How can my contact center become PCI DSS compliant? A checklist of considerations


After three years of discussion, a new EU Data Protection Framework has been agreed. The new General Data Protection Regulation (GDPR) replaces the current Data Protection Directive. Whilst it won’t come into force for a couple of years, it’s important that your organization starts preparing now, as it will have a very substantial impact on all entities that handle the data of EU customers.

To comply with the GDPR, organizations will need to embrace three core regulatory components: a new ‘compliance journey’; a new transparency framework; plus an enforcement, sanctions and remedies framework. If a breach occurs, the incident will need to be actively reported to the regulators and those affected may have to be notified too.

There will also be more substantial financial penalties in the event of a breach – potentially up to €20m or 4% of annual worldwide turnover, whichever is greater.

So with payment card security constantly under the spotlight, with consumers increasingly worried about data security and identity fraud, and with some well-publicised data breaches keeping the issue in the public eye, PCI DSS compliance in your contact center is more important than ever.

Here are twelve core areas you need to concentrate on:

  1. Install and maintain a firewall configuration to protect cardholder data – a firewall controls the computer traffic that’s allowed between your internal network and untrusted external networks, as well as controlling traffic to the more sensitive inner areas of your network such as the cardholder data environment. A strong firewall is a key part of protecting any computer network.
  2. Change all your vendor-supplied system passwords – it’s amazing how often we see clients who are using the default password that came with their system.  We recently heard of a client whose password was set to ‘changemenow’. System default passwords are widely known and easily guessable. If you don’t change these, it’s the equivalent of leaving the front door of your house on the latch and then being surprised when someone breaks in.
  3. Protect stored cardholder data – the key here is to keep cardholder data storage to an absolute minimum. If you don’t need to store the data then don’t store it (and remember, you are never allowed to store the CV2/card security number at all after authorisation). If you do need to store it then there are ways that you can reduce your risk. For example, you could tokenise card data so you don’t store the full long card number (PAN) either, and you should always ensure that you’re not transmitting unprotected PANs using insecure communication methods such as email, instant messaging and VoIP. And you’ll need to remove or delete card numbers captured in historic call recordings (as well as making sure you don’t record these details in future, or ensuring that they are encrypted).
  4. Encrypt transmission of cardholder data across open, public networks – make sure that you’re using strong cryptography and security protocols for this.
  5. Use and regularly update anti-virus software – it’s critical to stay on top of this. New viruses and ways of breaching security are constantly being developed so you need to make sure that you’re always running the latest version of your anti-virus software. It’s not enough just to install it – you need to update it whenever required as well.
  6. Develop and maintain secure systems and applications – make sure that any applications you install or components that are developed for your system are completely up to date in terms of having vendor-supplied security patches installed. Make sure that any web applications you develop are based on secure coding principles. Keep up to date with newly discovered security vulnerabilities that might be relevant to your business and make sure that you address them as soon as you become aware of them.
  7. Restrict access to cardholder data by business need-to-know – think carefully about who actually needs to have access to your data, particularly your customers’ sensitive card details. Access to this data should be on a very strict need-to-know basis only. If someone doesn’t need the data in order to do their job, then they shouldn’t have access to it. To keep the sensitive payment card numbers out of your contact center altogether, you can deploy a DTMF phone touchtone payment system such as CardEasy, so customers enter their own payment card numbers using the keypad of their own phone, bypassing the contact center environment altogether, including staff and call recordings (as well as significantly reducing your PCI DSS compliance requirements, since there is no longer any data to protect).
  8. Assign a unique ID to each person with computer access – you need to make sure that everyone has a unique ID that they and only they use to log on to your systems. Doing this helps you create an audit trail so you can see who has been in your systems and what they’ve done while in there.
  9. Restrict physical access to cardholder data – it’s not just a question of restricting computer access to sensitive data but also of controlling who’s able to access which parts of your premises.
  10. Track and monitor all access to network resources and cardholder data – keep track of who is accessing the various areas of your network and your cardholder data and make sure that nothing untoward is happening. File monitoring software can alert you to any unauthorized access or attempted access as well as to any attempts to modify critical system files.
  11. Regularly test security systems and processes – don’t just assume that because your processes worked six months ago, they’ll still be working now. Things change all the time in the world of cyber security and the pace of change is fast. You need to keep on top of things by regularly testing all your security processes and procedures to make sure that they’re up to date and functioning as they should be.
  12. Maintain a policy that addresses information security – information security isn’t just about the processes and procedures. It’s also about creating a culture of security within your organization. You should set out a clear policy on information security and ensure that all staff understand it. Think about how you induct new staff and help them understand your security policies. Think about how to make sure that existing staff keep their skills and knowledge up to date and don’t become complacent. A concern for data security and an understanding of why it’s so important needs to be threaded throughout your whole organization, from top to bottom. Under the new EU GDPR, larger organizations (those handling significant amounts of sensitive data or monitoring the behaviour of many consumers) will have to appoint a Data Protection Officer to oversee this (if they have not already done so).
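Item 3 above asks you to tokenise PANs and to remove card numbers that were captured in historic call recordings or transcripts. The Python below is an added example, not code from the original article or from CardEasy: it scans a constructed transcript line for candidate card numbers, keeps only those that pass the Luhn check (so ticket or phone numbers are left alone), and swaps each one for a token issued by a hypothetical in-memory `TokenVault` that stands in for a real tokenisation service.

```python
import re
import secrets

# Candidate PANs: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check used for payment card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class TokenVault:
    """Hypothetical in-memory stand-in for a tokenisation service (constructed for this example).
    A real vault sits outside the contact center environment; only the token is stored near transcripts."""

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}
        self._pan_to_token: dict[str, str] = {}

    def tokenise(self, pan: str) -> str:
        """Return a stable random token for this PAN; the token itself carries no card data."""
        if pan not in self._pan_to_token:
            token = "tok_" + secrets.token_hex(8)
            self._token_to_pan[token] = pan
            self._pan_to_token[pan] = token
        return self._pan_to_token[pan]

def redact_pans(text: str, vault: TokenVault) -> tuple[str, list[str]]:
    """Replace every Luhn-valid PAN in text with a vault token.
    Returns the redacted text and the tokens issued, in order of appearance."""
    issued: list[str] = []

    def _replace(match: re.Match) -> str:
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)  # not a card number (e.g. a ticket or account reference)
        token = vault.tokenise(digits)
        issued.append(token)
        return token

    return PAN_CANDIDATE.sub(_replace, text), issued

# Constructed sample: the card number is a well-known test PAN; the ticket reference fails Luhn.
SAMPLE_TRANSCRIPT = "Customer: my card is 4111 1111 1111 1111, exp 12/26. Ticket ref 4111-1111-1111-1112."
```

Run `redact_pans(SAMPLE_TRANSCRIPT, TokenVault())` over each stored transcript before it is written to disk; the same scan can be used as a detective control over existing archives to find PANs that should never have been retained.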