eliminate inefficient compliance efforts and call recording measures by descoping the call centre (that is, reducing the number of applicable controls required). Cardprotect removes sensitive data from the business infrastructure, dramatically reducing PCI DSS compliance costs and the risks associated with fraud, and allowing your enterprise to focus on business as usual.
Semafone offers a patented technology to achieve this: removing the agent, their desktop and the wider IT and telephony systems from any contact with card data.
In the UK, the Financial Conduct Authority (FCA) requires financial firms, including brokers, banks and investment managers to record complete phone conversations. The FCA deems that full recordings are useful across all sectors to assuage transaction disputes and ensure that customers are treated fairly, consistently and are given the correct information and advice. However, this causes problems for financial services call centres. Although they must record calls to meet the FCA’s requirements, they cannot record or store Sensitive Authentication Data (SAD) to comply with the PCI DSS.
Semafone’s Cardprotect allows call centres to meet both requirements, as its dual-tone multi-frequency (DTMF) masking solution blocks payment card information from call recordings. Financial services call centres can still record full conversations without worrying about logging sensitive data, which is kept completely out of the call centre environment.