Expert insights – John Greenwood on descoping from PCI DSS, DTMF secure payment and GDPR

Expert insights, PCI DSS

Expert insights – John Greenwood on descoping from PCI DSS, DTMF secure payment and GDPR

Our second Expert Insight interviewee is John Greenwood, Executive Director of Compliance3 and contact center, GDPR and PCI expert. 

Please can you tell me something about your background and what your current role is and your involvement in payment card security?

My background is in customer contact outsourcing where my role has always been on the commercial side, translating client financial objectives into operational deliverables. I’ve done that for large national and global providers as well as my own company. Starting in the early 90’s in telemarketing, I went through the transition from call center to contact center and have witnessed the reality of brands treating customer data as almost external, to today, where data is core.

My work has always been about supporting large transition projects, helping organizations bring the customer closer to the center of their operations. At the beginning that meant helping technology brands launch their ISP, financial services firms launch their direct offerings, mobile phone companies launch their UK brands. Later that translated to helping brands launch their home shopping and ecommerce operations and supporting multi-channel contact.

I’ve also done my bit for the UK contact center industry, being on the Call2Contact Board of e-Skills, the first Skills Council representing outsourcers and small business and was part of the team that set up the Outsourcers Group within the CCA and Call-Northwest.

In 2011 I was asked to help solve a payments compliance challenge for one of Worldpay’s larger merchants who were outsourcing their contact center estate. What made this different was that there were millions of legacy call recordings within the card data environment (CDE) that were in scope of PCI DSS and maintaining access to those files was a key part of the requirements. The successful outcome allowed them to be the first merchant globally to have no CDE but still have access to the legacy call recording file. On the back of that, I was introduced to the PCI Council and was then asked to head up a team to draft a rewrite the secure telephone payment guidelines, and that’s still on my desk now.

I helped set up Compliance3 in 2014 to help organizations try and get the balance right between customer experience and compliance in payments and personal data. We are technology agnostic and still spend a lot of time contact centers talking about PCI DSS.

What do you think are the main challenges that face contact center managers these days that are trying to ensure payment card security?

The biggest challenge for contact center managers is having a board champion to implement a holistic data security strategy that includes the security of payment card data. It’s the lack of those strategic plans that makes life very challenging for the contact center manager.

In what way?

A strategic plan should consider how to deal with payment card data. Typically, the security of payment card data and compliance with PCI DSS sits with technology departments because it’s a security requirement and it’s not the law. Therefore, it’s a contractual obligation between the merchant and their acquirer or between a third party service provider and their clients. The lack of a strategy just continues to put an obligation on the IT department to meet the requirements of the PCI DSS.

If a strategy is designed to reduce the overall time, cost and effort in maintaining PCI DSS compliance, then that strategy should be to avoid establishing a card data environment in the first place. If the call center manager was given that strategy to deploy, then they might have more choices on how to keep card data secure.

Why is it then that organizations are not adopting that strategy?

Lack of understanding, driven primarily by the current PCI DSS guidelines being so far out of date. A vacuum has appeared within which telephony service providers and technology vendors in the contact center space haven’t had the guidance or been given the awareness, knowledge and understanding of the impact of cardholder data on the scope of PCI DSS.

The current guidelines date back to 2011. They were pushed out by the Council before scope reduction technologies were readily available in the market. The current guidance document on securing telephone payment data references an earlier version of the standard, version 2, but we’re already on version 3.2.1, so the guidance isn’t up to date. Therefore, boards of directors and other decision-makers have not perhaps had the written guidance that they would have relied on in the formation of a strategy.

I also think that the GDPR has heightened awareness of data security, has brought data security into the Board’s environment and, hopefully, has shared the load with over-burdened information security or IT departments over the last decade, where those departments have had to battle with the business as usual demands.

Is there also an issue with multiple stakeholders within organizations leading to a lack of clarity regarding where ownership of card security sits?

Yes, there is. Simply because that means there is no real owner. Typically, PCI DSS ownership has sat with the treasury department rather than the IT department because treasury own the relationship with the acquirer, and payment cardholder data security is a contractual obligation between the acquirer and the merchant. So, whoever owns the relationship with the acquirer should ultimately own the contract and in the contract is all about data security. Treasury might push that out to IT but I don’t think there should be any ambiguity about ownership.

What there’s ambiguity about is how best to deal with the costs, the time and effort and resources required to maintain compliance, and where that sits in the priority list.  Cardholder data is now personally identifiable information, which means that it falls within the GDPR.

We brief our clients on the advantages of considering PCI DSS within their GDPR readiness projects. Don’t leave card data behind, bring it in as part of the project and you’ll kill two birds with one stone. You’ll meet your legal obligations of the GDPR and at the same time, you should reduce the time, cost and effort in maintaining the contractual obligations of your acquirer.

Do merchants see PCI purely as a cost or do they see a benefit too?

Historically PCI DSS has been seen as a cost. It’s been seen as an unwanted cost and it’s generally ‘a pain in the backside’. I think that’s changing because of the GDPR and how GDPR transition projects have put data security higher up the corporate agenda.  It’s only over the last 12 to 18 months that people have seen the benefit of establishing a ‘no card data environment’ simply because they realise that such an approach reduces their GDPR footprint and takes those additional risks off the table.  However, somebody still needs to put PCI compliance on the priority list and make someone, either internal or external, responsible for building a solid business case.

What are the best methods of achieving a no card data environment?

For the contact center, it’s to prevent spoken card data entering the organization. In that way, the telephony infrastructure within the organization is taken out of scope. A telephone call is treated as data by many organizations now as they’ve transitioned from what was old cabling to voice being just data and the voice network being part of the data network.

Because of these converged network scenarios, by preventing card data entering that environment using DTMF touchtone entry by the paying customer of the PAN (long card number) and SAD (Sensitive Authentication Data, or CV2) whilst on a call, you negate the need to segment that data.

We’re dealing with a couple of organizations at the moment where their worldwide networks are in scope because spoken payment card data enters their contact centers. If they’ve no scope, then there’s no risk or there’s no card data to secure. It still means that the PCI DSS applies because you’ve got to manage the third parties that are providing the services that are preventing the card data entering your organization. That’s the best way to secure it simply because it means that there’s no card data there to secure.

Why is it still so common for consumers to be asked to read out their card details over the phone?

We did our own research in 2016/17 which clearly showed that nearly 60% of UK consumers would prefer not to have to speak their payment card details to a stranger. Also, over half, 55%, would prefer that organizations met the minimum international data security standards when dealing with their data.

The reason is consumer awareness of data security. On the 25th May the ICO started their own public awareness campaign for GDPR. That’s a good opportunity for the technology vendors supporting PCI scope reduction to make the connection with the efforts of the ICO and to broaden the consumer opinion on securing data.

Up to now, nobody in the technology vendor space has really focused on getting marketing messages direct to the consumer because that would potentially upset the target audience, which is the merchants themselves or the entities supporting them. The vendors simply don’t want to put people off making payments over the phone. They just want it to happen securely. The vendors’ clients actually want to promote the use of the telephone in payments because of the reassurance that it gives the customer of speaking to the brand.

I think there’s now a good opportunity to move marketing messaging towards the consumer. Perhaps we’re moving towards the need for some sort of independent trade association to begin to promote security in spoken payment card data.

How well understood do you think DTMF payment technology is in the marketplace at the moment?

If you gave me one to five, five being very well understood and one being no awareness, I’d probably say amongst call center managers we’re probably at about a three. I sense amongst larger contact centers awareness is higher. I suspect amongst smaller contact centers, i.e. a hundred and less, then there may be some awareness but they’ve not really explored the idea because of cost.

Again, it comes back to the business case. The original business case was based on the risk of fraud. It was based on non-compliance fines for merchants. What’s not really understood or published widely is that in May 2016 the card schemes changed the way they recovered the cost of fraud. Prior to that, the card schemes recovered the cost of fraud as a charge for non-compliance to the acquirers. After that date, they don’t recover the costs by making a non-compliance charge to the acquirers. They only make a charge to the acquirer or directly to the merchant, where there’s that direct relationship, which is mostly the US, in the event of a data breach. The business case then was based on fear of these fines and so forth. The business case now has to be based on some facts, on pure costs, what costs are we going to save. The business case now has to be much more thorough and has to be much more detailed in how it’s put together.