Cognia - ContactCenterWorld.com Blog
Merchants lost a significantly higher percentage of revenue to fraud in 2014 at 0.68 percent, compared to 0.51 percent in 2013, according to LexisNexis. And ‘pause and resume’ isn’t helping.
‘Pause and resume’ does nothing to address the risk of fraud posed by malicious call center employees and is open to manual and system gaps that can make complete credit card details available to any hacker analyzing call recordings.
Designed originally as a way of complying with the Payment Card Industry Data Security Standard (PCI-DSS), ‘pause and resume’ payment processing has since proved to be ineffective, posing significant risks to customer data security.
The risk of fraud, however, isn’t the only hidden cost of ‘pause and resume’.
There are three main costs, beyond fraud, that call center managers should be aware of when assessing if ‘pause and resume’ is still fit-for-purpose in their business.
The hidden cost of compliance
There are 904 separate reporting entries in PCI DSS version 3.0 and they take time and money to comply with. ‘Pause and resume’ does nothing to reduce this cost.
On the other hand, cloud-hosted dual-tone multi-frequency (DTMF) suppression ensures that sensitive payment data never enters your contact center or reaches your agents, eliminating over 90 percent of those reporting entries from your costly compliance list.
The hidden cost of compliant resolution
By pausing the call recording, call centers are open to both malicious agent activity and attempted scams from customers.
Without a complete audit trail, either side can claim something was promised or certain permissions were given and you may be left having to invest time and money resolving a claim for which you have no evidence either way.
The hidden cost of lost sales
Customers are constantly being told to be vigilant for potential fraud risks when handing over their card details. London’s Metropolitan Police website, for example, advises:
Writing payment card details on a form or giving details over the phone is inherently less secure than using a secure web site due to the human interactions.
Customers are looking for a clear and robust process which protects the privacy of their card details. ‘Pause and resume’, however, is a hidden compliance process that offers no reassurance to the customer and could be costing a fortune in lost conversions.
When you add it up, can you really afford to continue with ‘pause and resume’ payment processing? Or is it time to find a more efficient way to remain compliant and a better way to mitigate risk?
Publish Date: March 30, 2016
Cloud is a strategy decision, not an IT decision
Contact center managers increasingly see cloud as more than an alternative to on-premise infrastructure, but as the preferred choice.
‘When we first started talking about cloud, the discussion was about it being cheaper but I think we’ve matured to a much more subtle view of what cloud means,’ – Art Schoeller, principal analyst at Forrester.
By the end of 2014, 62 percent of companies had already implemented cloud-based contact center solutions, according to a benchmark study by DMG Consulting. Cloud isn’t disruptive anymore. It’s the new normal.
In fact, Steve Morrell, an analyst at ContactBabel concludes that, ‘the trend towards cloud adoption seems unstoppable for a large part of the contact center industry.’
So why do contact centers work so much better with cloud technology?
1 The shift from CAPEX to OPEX
As Opus Research’s report, ‘Beyond the checklist: 10 attributes of cloud contact centers’ rightly points out, ‘The move to the cloud started as a blatant play to save money by cutting capital expenditures on new equipment and software.’
While the benefits of cloud have evolved since then, the point still holds true. The cloud provides an infinitely scalable and flexible resource that can be paid for like any other utility: as you consume it not years in advance.
2 Technology that meets business needs
The near-instant scalability of the cloud means you can respond rapidly to fluctuating customer demand. And since cloud technology isn’t dependent on location, agents can easily work from home or other remote locations– a big potential boost to productivity and business continuity.
As Klaas van der Leest, UK managing director of Intelecom says, ‘the ability to add agents across centralized or distributed locations can make the difference between success and failure when responding to customer demand.’
3 Global deployment, central management
Ensuring business-wide consistency while allowing for regional needs across distributed contact centers can be a big technological headache.
With the cloud, however, you can deploy the same technology to every location and manage local permissions and configurations centrally. Plus, since cloud environments can be spun up so quickly, new contact center deployment is much simpler and faster, no matter the location.
4 Focus on what you do best
When you move to the cloud ‘there is a rise in agility as you can free up some of your people to do more of the important things in the contact center,’ says Art Schoeller, principal analyst at Forrester.
Contact center managers should be focusing on workflow optimization, productivity, customer service, conversion rates and employee development. Outsourcing the technology needed to achieve those goals to cloud-based providers, rather than trying to do it all in-house and on-premise, gives them the capacity to do just that.
5 Outsource your biggest problems
PCI compliance, security, service uptime and hardware maintenance take a lot of time and resources. Moving to reputable cloud providers hands these problems over to people who can devote significant resources to them.
Efficiencies of scale mean that the best cloud providers can offer much better service level agreements, better security and more advanced technology than most firms can provision in-house on an economic basis.
At Cognia, for example, we’ve built our cloud services on Amazon Web Services, which has more than ten times the computing capacity of the next 14 largest infrastructure vendors combined. Our products also ensure sensitive payment card data never enters your call center, de-scoping over 90 percent of PCI compliance controls while protecting your customer data with multiple levels of encryption and security.
6 Better security
It’s simple: just as cloud providers are experts in technology and can provide the kind of resilience and scalability that would be impossible to achieve on-premise, so it goes with security.
You have the rest of your business to think about; security isn’t your specialty. For reputable cloud vendors, however, it can be their biggest differentiator and selling point.
It would be foolish to suggest that the cloud is a fix-all for all contact centers, and of course, each deployment and vendor should be assessed against business need. More often than not, however, cloud will win out.
Publish Date: August 13, 2015
Cloud technology is not a novelty in contact centres anymore. It’s the new normal. Ten reasons why contact centre managers are embracing the cloud like never before.
Nearly half (48 percent) of the call centre managers surveyed in ContactBabel’s latest Inner Circle Guide to Cloud-Based Contact Centre Solutions were already hosting some functionality in the cloud and the number is growing. They’re using cloud-hosted software like CRM and helpdesk applications, cloud infrastructure for telephony, CTI and IVR as well as cloud payment processing solutions. From our experience at Cognia, we see ten main reasons why cloud technology is taking centre stage:
1. Flexibility of OPEX over CAPEX. The shift from upfront capital costs to ongoing pay-as-you-go operational costs means that cloud-based solutions offer contact centre managers a way to deploy new technology and scale up or down in a cost-effective way. One of the report findings states: ‘For outsourcers and telemarketers who may have call volumes that vary dramatically depending on campaign levels, solutions with a flexible pay per usage pricing structure are particularly important.’
2. Cloud technology helps to cut costs. While cloud technology is often cheaper to acquire and run than competing on-premise systems, greater savings come from flexibility and improved efficiency. As one contributor to the report says: ‘The biggest cost savings come from the flexibility that a cloud solution provides, allowing you to scale your operations to meet your changing needs. From adding seasonal employees, to handling volume spikes, to growing your permanent workforce, a cloud solution makes it easy to add or remove agents based on your business requirements.’
3. Security of the cloud. The majority of respondents (73 percent) did not rate cloud security risks as a great concern. Indeed, good providers generally have better security than most of their customers. As the report explains, ‘serious cloud-based solution providers have invested very heavily in physical and logical security, which many organisations have not done themselves, as it is in the solution providers’ own best interests to do so’.
4. Cloud technology integrates with existing infrastructure. Although everyone appreciates the value of cloud solutions, inserting them into multi-faceted legacy system environments has always been a barrier to cloud adoption. For this reason, cloud providers have to work hard to integrate with legacy systems and have sophisticated ways to do so. For example, Cognia integrates its DTMF tone masking technology upstream of the call centre so that it protects all calls coming into a client’s phone system, and its payment processing software can be integrated into different agent applications, whether it’s a simple iframe on a website or a direct integration into a CRM application.
5. Cloud solutions cure compliance headaches. Contact centres face a host of regulations and compliance requirements. For example, if they process payment card information, they must comply with PCI DSS and this imposes a 904-item checklist and, with it, higher operational costs. Cloud solutions can remove the problem by moving whole processes out of the contact centre altogether.
6. The cloud supports flexible working. The flexibility benefits introduced by PAYG cloud services can extend well beyond systems capacity: cloud technology makes it easier for staff to work from home or different regional offices. They can access VoIP phone systems, connect to cloud CRM apps and take payments securely with payment card processing done upstream in the cloud. As a result, companies can be more flexible in rostering, hire staff in multiple locations, allow people to work at home and so on.
7. Recruitment is easier with the cloud. The flexibility offered by cloud-hosted technology means that recruitment (accounting for 2.7 percent of operating costs) becomes easier because companies can draw on a larger talent pool in more locations. In addition, the ability to work from home or work flexible hours is good for employee morale, which in turn improves staff retention.
8. The cloud simplifies scalability. In traditional call centres, adding more users requires additional hardware and software licences. This can be a slow and expensive process. Likewise, changing processes, such as IVR workflows, to respond to evolving business requirements could become a complex process with expensive consultants required to reprogram onsite equipment. With the cloud, adding extra capacity (more lines, new workflows, extra licences or more users, for example) takes minutes. As the report says, ‘Scalability is key’.
9. Infinite storage on demand. We’ve all heard it: ‘your call may be recorded’. But where do those recordings go? If they’re stored on premise, they require an ever-expanding stack of hardware and all the security and compliance issues that go with it. Move the storage to the cloud, however, and contact centres get virtually unlimited storage but only pay for what they actually use.
10. Improved performance and reliability. The majority of small and medium-sized businesses can’t afford the levels of duplication, redundancy and IT management required to deliver consistently high levels of performance and availability. On the other hand, global firms like Microsoft, Google and Amazon can invest heavily and offer 99.9 percent availability or higher with service level agreements as a guarantee. In addition, the very nature of cloud services (as the report says, ‘they can be accessed from anywhere by anyone with a browser, with little or no client-side software needed’) means that problems at the client’s premises can be circumvented by physically moving staff elsewhere.
With the right approach and the right suppliers, respondents are seeing real benefits from the cloud: 82 percent agree that the overall cost of ownership is cheaper. Perhaps more importantly, in the long run, they report that the cloud is making it easier to make changes, add new functionality and operate more flexibly.
Publish Date: July 10, 2015
The risks of payment card fraud and data breaches haunt contact centre managers
No wonder. Last year, 700 million records were exposed in data breaches with an estimated financial loss of £256 million and stolen credit card details sell for up to £13 each on the black market.
There is a clear and present danger to companies that process payment card data in call and contact centres. Despite this, a recent report by ContactBabel highlights a surprising level of complacency and an opportunity to make quick improvements by replacing outdated ‘pause-and-resume’ recording technology.
Your customer data at risk
The threats are evolving and constant so companies need to review and update their controls regularly to stay ahead of the criminals. In this context, it may not be a viable strategy to rely on measures that are merely ‘good enough’, or controls that worked in the past.
Similarly, in this light, it may not be enough to meet the high standards of PCI DSS compliance if it means doing so at a single point in time while ignoring the need for on-going security. Indeed, PCI DSS version 3.0 already recommends more business-as-usual control measures than previous versions and future standards may raise the bar higher.
One area of particular concern is ‘pause-and-resume’ recording as a way of securely handling customer payment card data. It ‘has had its day,’ says ContactBabel’s Inner Circle Guide to PCI DSS Compliance in the Contact Centre, ‘It is high risk and not efficient for a PCI compliant environment.’
The high price of ‘pause and resume’
Even with expensive clean rooms, pause-and-resume gives virtually no protection against malicious employees, increasing the risk of reputation-damaging data losses. In addition, it increases the risk of accidental exposure of credit card information because it relies so heavily on people following procedures properly all the time. (And how often does that happen in the real world?)
Once toxic data gets into your call centre, it requires expensive exception handling and potentially brings all your systems into scope for PCI compliance. With 904 separate reporting entries in PCI DSS version 3.0, compliance can be very expensive to achieve if any agent is potentially exposed to toxic data.
Despite these dangers and despite the fact that one in five of the 200+ UK contact centres that took part in ContactBabel’s survey are not yet fully PCI compliant, 59 percent of them were still using pause-and-resume voice recording while taking payment card data over the phone. It’s time for a change.
No longer fit for purpose
The report is conclusive: ‘When the first set of PCI DSS regulations came out, pause and resume was seen as a quick and easy fix to handle the problem of keeping sensitive authentication data out of call recordings. As time has passed, regulations have grown more strict and the growing importance of and focus upon wider data security has meant that many organisations are now looking beyond simply keeping call recording compliant.’
Criminals and hackers are not going away and neither is the risk (and opportunity cost) of outdated approaches to security. Instead, the report recommends that companies: ‘Embrace the power of true cloud offerings that are highly secure and based on market leading Infrastructure-as-a-Service. Outsource the problem while you focus on your customers.’ Here at Cognia, we couldn’t agree more.
Publish Date: May 20, 2015
By taking a proactive approach you can eliminate over 70% (Ponemon Institute) of the potential causes of a data breach in your contact centre
British Airways’ air-miles accounts, the coding site GitHub and the work chat service Slack have all been hit in the latest wave of cyber-attacks.
Complaints about points being stolen from BA’s Executive Club scheme date back at least a fortnight. One user reported a false booking for a hotel room in Spain, while others reported that a list of fraudulent transactions had wiped out their entire credit.
This kind of high profile data breach is regularly making the news and usually involves cyber criminals stealing hundreds of thousands of passwords, customer account details or credit card data.
While it is probably never going to be possible to 100% safeguard your company from attacks, the good news is that you can take simple and cost effective steps to prevent them and shore-up your defences.
What could a data breach cost your company?
According to a recently published IBM/Ponemon report, the average cost of a data breach rose 15% in the last year to nearly £2.5 million. The average cost of each lost or stolen record increased by more than 9% to £98.
Costs are split into two groups: direct and indirect. Direct costs are those involved with managing the breach, investigating its cause and taking corrective action, as well as legal costs and regulatory fines. These only account for about one-third of the total costs.
Indirect costs are harder to quantify and their effects are longer lasting and far reaching. They include increased customer turnover, increased customer acquisition costs as well as loss of reputation and goodwill.
What are the causes of data breaches?
Various sources give different figures, but all agree that there are several major categories. The 2013 Ponemon Institute report “The Post Breach Boom”, gives the following figures (note that each respondent to the survey was able to choose more than one response):
What becomes clear from these figures, and is corroborated by other research, is that the majority of data breaches result from factors that are under a company’s control: its employees, contractors, service providers, processes and systems.
What about the contact centre?
All possible causes of data breach are in play in the contact centre. Now that most contact centres are multi-channel hubs interfacing both with the web and numerous business unit data silos, malicious criminal attack by outside hackers will always be a concern.
But given the nature of contact centre operations – people using systems to process transactions – the biggest threats are all internal. To be more specific, data breaches in the contact centre will nearly always be traced back to some failure in key systems or processes that allow sensitive customer or company data to be exposed to unauthorised staff or third parties.
With so much at stake in terms of your brand’s reputation and goodwill, it is arguable that information security is now one of the most important factors in any customer experience strategy.
What steps should be taken?
Measures will differ and have a different emphasis depending on which payment acceptance channels are dominant. QSA assessment is a key way to validate compliance with the PCI DSS, but this still needs to fall within an overall information security framework that the whole organisation supports.
For example, if taking phone payments is a key channel for your contact centre, arguably removing your systems and people from PCI DSS compliance scope is the best way forward and the most cost effective in the long term. All IT systems and networks accessible by contact centre agents, back-office staff, supervisors, QA staff, IT staff and third parties are vulnerable, so remove them from the risk path.
Other approaches such as setting up ‘clean room’ environments or choosing not to take voice card payments at all, offer additional ways to reduce the risk of a data breach, but considerations of practicality, cost and customer experience all need to figure in establishing a strategy that is right for your business.
By taking a proactive approach you can eliminate over 70% (Ponemon Institute) of the potential causes of a data breach in your contact centre. Given the direct and indirect costs of such breaches are so high, allocating budget now to prevent them could save you a fortune in the future.
First published in CallCentre.co.uk
Publish Date: April 10, 2015
Curtis Nash, CEO of Cognia, a provider of cloud-based PCI compliance payment processing solutions, looks at how contact centres can cost-effectively meet the more stringent requirements of PCI DSS 3.0. With the introduction of the Payment Card Industry Data Security Standards (PCI DSS) version 3.0 at the start of the year, it’s a good time to assess how contact centres can comply while keeping both costs and the operational burden to a minimum.
Payment processing options
In order to de-scope as much of the contact centre as possible to reduce the compliance burden while ensuring security, there are several options. I will quickly summarise the pros and cons of the main ones here.
The first thing to say is that having customers read their card details to an agent, who then types them into an application on their desktop, is not in itself a PCI compliant process: it puts the agent, their desktop, the telephony system and any call recording fully in scope, and the card security code must never be retained once the payment has been authorised. Doing it is asking for a world of trouble, and yet according to the 2014 Contact Centre Decision Maker’s Guide over 66% of all contact centres and 74% of outsourcers still take payments manually.
Payment Processing Methods by Vertical
Any solution which can take call centre systems and staff out of the scope of PCI DSS by shielding them from card data, without negatively affecting operations, will reduce the cost and effort of compliance, and the risk of fraud.
However, many IVR payment processing solutions still leave parts of the contact centre infrastructure exposed to customer card data, meaning that compliance measures must be put in place.
In the case of hosted or cloud IVR payment processing services, payment card information can be entirely removed from the contact centre environment. This massively reduces the scope of the contact centre’s PCI assessment and with it the cost and complexity of compliance.
Solution 1: ‘Clean room’ environment and manual processes
This involves isolating staff who handle payments from other staff, and ensuring that they are not allowed pens, paper, mobile phones or any other recording and communications equipment at their desks. Staff need to be heavily trained in PCI compliant processes and constantly monitored. It is estimated that the cost of implementing a ‘clean room’ environment can be as high as £2,000 per agent.
Of course this method still exposes agents and IT / telephony systems to payment card details, so the organisation will be required to meet 100% of the PCI requirements. This is not only intensive to set-up and manage it also requires an exhaustive annual audit.
Solution 2: Pause and resume recording
PCI DSS prohibits storing sensitive authentication data, such as the card security code, after authorisation, and any PAN that is stored must be protected; these rules apply to call and screen recordings made for quality purposes just as much as to databases. For regulatory, complaint handling and anti-fraud purposes most contact centres routinely record a good percentage of interactions. In this case the agent can manually pause the recording at desktop level while payment details are given, or the system can automatically pause.
This can require complex integration of the call and screen recording software, and may lead to human error and incomplete records of interactions. And because agents and other internal systems are still exposed to card data, 100% of the PCI requirements will still be in play.
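To make the two failure modes of pause and resume concrete, here is an added example (not Cognia's code, and not a description of any particular recorder) that simulates a pause-and-resume recorder over constructed call transcripts and then audits what actually reached the archive with a Luhn-validated PAN scan. The transcripts, call IDs and card numbers are constructed test data (4111 1111 1111 1111 and 4242 4242 4242 4242 are well-known test PANs); the 'pause'/'resume' control field models the agent pressing the button before a turn.

```python
import re

# Constructed call transcripts: (speaker, text, control). The control value is the
# pause-and-resume action the agent takes before that turn is spoken, or None.
CALLS = {
    "call-001": [  # procedure followed correctly
        ("agent", "Can I take your card number now?", None),
        ("caller", "It's 4111 1111 1111 1111, expiry 12/26, code 123", "pause"),
        ("agent", "Thank you, that has gone through.", "resume"),
    ],
    "call-002": [  # agent forgets to pause: the full card lands in the recording
        ("agent", "Can I take your card number now?", None),
        ("caller", "4242-4242-4242-4242 and the security code is 987", None),
        ("agent", "Thank you, that has gone through.", None),
    ],
    "call-003": [  # a 16-digit order reference that is not a card number
        ("caller", "My order reference is 1234 5678 9012 3456", None),
    ],
    "call-004": [  # agent pauses but never resumes: the promise is lost from the audit trail
        ("caller", "The card is 4111 1111 1111 1111", "pause"),
        ("agent", "Done. I also promised you a refund of 50 pounds.", None),
    ],
}


def record_call(turns):
    """Pause-and-resume recorder: returns the transcript text that reached the archive."""
    recording, paused = [], False
    for speaker, text, control in turns:
        if control == "pause":
            paused = True
        elif control == "resume":
            paused = False
        if not paused:
            recording.append(f"{speaker}: {text}")
    return "\n".join(recording)


# 13 to 19 digits, optionally separated by single spaces or hyphens, not embedded
# in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Luhn check: rejects most digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return every Luhn-valid PAN found in the text (digits only)."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def mask(pan):
    """First six and last four only, the most PCI DSS allows to be displayed by default."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def audit_archive(calls):
    """Map call id -> masked PANs found in what the recorder actually stored."""
    return {cid: [mask(p) for p in find_pans(record_call(turns))]
            for cid, turns in calls.items()}


if __name__ == "__main__":
    for cid, pans in audit_archive(CALLS).items():
        print(cid, "TOXIC DATA IN RECORDING" if pans else "clean", pans)
    print("call-004 recording:", repr(record_call(CALLS["call-004"])))
```

Run against a real archive you would feed the scanner the speech-to-text output of each recording rather than a hand-written transcript; the point stands either way: one missed pause puts a complete PAN into storage, and one missed resume removes the evidence you would need to resolve a dispute.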
Solution 3: IVR payment processing
Rather than trying to integrate call recording with voice payments, like pause and resume, this method aims to separate payments from live agent conversations entirely. When the time comes for the customer to give payment details, the agent transfers the caller to an IVR system. There the customer can give payment details by speaking or typing, using their touchtone phone, and reconnect with the agent afterwards.
The downside is that customers may incorrectly enter details and the agent is not online to encourage and support them through the process leading to a fragmented customer experience. If the payment details still enter the contact centre’s internal systems then this solution does nothing to de-scope those applications, databases and equipment from PCI compliance.
Solution 4: DTMF suppression payment processing outsourced to a Level One Service Provider
With this solution certain providers can de-scope over 90% of the contact centre requirements from PCI compliance, in a secure cloud-based environment. To put this into perspective, instead of meeting over 900 requirements the contact centre may only be required to meet just 69 to become fully compliant.
It works by ensuring that payment details never enter the contact centre ecosystem. Like IVR processing the caller is directed to give payment details, however the conversation with the agent is able to continue while they do.
The defining feature of this type of solution is that payment information is entered by the customer using their telephone keypad, and that the resulting tones are suppressed before they reach the call recording system (and the agent), to prevent the storage of card authentication information. Furthermore, the payment details are sent via the outsourced provider’s systems, where they are communicated to your merchant, so no payment card details touch or are stored on internal systems.
With more advanced systems the agent can still track the payment process on their desktop in real-time, but no card data is seen by the agent. It means the agent can support the process of the payment to help the customer and confirm when the payment has gone through.
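The mechanism described in the last three paragraphs can be shown end to end in code. The following is an added example, not Cognia's implementation or any vendor's product: it synthesises narrowband telephony audio, detects DTMF key presses with the Goertzel algorithm, replaces every tone frame with silence before the audio reaches the recorder, reports only a masked progress indicator to the agent desktop, and collects the digits themselves on a separate path (the one that would go to the payment provider). The sample rate, frame size, detection floor and the 500 Hz sine used to stand in for speech are assumptions of this example.

```python
import math

SAMPLE_RATE = 8000            # narrowband telephony (assumed)
FRAME = 205                   # ~25 ms; standard Goertzel frame for DTMF at 8 kHz
LOW_FREQS = (697, 770, 852, 941)
HIGH_FREQS = (1209, 1336, 1477, 1633)
KEYPAD = ("123A", "456B", "789C", "*0#D")   # rows = low group, columns = high group
MIN_POWER = 100.0             # assumed detection floor for samples scaled to [-1, 1]
MIN_RATIO = 4.0               # strongest bin must dominate the rest of its group


def tone(freq, frames, amplitude=0.5):
    """Single sine of `frames` frames; used here to stand in for speech (constructed input)."""
    return [amplitude * math.sin(2 * math.pi * freq * i / SAMPLE_RATE)
            for i in range(frames * FRAME)]


def dtmf(key, frames=3, amplitude=0.5):
    """The two-tone DTMF signal for one keypad character (constructed input)."""
    row = next(r for r, keys in enumerate(KEYPAD) if key in keys)
    f_low, f_high = LOW_FREQS[row], HIGH_FREQS[KEYPAD[row].index(key)]
    low, high = tone(f_low, frames, amplitude / 2), tone(f_high, frames, amplitude / 2)
    return [a + b for a, b in zip(low, high)]


def goertzel_power(frame, freq):
    """Energy of `frame` at the DFT bin nearest `freq` (Goertzel recurrence)."""
    n = len(frame)
    k = int(0.5 + n * freq / SAMPLE_RATE)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def _dominant(frame, freqs):
    """The one frequency of the group that clearly carries the energy, else None."""
    powers = sorted(((goertzel_power(frame, f), f) for f in freqs), reverse=True)
    (best, f_best), (second, _) = powers[0], powers[1]
    if best < MIN_POWER or best < MIN_RATIO * second:
        return None
    return f_best


def detect_digit(frame):
    """Keypad character present in `frame`, or None for speech or silence."""
    f_low, f_high = _dominant(frame, LOW_FREQS), _dominant(frame, HIGH_FREQS)
    if f_low is None or f_high is None:
        return None
    return KEYPAD[LOW_FREQS.index(f_low)][HIGH_FREQS.index(f_high)]


def suppress_dtmf(audio):
    """Split caller audio into (recorder_audio, agent_events, captured_digits).

    Tone frames are replaced with silence so neither the recording nor the agent
    hears them; the agent desktop only sees a masked progress string; the digits
    go to the payment path alone. A held key counts as one press.
    """
    n = len(audio)
    padded = audio + [0.0] * (-n % FRAME)      # process whole frames only
    recorder, events, digits = [], [], []
    last = None
    for start in range(0, len(padded), FRAME):
        frame = padded[start:start + FRAME]
        digit = detect_digit(frame)
        if digit is None:
            recorder.extend(frame)               # speech passes through untouched
        else:
            recorder.extend([0.0] * FRAME)       # tone never reaches the recorder
            if digit != last:                    # new key press, not a held key
                digits.append(digit)
                events.append("*" * len(digits))  # agent sees progress, never the digit
        last = digit
    return recorder[:n], events, digits


def demo():
    """Caller speaks, keys 4, speaks, keys 1 twice with a gap between (constructed)."""
    speech, silence = tone(500, 2), [0.0] * FRAME
    audio = speech + dtmf("4") + speech + dtmf("1", 2) + silence + dtmf("1", 2)
    return suppress_dtmf(audio)


if __name__ == "__main__":
    rec, events, digits = demo()
    print("agent sees:", events)          # ['*', '**', '***']
    print("payment path:", digits)        # ['4', '1', '1']
    print("tone frames silenced:", all(x == 0.0 for x in rec[2 * FRAME:5 * FRAME]))
```

The caveat a practitioner would want: detection is per frame, so a key pressed mid-frame can leave a partial tone in that frame if its energy stays under the floor, and a sustained key with no inter-digit gap reads as one press. Production suppressors buffer a few frames of look-ahead and apply hysteresis for exactly these reasons; the frame-aligned input here sidesteps them so the data flow is easy to follow.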
Publish Date: March 16, 2015
With the average enterprise cost of a data security breach that results in the loss or theft of customer card payment data running at around £4.5 million, PCI DSS is not an issue to ignore.
With the introduction of the Payment Card Industry Data Security Standards (PCI DSS) version 3.0 at the start of the year, it’s a good time to assess how organisations can comply while keeping both costs and the operational burden to a minimum.
A few myths about PCI compliance
Before we dive into looking at the options available to organisations, outsourcers and contact centre operators it is worthwhile exploding a few bad ideas that many people have about what the PCI DSS standards are and how they work:
1. It is the law
Actually, PCI DSS compliance is only a legal requirement in a few US states. Elsewhere it is enforced through the terms of agreement between merchants and acquirers. Penalties for non-compliance can lead to the merchant being fined, held liable for fraud losses that result from data breaches, and having their merchant accounts suspended.
2. Third party suppliers can be fined
While all third parties handling card payment details need to be compliant, in all cases the buck stops with the merchant. For outsourcing services providers this means the client is responsible. However, data security breaches lead to loss of reputation, irrevocably harm client relationships and can result in compensation claims. Estimates suggest that a serious breach involving loss of card data can wipe 12% off a company’s value, which could be catastrophic.
3. Compliance equals security
Being PCI compliant does not mean organisations are invulnerable. Best practices for PCI DSS should always be just a part of their wider information security framework and plan. The PCI Security Standards Council has said that the aims of the updated 3.0 standards are to “help organisations take a proactive approach to protect cardholder data that focuses on security, not compliance, and makes PCI DSS a business-as-usual practice.”
4. We are OK as we have passed the annual audit
This is a grave trap to fall into. Too many businesses take a ‘tick-box’ approach to PCI compliance to pass their annual audit and then sit back with a false sense of security. In its recently published 2014 PCI Compliance Report, Verizon uncovered the slightly shocking statistic that only 11% of organisations are fully compliant with all 12 of PCI’s major requirements, and compliance levels in general drop in-between audits.
PCI Pass Rates by Number of Major Requirements
Verizon found that all companies which had suffered a data breach were less likely to have been compliant at the time, even if they passed their last assessment. Given that losses due to credit card fraud topped $11 billion in 2012, and are rising by 10% a year, it is either a sobering or consoling thought to realise that many of those data thefts were easily preventable.
UNDERSTANDING THE KEY REQUIREMENTS OF PCI DSS 3.0
While Cognia lists the high-level, broad requirements of PCI DSS in its white paper, getting to grips with the PCI DSS is a significant undertaking. The tension for merchants is that it is written for experts by experts and the level of detail and scope of the requirements can be difficult for anyone whose core business is not information security to fully engage with.
The key is either to outsource the process of getting to grips with PCI DSS or to embrace it wholeheartedly. There is no middle ground. The worst thing merchants can do is work through the relevant Self-Assessment process and put in some ticks that they are reasonably happy might be true without really working through the detail. If you take PCI DSS version 3 (assuming you remove all the phased introduction requirements) there are 12 requirements, 76 sub-requirements, 406 testing procedures and 904 individual data points merchants have to be able to understand and demonstrate compliance against while managing the day job.
In general, outsourcing to a greater or lesser extent is wise. You can do this by engaging a Qualified Security Assessor (QSA) company, or you can pass the risk to suppliers who do that for you. The latter is likely to prove more cost effective for all but the largest of merchants and service providers, but it’s equally important to do the due diligence and test their compliance claims.
Outsourced contact centres
In outsourced environments such as contact centres, the PCI risks as well as the potential fall-out of those risks, are amplified.
In multi-client environments risks are increased as both systems and agents come into contact with multiple client ecosystems and data. Security loopholes could conceivably compromise more than one client, or breaches could spread through the infrastructure like viruses unless a layered defence approach is taken.
If card payments are taken in the contact centre then all IT and communications systems, as well as agents, are in scope for PCI DSS. This can mean complying with 100s of requirements, all of which need mapping and continuously managing.
Every time you make a change to your systems, or open new premises, recertification is required to ensure security. Where agent turnover is high, the cost of retraining, certifying and managing access rights can be high.
The art of de-scoping
Any PCI compliance starts with scoping. Depending on exactly how you process payments, the following elements might need to be covered:
- The internal network and telephony infrastructure,
- CRM, workflow and other agent desktop applications,
- Agents who process payments or access systems,
- Call and screen recording software and the archives of these,
- Other staff with access to systems and recording archives,
- Desktop computers and other recording equipment (staff mobile phones, even pens and paper).
The objective is to assure PCI compliance while disrupting normal business as little as possible, keeping costs down and ensuring that the agent and customer experience is not degraded but, ideally, improved.
Removing agents and internal IT and communications systems from the loop de-scopes them from immediate PCI DSS requirements. This radically reduces the number of processes you need to manage and audit, keeping costs low and allowing your staff to concentrate on their everyday tasks. Utilising a secure, purpose built cloud infrastructure enables you to benefit long term from this approach and provide a more effective foundation for managing customer interactions.
Five tips for 2015
PCI DSS compliance has long been seen by many as a ‘tick the box’ exercise and it hasn’t figured high on the information security stack hot list. But at the recent PCI London conference we sensed a growing awareness of its strategic importance. Perhaps recent data breaches and a growing awareness of their impact across business operations is finally pushing PCI onto the CXO agenda.
So, to round off this article, here is a list of what we see as the top five things you can do this year to ensure PCI compliance cost-effectively and without getting in the way of business as usual:
1 De-scope as much as possible and ensure contact centre environments are freed from the risk of non-compliance. A data breach can mean big reputational damage and fines. Look to remove sensitive card data from systems and people environments altogether.
2 PCI is not just for audit time; it has to be an all year round preoccupation. Look to a sustainable strategy and programme that assures continued compliance. It will save you time and money!
3 Use PCI 3.0 as the opportunity to build the people aspect of compliance into day to day business operations. Education and changing behaviour are key, and everyone plays a part.
4 Clean out the cupboard. Look at outsourced storage and data cleansing to remove the risk of non-compliant legacy stored data, including call and screen recordings as well as databases.
5 Utilise new technology to solve business problems. Pause and resume recording has had its day; it is high risk and not efficient for a PCI compliant environment. Embrace the power of true cloud offerings that are highly secure and based on market leading Infrastructure-as-a-Service. Outsource the problem while you focus on your customers.
Sadly for all of us, the criminals and the hackers are not going away, and their methods are getting more sophisticated all the time. De-scoping your processes and systems, and embracing PCI DSS compliance as a core element of your information security strategy ensures that your business, your clients and their customers are as safe as possible.
First published in Professional Outsourcing Magazine
Publish Date: March 6, 2015
The PCI Security Standards Council is poised to announce formally that Secure Sockets Layer (SSL) version 3.0 is no longer considered strong cryptography in PCI DSS 3.1, which affects the requirements that mandate strong cryptography [2.3, 3.4, 4.1].
To many people this is a worrying thing to read, because SSL secures the internet, doesn't it?
Well, the short answer is no, and the long answer is still no, but it explains where the misconception comes from: IT and security consultants have been using the wrong terminology. In most cases when we say SSL we mean HTTPS, and even when we are talking about SSL, we probably mean TLS anyway.
SSL is a transport encryption protocol that protects the flow of information between two systems. It uses asymmetric cryptography and X.509 certificates to authenticate the server and agree a session key, and then a symmetric cipher to encrypt the data itself.
The problem is that a number of issues and vulnerabilities were discovered in the early versions of SSL, and its last iteration, version 3.0, dates from 1996. Whilst it improved on previous generations, security professionals have for many years been advocating a move to its successor, Transport Layer Security (TLS).
October 2014 sounded the death knell for SSLv3.0 when the POODLE vulnerability (CVE-2014-3566) was disclosed, sealing the fate of the 18 year old protocol as a safe method of securing internet communications. The attack lets a man-in-the-middle recover plaintext such as session cookies from SSLv3 CBC traffic, and because many clients would silently retry a failed TLS handshake with SSLv3, a server that still accepted SSLv3 exposed even TLS-capable clients to a downgrade.
Many system administrators had long since moved to TLS, so the impact of POODLE was nowhere near as significant as Heartbleed or Shellshock, but it was a reminder for security teams to double check that SSLv3 really was disabled once and for all on their servers, and, where it had to stay on for legacy clients, that the server honoured TLS_FALLBACK_SCSV so that a downgrade could not be forced.
Of course, cryptography experts will tell you that the transport protocol is only half of the story. An equally important decision is the selection of the cipher suites used for TLS communications.
A cipher suite names the algorithms used to exchange keys, encrypt the data and check its integrity, and cipher suites have had their own, less well known, vulnerabilities, such as BEAST in 2011, which targeted CBC-mode ciphers in TLS 1.0. For several years the recommended mitigation for BEAST was to prefer the RC4 stream cipher, until in 2013 RC4 itself was shown to have keystream biases that make it weak.
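The SSLv3 check and the cipher suite point above can be combined into one small probe. The following is an added example written for this post, not Cognia's code: it builds a raw ClientHello for a single protocol version (the way the POODLE scanners of the time did), sends it, and reads the first record that comes back, a ServerHello meaning the version was accepted (together with the suite the server chose) or an Alert meaning it was refused. The hand-picked cipher suite list, the default host name and the wording of the findings are this example's own assumptions.

```python
"""Probe for SSLv3 and weak cipher suites, as discussed in this post.

Added example, not Cognia's code. A raw ClientHello is built for one
protocol version, sent to the server, and the first record the server
returns is classified: ServerHello (version accepted, with the suite it
chose) or Alert (version refused). Parsing and assessment are pure
functions, so they can be run against captured bytes without a network.
"""
import os
import socket
import struct

CONTENT_ALERT = 21        # TLS record content types (same values in SSLv3)
CONTENT_HANDSHAKE = 22
HS_CLIENT_HELLO = 1       # handshake message types
HS_SERVER_HELLO = 2

VERSION_NAMES = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

# Hand-picked RSA suites to offer (IANA-assigned IDs); an assumption of this
# example, chosen so that the server's choice says something about its policy.
CIPHER_NAMES = {
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
}
ALERT_NAMES = {40: "handshake_failure", 47: "illegal_parameter", 70: "protocol_version"}


def build_client_hello(version, suites=tuple(CIPHER_NAMES)):
    """Return one record carrying a ClientHello that offers only `version`."""
    major, minor = version
    body = struct.pack("!BB", major, minor)                  # client_version
    body += os.urandom(32)                                    # random
    body += b"\x00"                                           # empty session_id
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body += struct.pack("!H", len(suite_bytes)) + suite_bytes
    body += b"\x01\x00"                                       # one compression method: null
    # No extensions: SSLv3 has none, and that keeps the probe identical per version.
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BBBH", CONTENT_HANDSHAKE, major, minor, len(handshake)) + handshake


def parse_server_response(data):
    """Classify the first record a server sent back to our ClientHello."""
    if len(data) < 5:
        return {"accepted": False, "reason": "short or empty response"}
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    payload = data[5:5 + length]
    if ctype == CONTENT_ALERT and len(payload) >= 2:
        desc = payload[1]                                     # payload[0] is the alert level
        return {"accepted": False, "reason": "alert " + ALERT_NAMES.get(desc, str(desc))}
    if ctype == CONTENT_HANDSHAKE and payload and payload[0] == HS_SERVER_HELLO:
        hello = payload[4:]                                   # skip type + 24-bit length
        server_version = (hello[0], hello[1])
        sid_len = hello[34]                                   # follows the 32-byte random
        suite = struct.unpack("!H", hello[35 + sid_len:37 + sid_len])[0]
        return {"accepted": True,
                "version": VERSION_NAMES.get(server_version, str(server_version)),
                "cipher": CIPHER_NAMES.get(suite, "0x%04X" % suite)}
    return {"accepted": False, "reason": "unexpected content type %d" % ctype}


def assess(result):
    """Map a parsed response onto the findings this post discusses."""
    findings = []
    if not result["accepted"]:
        return findings
    if result["version"] == "SSLv3":
        findings.append("SSLv3 accepted: vulnerable to POODLE, disable it")
    if "RC4" in result["cipher"]:
        findings.append("RC4 negotiated: biased keystream, no longer acceptable")
    elif "CBC" in result["cipher"] and result["version"] in ("SSLv3", "TLS 1.0"):
        findings.append("CBC suite on %s: BEAST-class attacks apply" % result["version"])
    return findings


def probe(host, port=443, version=(3, 0), timeout=5.0):
    """Send one ClientHello for `version` to a live host and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(version))
        try:
            return parse_server_response(sock.recv(4096))
        except socket.timeout:
            return {"accepted": False, "reason": "no response"}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"   # hypothetical host
    for ver in sorted(VERSION_NAMES):
        reply = probe(target, version=ver)
        print(VERSION_NAMES[ver], reply, assess(reply))
```

Saved as a script and given a host name, it steps through SSLv3 to TLS 1.2. A server that answers the SSLv3 hello with a ServerHello is still exposed to POODLE whatever its HTTPS page claims; an alert of protocol_version or handshake_failure is the healthy answer. Because the hello carries no SNI extension, hosts behind a shared front end may refuse every version, so treat a refusal on all four as inconclusive rather than secure.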
Computer security moves fast, and as the last 24 months have shown, software systems long relied on for privacy and security are starting to be scrutinised more and more, particularly with the realisation that state sponsored actors may also have undisclosed methods to intercept vast swaths of internet traffic.
This is good news for consumers as it only furthers the security of the internet, but for merchants the constant need to stay up to date with the latest protocols and cipher sets is a complication and expense, which may sometimes be overlooked.
By leveraging a platform such as the Cognia Cloud the burden is greatly lessened as our dedicated security and systems teams get their ‘geek on’ ensuring the services are always secured using the industry leading protocols, algorithms and certificates.
If you want to understand more about our approach to security, and our ability to respond to threats and vulnerabilities, contact email@example.com.
Publish Date: February 23, 2015
I wanted to take some time to look at the journey of a PCI compliance project for a merchant, from the drivers behind it to the completion of the validation process. My hope is that sharing what I feel are best-practice approaches will turn what can be a daunting project into a clear journey with sign-posts and stop-offs along the way.
It’s a multi-part series, which will be published regularly so please be sure to come back and follow our updates (@CogniaDotCom)
I’ve gained a lot of experience in and around contact centers implementing Cognia Live, Cognia’s contact centre DTMF payment service, and so it is on this environment that I will focus.
The drivers behind a PCI-DSS Compliance Project
Gaining PCI-DSS compliance can be an in-depth and specialised project, which requires considerable planning, orchestration and consensus from all levels of a merchant’s or contact center’s management and operational staff. I say can be, as some solutions require a much deeper level of commitment (upfront and ongoing) from the organisation than others; for more information on that, read our blog posts on the different solutions available in the marketplace.
Understanding and defining the ‘why’ is always a critical place to start for any project, so it’s here that we begin.
Just remind me, why are we doing this?
When you begin any project it’s important to agree upon and understand why the project was started in the first place.
These project drivers, in my experience, fall within one of four categories:
- External pressure (acquiring banks or card brands requiring compliance)
- Ongoing responsibilities (new physical locations or infrastructure)
- To improve customer experience
- To offer an expanded suite of features to your sales opportunities (outsourced contact center)
External pressure is a common driver for PCI compliance projects and it can come in two forms: assurance and enforcement. From the merchant’s point of view, both activities will be performed by your acquiring bank. Enforcement takes place after a breach has been identified, while assurance is part of the day-to-day relationship management between a merchant and their acquiring bank.
Your acquiring bank can apply pressure to address your PCI-DSS responsibilities if they believe you are non-compliant. This pressure can come in the form of higher transaction fees or even the withdrawal of a merchant’s account. A common procedure is for the card brands to propose an escalating schedule of fines to the acquirer, sized depending upon the level of risk.
All organisations that process customer card data should adhere to the current PCI-DSS standard and validate that adherence every year, but organisations have different validation requirements depending upon the number of transactions they have processed over the previous twelve months. A Visa level one merchant (processing more than six million transactions in the last twelve months), for example, will be required to prove its compliance through an on-site assessment led by a QSA.
Enforcement of the PCI-DSS standard begins with the card brands. They monitor fraud volumes and, when a cluster of compromised cards share one merchant in their recent transaction history, identify that merchant as the common point of purchase (CPP) of a breach.
Should a merchant be identified as a CPP, the card brands will approach that merchant’s acquiring bank and can take any number of the following steps with it:
- Apply one-off fines.
- Impose increased fees.
- End the commercial relationship entirely, including a ban from the card brand with any acquiring bank.
- Give 90 days to achieve compliance from the issuing of the decision; this costs more, and the business loses all momentum as its focus must be on achieving that compliance.
At this point, it is within the right of the acquiring bank to pass these on to the merchant. Increased fees can have a very real impact on a merchant’s business model and their bottom line, but the one-off fines and threat to end relationships can be terminal for a business.
One critical piece of understanding commonly lacking is that upon the identification of a breach, the PFI (PCI Forensic Investigator) report must be submitted to all of the card brands, no matter which one identified the breach and each brand has the right to take the same actions as the others whether a breach occurred on their brands card or not.
The point of these escalating steps is to ensure that merchants understand the risks of non-compliance and work to minimise it through application of the PCI-DSS standards.
Internal drivers, such as opening new physical locations for your business or changing infrastructure will require re-assessment of your PCI-DSS compliance. All locations that operate under the same tax ID or DBA (“Doing Business As”) and are not adequately segmented are considered in-scope and must be included in your annual compliance assessment.
Obviously, all new or replacement IT equipment has to be assessed, but beware of stealth increases in your scope. For instance, when changing the VLAN segmentation of your network infrastructure you may bring more of your equipment into scope for the purposes of your compliance audit, and the same can apply to any hosting partners.
Believe it or not, aligning yourself with PCI-DSS standards can improve your customer experience. If your customers feel confident when transacting with your organisation they will be more likely to recommend and repeat.
We all live with a continual stream of news around customer data breaches, making the act of calling in to a contact center and being asked to read out your credit card number to a stranger an unnerving one. Any way you as a merchant can appear to distance yourself from a customer’s data will improve their perception of how you as a brand respect their information privacy.
Contact centers manage this through the use of automated payment IVRs and other innovative solutions such as having customers use their telephone keypad to enter card data. It puts the customer at ease and removes a large burden from the agent and contact center overall.
Improving your product suite
This one really applies to outsourced contact centers who wish to offer their existing and potential customers the option of accepting payments in a compliant way. Many brands enjoy the flexibility of using outsourced contact centers for their telephone operations, but many are unprepared for the overhead of accepting payments. Therefore, being able to offer PCI-DSS compliant services really sets you apart in the market and empowers your sales teams to go after whole new areas of business.
In my experience, it’s always an effective tactic in a project of this scope to add the goal of applying best practice to your organisation alongside the other main project drivers. As PCI-DSS standards are followed by many organisations all around the world, the standard is actually a very powerful tool, and as such can be used to bring order and predictability to your systems and processes. Approaching the project from this perspective helps teams see the benefit of compliance rather than the burden, and helps you focus on opportunities rather than costs.
As you can see, the reasoning for starting this journey is varied; from regulatory pressure to sales opportunity. Whatever the driver is in your situation, completing your PCI-DSS assessment should be viewed as an important and key step to building a solid and reliable foundation for the future growth of your business.
Publish Date: February 9, 2015
PCI compliance has long been seen by many as a ‘tick in the box’ exercise, that hasn’t figured high on the information security stack hot list. But that does now seem to be changing. At the PCI London conference, a growing awareness of the strategic importance of PCI is becoming more and more prevalent. Recent data breaches and a growing awareness of impact across business operations, from marketing, finance to customer experience is finally pushing PCI onto the CXO agenda.
The not so good news, as highlighted by Verizon’s recent green paper, is that the majority of organizations that achieve PCI compliance fall out of compliance again within a year. The key to success with PCI-DSS is now firmly focused on developing a strategy that assures sustainability year on year, so that PCI-DSS becomes part of the everyday behavior of an organization, from the way payment card data is handled securely in trading environments to the awareness of employees in making every effort to manage their role in protecting their organization’s data.
So, as a top five for 2015, the following represents the key pieces of the PCI puzzle that need to be incorporated into any PCI programme and information security strategy this year:
1. This is the year to assure contact centre environments are freed from the risk of PCI-DSS non-compliance. Don’t risk a data breach, reputational damage or fines. Look to remove sensitive card data from systems and people environments altogether.
2. PCI is not just for this year; it’s for all time. Look to a sustainable strategy and programme that assures continued compliance. It will save you time and money!
3. Use PCI 3.0 as the opportunity to build the people aspect of compliance into day to day business operations. Education and changing behavior are key, and everyone plays a part.
4. Clean out the cupboard. Look at outsourced storage and data cleansing to remove the risk of non-compliant legacy stored data.
5. Utilise new technology to solve business problems. Things like pause and resume recording have had their day; they are high risk and not efficient for a PCI compliant environment. Embrace the power of the cloud. Outsource the problem while you focus on your customers.
Payment card data security risk is here to stay, but so is PCI. Embrace it and build a better business as a result this year.
Publish Date: January 27, 2015
The news of a PCI breach is just the start of a host of issues – all of which can be crippling to a business.
Many CIOs and compliance officers may complain about the burden that the PCI Security Standards Council imposes on them, but the rules exist for good reason.
Like most issues involving compliance, card data rules are more effective as a preventative measure. Once a breach has occurred the problems really start multiplying.
The most recent Ponemon Fall Out report found that 45 per cent of data breaches involved the loss of card payment data. These digital details are so intrinsic to modern life that they have lasting repercussions for all involved. Here are five ways your costs will soar if you do not keep your PCI compliance maintained and you become a victim of a hack.
Frantic checking of the existing system
Stemming a leak can be expensive and we’re not just talking about calling a plumber. The Ponemon research showed insiders and third parties are most often the cause of the data breach, but 44 per cent of the respondents said they were unable to determine the root cause of a breach. On a positive note, companies believe that human risk factors are easier to control than outside influences.
What is clear is that a breach will stop you in your tracks. Fifty per cent of respondents said the most negative consequence of a breach was the loss of productivity, as key employees are diverted from their usual roles to help a company resolve the incident.
Making changes to the system
When something goes wrong, the upheaval can be immense.
Following a breach, senior leaders at the organisations involved believe they are at their most vulnerable. Eventually lessons will be learned that may improve privacy and data protection practices, but why wait to get bitten before you stop tempting the dog?
The emphasis in the PCI DSS 3.0 requirements is on accurate scoping and, wherever possible, de-scoping. PCI compliant cloud solutions may now become the first choice, as more and more organisations look for the most effective solution straight away, rather than waiting until something goes wrong.
Changes are not just made at an IT level. In the aftermath of a data breach, employees become more careful around data and 61 per cent believe they are more aware of the consequences of failing to protect sensitive and confidential information. In order for this to be the case, training and awareness is required.
Damage to your brand
This may be less tangible than other costs following a data breach, but it can be the most significant long-term consequence. A recent Experian-sponsored study of 850 executives found data breaches can be responsible for losses of between $184 million and over $330 million in the value of a brand.
The research came to the conclusion that breached brands lose on average 12 per cent of their value. This is not surprising, as PCI compliance is concerned with keeping consumers’ personal details out of the hands of criminals, so if your company lets them down it is only natural they will distrust you in the future. Of the 843 senior-level professionals questioned for the survey, 73 per cent believe their brand image and reputation are “inextricably linked”, and less than half of the respondents said their organisation’s brand image and reputation could ride out a data breach.
“A solid reputation is a company’s greatest asset and it is therefore imperative that business leaders take precautionary steps to protect themselves, their customers, their employees and their intellectual property against data breaches,” said Ozzie Fonseca, director at Experian Data Breach Resolution.
PCI fines and increased charges
Lastly, there are the card companies’ own sanctions to consider. For companies that rely on card payments such as contact centers, these can be crippling and include:
– A fine of $500,000 per data security incident
– Ongoing daily fines of up to $50,000 for non-compliance with published standards
– Liability for all fraud losses resulting from compromised account numbers
– Further liability for the cost of reissuing cards associated with the compromise
– Suspension of the company’s merchant accounts
Publish Date: November 14, 2014
A new report by analyst firm Ovum[i] reveals that nearly three years after financial institutions were ordered to start recording and storing mobile calls, only around a third of those affected have managed to comply. Larger banks and those with operations in a number of jurisdictions appear to be struggling the most.
The new rules were introduced in 2011 by the UK’s Financial Services Authority – now the Financial Conduct Authority – in response to the growing use of mobile devices in financial transactions.
The delay in achieving compliance is particularly worrying now that the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank) has also come into force. Any financial institution that trades in or with the US is required to record all voice communications that lead to the execution of a commodity interest transaction. Non-compliance is no longer an option.
The Ovum paper reports that institutions have reported mixed results with existing technology. While app-based solutions, for example, have the benefit of being a quick-fix, network-agnostic option that can be managed easily by the IT department – they also introduce connection delays and in-call latency, reduce phone functionality and cannot work across different operating systems. Basically, the user experience is dismal. In addition, they are vulnerable to employee workarounds: you simply uninstall the app.
An alternative and increasingly popular approach is to use a network based system that automatically triggers recording by the network. There is no need for internal management and no call delays.
However, until very recently there were two disadvantages to network-based call recording. The first was a lack of international roaming capability, particularly across CAMEL and non-CAMEL networks (such as in China). The second was that the service was only offered by mobile virtual network operators (MVNOs) that piggybacked on an MNO’s network. Both significantly inconvenienced customers, because they had to agree and then manage multiple supplier arrangements.
The situation is further complicated by the rise of BYOD – bring your own device, leading to an ever growing range of devices and operating systems being used for interactions.
What the market needed, according to Ovum, was an in-network mobile call recording solution delivered by a mobile network operator. In May it published a follow up paper that confirmed such a solution now exists. Ovum[ii] calls it a potential game changer.
Launched by Vodafone Global Enterprises, with Cognia’s cloud-based Communications Intelligence technology at its heart, the solution delivers a service that is truly international, supports both CAMEL and (imminently) non-CAMEL networks, is device independent, has a seamless user experience, is tamper-proof, secure, flexible and scalable, and can store data either on premise or in the cloud, or both. That data is then available for search and analysis, not just for compliance and risk management but for customer service, productivity, business intelligence and growth.
Cognia is proud to be a part of this revolution. If you want to find out more about how this service could transform your mobile call recording and help you to achieve compliance easily and cost-effectively, please get in touch.
[i] Mobile Call Recording in the Financial Markets: Assessing the Impact and Opportunities Created by Changing International Regulation. Ovum, April 2014
[ii] Vodafone In-Network Mobile Recording – an MNO service that doesn’t require a SIM change, Ovum, 29 May 2014
Publish Date: October 6, 2014