How can my contact centre become PCI DSS compliant? A check list of considerations from Simon Beeching of Syntec
After three years of discussion, a new EU Data Protection Framework has been agreed. The new General Data Protection Regulation (GDPR) replaces the current Data Protection Directive. Whilst it won’t come into force for a couple of years, it’s important that your organisation starts preparing now, as it will have a very substantial impact on all entities that handle the data of EU customers.
To comply with the GDPR, organisations will need to embrace three core regulatory components: a new ‘compliance journey’; a new transparency framework; plus an enforcement, sanctions and remedies framework. If a breach occurs, the incident will need to be actively reported to the regulators and those affected may have to be notified too.
There will also be more substantial financial penalties in the event of a breach – potentially up to €20m or 4% of annual worldwide turnover, whichever is greater.
So with payment card security constantly under the spotlight and with consumers increasingly worried about data security and identity fraud, with some well publicised examples of data breaches keeping the issue in the public eye, PCI DSS compliance in your contact centre is even more important than ever.
Here are twelve core areas you need to concentrate on:
Install and maintain a firewall configuration to protect cardholder data – a firewall controls the computer traffic that’s allowed between your internal network and untrusted external networks, as well as controlling traffic to the more sensitive inner areas of your network such as the cardholder data environment. A strong firewall is a key part of protecting any computer network.
Change all your vendor-supplied system passwords – it’s amazing how often we see clients who are using the default password that came with their system. We recently heard of a client whose password was set to ‘changemenow’. System default passwords are widely known and easily guessable. If you don’t change these, it’s the equivalent of leaving the front door of your house on the latch and then being surprised when someone breaks in.
Protect stored cardholder data – the key here is to keep cardholder data storage to an absolute minimum. If you don’t need to store the data then don’t store it (and remember, you are never allowed to store the CV2/card security number at all after authorisation). If you do need to store it then there are ways that you can reduce your risk. For example, you could tokenise card data so you don’t store the full long card number (PAN) either, and you should always ensure that you’re not transmitting unprotected PANs using insecure communication methods such as email, instant messaging and VoIP. And you’ll need to remove or delete card numbers captured in historic call recordings (as well as making sure you don’t record these details in future or ensuring that they are encrypted).
Encrypt transmission of cardholder data across open, public networks – make sure that you’re using strong cryptography and security protocols for this.
Use and regularly update anti-virus software – it’s critical to stay on top of this. New viruses and ways of breaching security are constantly being developed so you need to make sure that you’re always running the latest version of your anti-virus software. It’s not enough just to install it – you need to update it whenever required as well.
Develop and maintain secure systems and applications – make sure that any applications you install or components that are developed for your system are completely up to date in terms of having vendor-supplied security patches installed. Make sure that any web applications you develop are based on secure coding principles. Keep up to date with newly discovered security vulnerabilities that might be relevant to your business and make sure that you address them as soon as you become aware of them.
Restrict access to cardholder data by business need-to-know – think carefully about who actually needs to have access to your data, particularly your customers’ sensitive card details. Access to this data should be on a very strict need to know basis only. If someone doesn’t need the data in order to do their job, then they shouldn’t have access to it. To keep the sensitive payment card numbers out of your contact centre altogether, you can deploy a DTMF phone touchtone payment system such as CardEasy, so customers enter their own payment card numbers using the keypad of their own phone, bypassing the contact centre environment altogether, including staff and call recordings (as well as significantly reducing your PCI DSS compliance requirements since there is no longer any data to protect).
Assign a unique ID to each person with computer access – You need to make sure that everyone has a unique ID that they and only they use to log onto your systems. Doing this helps you create an audit trail so you can see who has been in your systems and what they’ve done while in there.
Restrict physical access to cardholder data – it’s not just a question of restricting computer access to sensitive data but also controlling who’s able to access which parts of your premises.
Track and monitor all access to network resources and cardholder data – keep track of who is accessing the various areas of your network and your card holder data and make sure that nothing untoward is happening. File monitoring software can alert you to any unauthorized access or attempted access as well as to any attempts to modify critical system files.
Regularly test security systems and processes – don’t just assume that because your processes worked six months ago, they’ll still be working now. Things change all the time in the world of cyber security and the pace of change is fast. You need to keep on top of things by regularly testing all your security processes and procedures to make sure that they’re up to date and functioning as they should be.
Maintain a policy that addresses information security – information security isn’t just about the processes and procedures. It’s also about creating a culture of security within your organization. You should set out a clear policy on information security and ensure that all staff understand it. Think about how you induct new staff and help them understand your security policies. Think about how to make sure that existing staff keep their skills and knowledge up to date and don’t become complacent. A concern for data security and an understanding of why it’s so important needs to be threaded throughout your whole organization, from top to bottom. Under the new EU GDPR, larger organisations (those handling significant amounts of sensitive data or monitoring the behaviour of many consumers) will have to appoint a Data Protection Officer to oversee this (if they have not already done so).
Simon Beeching is Business Development Director at Syntec