PCI in Practice - The Actions and Considerations to bring your Business up to Compliance

'Costly to implement, confusing to comply with, and ultimately subjective in their interpretation and enforcement. It is often stated that there are only twelve "Requirements" for PCI compliance. There are over 220 sub-requirements; some of which can place an incredible burden on a retailer and many of which are subject to interpretation.' [i]


Despite being perceived by many organisations as a financial and resource burden, PCI DSS has raised payment security awareness at board level. It is no longer confined to security or risk teams: although it is an industry standard enforced through card-brand and acquirer contracts rather than a law, it is treated with the seriousness of a regulation.



So, what is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organisations that handle debit or credit card payments.[ii]


The standard is maintained by the Payment Card Industry Security Standards Council (PCI SSC), founded by the five major global card brands: Visa, Mastercard, American Express, Discover and JCB. It is not a government regulation; compliance is enforced contractually by the card brands and acquiring banks.


At first, each card brand ran its own security programme. All had the same aim: to protect issuers by requiring merchants to meet a minimum level of security whenever they store, process or transmit cardholder data.


To address interoperability problems among the different standards, a collective effort made by the primary card organisations resulted in the release of version 1.0 of PCI DSS in December 2004.


PCI DSS protects cardholder data anywhere it is processed, stored or transmitted. The security mechanisms and processes required by PCI DSS are crucial for protecting cardholder data whilst reducing the amount of card fraud globally due to the mishandling of the sensitive data associated with payment cards.


Although each of the five card brands maintains its own compliance programme, with its own thresholds and validation requirements, the merchant levels are in general as follows:

  • Level 1: Over 6 million card transactions processed annually
  • Level 2: 1 to 6 million transactions processed annually
  • Level 3: 20,000 to 1 million transactions processed annually
  • Level 4: Fewer than 20,000 transactions processed annually


Before conducting scoping activities, organisations should understand their compliance-reporting obligations by consulting with their acquiring banks or their QSA to confirm their validation requirements.


So far, so good. But what are the direct actions and considerations your business can pursue and take to bring your business up to compliance?




Remove outdated 'pause-and-resume' controls and switch to DTMF


Many organisations use 'pause-and-resume' to keep card details off call recordings. A control that depends on a person pausing and resuming the recording does not, by itself, demonstrate compliance: the agent, the telephony platform and the recording system all remain in scope, and the control fails silently whenever it is not applied. [iii]


Firstly, PCI SSC guidance on telephone-based payments advises that sensitive card data be kept out of call recordings automatically, without relying on an agent or other staff member to intervene. [iv]


Because staff are responsible for pausing the recording, the control is exposed to human error. An agent who forgets to pause before taking payment leaves that customer's card details sitting in the recording archive.


Even with call recording paused, agents can still hear the card details as they are read out. Agents could write these details down and use or share them for malicious purposes or leave them exposed on their desks for others to see.


The better practice is Dual Tone Multi-Frequency (DTMF) masking, which takes contact centre agents out of the card data path altogether. The customer keys the card number, expiry and security code on their telephone keypad; the masking platform captures the tones and replaces them with a flat tone or silence before the audio reaches the agent or the call recorder, so neither ever receives the digits and nothing is read out aloud.


Calls no longer need to be transferred to a separate payment IVR: the agent stays on the line while the customer keys in the payment, which improves the overall experience.




Descope your contact centre


Payment card data is a prime target for attackers, so the first step is to make your organisation a less attractive target. Rather than relying solely on keeping attackers out, encrypt the card data you must hold and, wherever possible, ensure there is no card data in your environment to steal in the first place.


To ensure card data never enters the enterprise, work with a vendor that can provide descoping technologies for payments handled via a contact centre.


Set up this way, card data never enters your own systems, which shrinks the cardholder data environment and the set of PCI DSS requirements you must validate, for telephone, IVR, web and SMS transactions alike. It does not by itself make the organisation compliant: whatever remains in scope, and the relationship with the service provider, still has to be assessed.


Implementing technologies where the caller enters their card or personal details through their telephone keypad prevents the agent from being exposed to sensitive data.


This approach is proving popular with contact centres expanding their home-based and remote workforce, because remote agents use exactly the same controls as their office-based colleagues. Using a PCI DSS validated service provider also lets a busy operation run without the distraction of handling card data directly.


Never store sensitive authentication data after authorisation, even encrypted: that means the full contents of the magnetic stripe or chip, the card security code (CAV2/CVC2/CVV2/CID) and PINs or PIN blocks. Cardholder data such as the PAN should be kept only where there is a documented business need for it.


If you need data storage, limit cardholder data storage and retention time to that required for business, legal, and/or regulatory purposes, as documented in your data retention policy.
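The two paragraphs above are only enforceable if you can prove card data is not leaking into places it should never be: call transcripts, ticket notes, application logs. Below is an added example, not from the original article, of the kind of data-discovery scanner a team runs over such text during scoping. It finds candidate PANs, confirms them with the Luhn check to avoid flagging order numbers, masks them to the first six and last four digits (the PCI DSS display limit), and flags lines that mention sensitive authentication data such as a security code or PIN. The transcript lines are constructed for the example, and 4111 1111 1111 1111 is a widely used test number, not a real card.

```python
import re

# Runs of 13-19 digits, optionally separated by single spaces or hyphens,
# not preceded or followed by another digit (so we never match inside a longer run).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Words that indicate sensitive authentication data (SAD) is being discussed
# or captured: card security code, PIN, track data. Storing SAD after
# authorisation is never permitted, even encrypted.
SAD_KEYWORDS = re.compile(
    r"\b(cvv2?|cvc2?|cav2|cid|security code|pin(?: block)?|track ?[12])\b",
    re.IGNORECASE,
)

# Constructed sample transcript: one real-looking (test) PAN, one order reference
# that is a 13-digit number but is NOT Luhn-valid, and a security-code exchange.
SAMPLE_TRANSCRIPT = [
    "[10:02:11] agent: can I take the long number on the front of the card?",
    "[10:02:19] customer: it's 4111 1111 1111 1111",
    "[10:02:25] agent: and the three digit security code on the back?",
    "[10:02:28] customer: 737",
    "[10:03:40] agent: your order reference is 1234567890123, thanks",
]


def luhn_valid(digits: str) -> bool:
    """Luhn check (ISO/IEC 7812): doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits; star out the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> list:
    """Return the Luhn-valid PANs in text, normalised to bare digit strings."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


def scan_lines(lines) -> list:
    """Scan lines of text; return (line_no, kind, detail) findings.

    PAN findings carry the masked PAN so the report itself does not become
    a new store of cardholder data.
    """
    findings = []
    for n, line in enumerate(lines, 1):
        for pan in find_pans(line):
            findings.append((n, "PAN", mask_pan(pan)))
        kw = SAD_KEYWORDS.search(line)
        if kw:
            findings.append((n, "SAD-KEYWORD", kw.group().upper()))
    return findings


def redact(text: str) -> str:
    """Replace every Luhn-valid PAN in text with its masked form, in place."""
    def repl(m):
        digits = re.sub(r"[ -]", "", m.group())
        return mask_pan(digits) if luhn_valid(digits) else m.group()
    return PAN_CANDIDATE.sub(repl, text)


if __name__ == "__main__":
    for line_no, kind, detail in scan_lines(SAMPLE_TRANSCRIPT):
        print(f"line {line_no}: {kind} {detail}")
    print(redact(SAMPLE_TRANSCRIPT[1]))
```

Run over the sample, the scanner reports the PAN on line 2 (masked) and the security-code discussion on line 3, and leaves the order reference on line 5 alone because it fails the Luhn check. A keyword hit is a prompt to inspect the surrounding lines, not proof that SAD was stored; a PAN hit in a transcript or log is always a retention problem.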


'Card data is extremely difficult to compromise if you never handled it in the first place.'




Look to the cloud


Opting for cloud-hosted PCI compliance solutions removes the need to integrate card payment software directly into your organisation's desktop environment. Instead, the solution integrates with your existing telephony and payment infrastructure, and the hosted environment carries most of the in-scope components. It does not remove all responsibility: you still have to manage the service provider relationship, confirm its own PCI DSS validation status and document which requirements it covers on your behalf.




Assess your people processes

According to the PCI Security Standards Council, people typically represent one of the highest risks when it comes to data security, whether intentional or accidental. For example, compromises can originate inside an organisation from any person who handles calls or may have access to systems and processes where telephone-based payment transactions are managed.


You can remove this layer of risk by not exposing your staff to payment card details when handling transactions over the phone.




Final Thoughts


The PCI SSC released version 4.0 at the end of March 2022. PCI DSS v3.2.1 is retired on 31 March 2024, after which version 4.0 is the only active version. Note that a number of v4.0 requirements are designated best practice until 31 March 2025, when they become mandatory.


The standard will not go away. Customers' expectation that their data will be protected, and agents' expectation that they will not be exposed to a potential data breach, will only become more entrenched as time goes on.


For those interested in understanding security framework standards, the PCI SSC provides training, and its blog is an excellent source of information.



References

[i] "Do the Payment Card Industry Data Standards Reduce Cybercrime? A Hearing before the Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology of the Committee on Homeland Security, House of Representatives, One Hundred Eleventh Congress, First Session, March 31, 2009". GPO, March 31, 2009. Retrieved December 2022.

[ii] PCI Security Standards Council. (2023, January 3). Official PCI Security Standards Council Site - Verify PCI Compliance, Download Data Security and Credit Card Security Standards. https://www.pcisecuritystandards.org/

[iii] Pause-and-Resume: How secure is it? (2022, October 12). Eckoh UK. https://www.eckoh.com/blog/pause-and-resume-how-secure-is-it. Retrieved December 2022.

[iv] PCI Security Standards Council. PCI DSS Version 2.0, March 2011.


