Credit Card data is the Crown Jewels for hackers and the financial lifeblood of many companies. An Account Data Compromise, also known as a breach, can lead to bad press and a damaged reputation; you only need to search for Play.com or Lush to see the impact.
With the 18th March 2011 launch of the PCI Council's "Protecting Telephone Based Payment Card Data" guidance for Call Centres, it is worth noting that, according to research from Connected World, 36.7% of contact Centres claimed to be fully compliant with the Payment Card Industry Data Security Standard (PCI DSS).
However, the majority (89%) admitted to not understanding PCI DSS, its requirements or its penalties.
There are many business and regulatory requirements that impact Call Centres, especially the recording of telephone calls; in the United Kingdom, for example, the Financial Services Act.
The act of recording a call can break the rules of PCI DSS, as most calls will involve the recording of ALL the data, including data such as the CAV2, CVC2, CVV2 or CID, which must never be recorded or stored. Storing the PAN and expiry date is acceptable so long as the data is encrypted and the Merchant has acted on all the questions within SAQ D, or has undertaken a formal Audit if they are a Level 1 Merchant.
The number one piece of advice for Call Recording is DO NOT DO IT unless you really have to.
However, the recording of calls and the storing of Credit Card Data in an encrypted format are only small parts of the issue facing Call Centres.
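The distinction above (the card security code must never be stored; the PAN may be stored only if it is rendered unreadable) is the one most often broken by agent call notes and CRM free-text fields. The following is an added example, not code from the original post: a small scrubber that runs over a constructed call note, validates any 13-19 digit run with the Luhn check before treating it as a PAN, truncates the PAN to the first six and last four digits (the most PCI DSS allows to be displayed), and removes a security code that follows a CVV/CVC/CAV2/CID keyword. The keyword heuristic for spotting a security code is an assumption of this example; a real deployment would tune it to its own call-note conventions.

```python
import re

# Constructed sample call note for this example (not real card data).
SAMPLE_NOTE = (
    "Customer paid with card 4111 1111 1111 1111, exp 12/26, "
    "CVV 123. Ref order 44120."
)

# 13-19 digits, optionally separated by spaces or hyphens.
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

# Sensitive authentication data: a security-code keyword followed by 3-4 digits.
# This keyword list is an assumption for the example, not a PCI DSS definition.
SAD_RE = re.compile(
    r"\b(CVV2?|CVC2?|CAV2|CID|security code)\b\s*[:=]?\s*\d{3,4}",
    re.IGNORECASE,
)


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Truncate a PAN to first six and last four digits, masking the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_note(text: str) -> str:
    """Mask PANs and strip security codes so the note is safe to store."""

    def _pan(match: re.Match) -> str:
        digits = re.sub(r"[ -]", "", match.group(0))
        # Only treat the run as a PAN if the length and checksum both fit.
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return mask_pan(digits)
        return match.group(0)

    text = PAN_RE.sub(_pan, text)
    # The security code is never stored: drop the digits, keep the label.
    text = SAD_RE.sub(lambda m: m.group(1) + " [REMOVED]", text)
    return text


def contains_card_data(text: str) -> bool:
    """Check whether a record still holds a full PAN or a security code."""
    if SAD_RE.search(text):
        return True
    for match in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return True
    return False


if __name__ == "__main__":
    print(redact_note(SAMPLE_NOTE))
    print("still contains card data:", contains_card_data(redact_note(SAMPLE_NOTE)))
```

The `contains_card_data` check is the more useful half for an audit: run it over exported CRM notes and ticket text and anything it flags is either a storage violation or a scrubber gap. The Luhn check keeps order numbers and reference codes from being masked by mistake, though it is a filter, not a guarantee.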
By considering the following points and reviewing the documents on the PCI Resource page you can go a long way towards achieving a PCI compliant Call Centre.
- Employee vetting is the first step in ensuring a secure Call Centre.
- There needs to be a formal employee induction programme where employees learn about the company’s policies (rules) and the ramifications of breaching the policies.
- Specifically, there needs to be a documented Policy on how employees handle Calls and the Data resulting from those Calls, especially Credit Card Data.
- The Merchant needs to communicate the Policy to all employees that have access to Credit Card Data.
- Do employees regularly receive training on the Policy and its importance? They should do.
- Are employees made aware of their IT Security responsibilities?
- Security Awareness training needs to be provided, for example, on how to deal with the threat of computer viruses, how to report suspicious activity, etc.
- Security Awareness has to be promoted, for example, on posters and in newsletters.
- Do supervisors/managers enforce a clear desk Policy? For example, no MP3 players, no note pads or any other methods to record information.
- Access to photocopiers and scanners needs to be restricted.
- Restricting physical access to the Call Centre should be considered.
- Call Centres should be restricted to employees only and visitors need to be escorted.
- All paperwork leaving the Call Centre should be shredded to avoid the unnecessary risk of Personally Identifiable Information (PII) finding its way into the public domain.
- Consideration should be given to CCTV.
- Do all employees have unique logon identities?
- Are strong passwords enforced?
- Are password changes enforced every 30 days, or less?
- Are password changes significantly different after every change? For example, not simply adding a 1 or a 2 at the end of the previous password.
- Home and remote workers need to have local security installed, for example, personal Firewalls and Anti-Virus.
- Do systems and servers that store credit card data, for example, CRMs and Databases, have access restricted on a need to know basis?
- Are logs taken and stored for the systems and networks where data is stored?
- Are the Merchant's network, and the systems attached to it, adequately protected against viruses, hackers and other threats?
- Are these systems regularly scanned and patched for vulnerabilities? PCI DSS requires that all systems and networks within the scope of the card data environment be scanned by an Approved Scanning Vendor at least quarterly.
- Is the Merchant’s security regularly tested? For example, by having Penetration Tests.
- Does the Merchant have a plan on how to deal with a breach and is this plan tested? This is often called an Incident Response Plan and can be tuned to deal with all types of breaches for example, the Epsilon Email Breach.
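The password points in the list above (strong passwords, rotation every 30 days or less, and each new password being significantly different rather than the old one with a digit bumped) are easy to state and easy to get wrong in an account-management script. The following is an added example, not code from the original post: a small policy check that refuses a weak new password, refuses one that is the previous password with its trailing digits changed or with a suffix appended, and otherwise requires a minimum edit distance from the previous password. The minimum length of 8, the character-class rules and the edit-distance threshold of 4 are assumed policy values for the example, not figures from the post.

```python
import re
from datetime import date

# Assumed policy values for this example (not from the original post).
MIN_LENGTH = 8
MAX_AGE_DAYS = 30          # rotation interval named in the post's checklist
MIN_EDIT_DISTANCE = 4


def is_strong(password: str) -> bool:
    """Length plus lower, upper, digit and symbol classes."""
    return all((
        len(password) >= MIN_LENGTH,
        re.search(r"[a-z]", password) is not None,
        re.search(r"[A-Z]", password) is not None,
        re.search(r"\d", password) is not None,
        re.search(r"[^\w]", password) is not None,
    ))


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (standard dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def significantly_different(old: str, new: str) -> bool:
    """Reject the 'Password1 -> Password2' family of changes."""
    old_l, new_l = old.lower(), new.lower()
    strip_digits = lambda s: re.sub(r"\d+$", "", s)
    # Same password with only the trailing number changed.
    if strip_digits(old_l) == strip_digits(new_l):
        return False
    # One is simply the other with something appended.
    if new_l.startswith(old_l) or old_l.startswith(new_l):
        return False
    return levenshtein(old_l, new_l) >= MIN_EDIT_DISTANCE


def is_expired(changed_on: date, today: date) -> bool:
    """True once the password is older than the rotation interval."""
    return (today - changed_on).days > MAX_AGE_DAYS


def check_change(old: str, new: str) -> list:
    """Return the list of policy problems with a proposed change (empty = OK)."""
    problems = []
    if not is_strong(new):
        problems.append("too weak")
    if not significantly_different(old, new):
        problems.append("too similar to previous password")
    return problems


if __name__ == "__main__":
    for old, new in [("Summer2024!", "Summer2025!"),
                     ("Password1", "Password2"),
                     ("Summer2024!", "Winter2024!")]:
        print(old, "->", new, check_change(old, new) or "accepted")
    print("expired:", is_expired(date(2011, 3, 1), date(2011, 4, 15)))
```

Case-insensitive comparison matters here: "summer2024!" to "SUMMER2024!" is not a meaningful change either. Note that the old password has to be available in plaintext at the moment of change for this comparison, which is exactly when the user types it; never keep it around for longer.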
In summary, PCI DSS is not the only area of compliance affecting the Call Centre, but PCI DSS does help focus the business on what security, processes and procedures are required to achieve best practice.