PCI DSS compliance without the hassle and risk - Cognia - ContactCenterWorld.com Blog
With the average enterprise cost of a data security breach that results in the loss or theft of customer card payment data running at around £4.5 million, PCI DSS is not an issue to ignore.
With the introduction of the Payment Card Industry Data Security Standards (PCI DSS) version 3.0 at the start of the year, it’s a good time to assess how organisations can comply while keeping both costs and the operational burden to a minimum.
A few myths about PCI compliance
Before we dive into the options available to organisations, outsourcers and contact centre operators, it is worth dispelling a few common misconceptions about what the PCI DSS standards are and how they work:
1. It is the law
Actually, PCI compliance is only a legal requirement in a few US states. Elsewhere the standards are enforced through the terms of agreement between merchants and acquirers. Non-compliance can lead to the merchant being fined, held liable for fraud losses that result from data breaches, and having their merchant accounts suspended.
2. Third party suppliers can be fined
While all third parties handling card payment details need to be compliant, in all cases the buck stops with the merchant. For outsourcing service providers this means the client is responsible. However, data security breaches lead to loss of reputation, irrevocably harm client relationships and can result in compensation claims. Estimates suggest that a serious breach involving loss of card data can wipe 12% off a company’s value, which could be catastrophic.
3. Compliance equals security
Being PCI compliant does not mean organisations are invulnerable. Best practices for PCI DSS should always be just a part of their wider information security framework and plan. The PCI Security Standards Council has said that the aims of the updated 3.0 standards are to “help organisations take a proactive approach to protect cardholder data that focuses on security, not compliance, and makes PCI DSS a business-as-usual practice.”
4. We are OK as we have passed the annual audit
This is a grave trap to fall into. Too many businesses take a ‘tick-box’ approach to PCI compliance to pass their annual audit and then sit back with a false sense of security. In its recently published 2014 PCI Compliance Report, Verizon uncovered the slightly shocking statistic that only 11% of organisations are fully compliant with all 12 of PCI’s major requirements, and compliance levels in general drop between audits.
[Figure: PCI Pass Rates by Number of Major Requirements]
Verizon found that companies which had suffered a data breach were less likely to have been compliant at the time of the breach, even if they had passed their last assessment. Given that losses due to credit card fraud topped $11 billion in 2012, and are rising by 10% a year, it is either a sobering or a consoling thought to realise that many of those data thefts were easily preventable.
UNDERSTANDING THE KEY REQUIREMENTS OF PCI DSS 3.0
While Cognia lists the high-level, broad requirements of PCI DSS in its white paper, getting to grips with the PCI DSS is a significant undertaking. The tension for merchants is that it is written for experts by experts and the level of detail and scope of the requirements can be difficult for anyone whose core business is not information security to fully engage with.
The key is either to outsource the process of getting to grips with PCI DSS or to embrace it wholeheartedly. There is no middle ground. The worst thing merchants can do is work through the relevant Self-Assessment process and put in some ticks that they are reasonably happy might be true without really working through the detail. If you take PCI DSS version 3 (assuming you remove all the phased introduction requirements) there are 12 requirements, 76 sub-requirements, 406 testing procedures and 904 individual data points that merchants have to understand and demonstrate compliance against while managing the day job.
In general, outsourcing to a greater or lesser extent is wise. You can do this through engaging with a Qualified Security Assessing Company (QSA-C) or you can pass the risk to suppliers who do that for you. The latter is likely to prove more cost effective for all but the largest of merchants and service providers but it’s equally important to do the due diligence and test their compliance claims.
Outsourced contact centres
In outsourced environments such as contact centres, the PCI risks, as well as the potential fall-out of those risks, are amplified.
In multi-client environments risks are increased as both systems and agents come into contact with multiple client ecosystems and data. Security loopholes could conceivably compromise more than one client, or breaches could spread through the infrastructure like viruses unless a layered defence approach is taken.
If card payments are taken in the contact centre then all IT and communications systems, as well as agents, are in scope for PCI DSS. This can mean complying with hundreds of requirements, all of which need mapping and continuous management.
Every time you make a change to your systems, or open new premises, recertification is required to ensure security. Where agent turnover is high, the cost of retraining, certifying and managing access rights can be high.
The art of de-scoping
Any PCI compliance starts with scoping. Depending on exactly how you process payments, the following elements might need to be covered:
- The internal network and telephony infrastructure,
- CRM, workflow and other agent desktop applications,
- Agents who process payments or access systems,
- Call and screen recording software and the archives of these,
- Other staff with access to systems and recording archives,
- Desktop computers and other recording equipment (staff mobile phones, even pens and paper).
The objective is to assure PCI compliance while disrupting normal business as little as possible, keeping costs down and ensuring that the agent and customer experience is not harmed but in fact improved.
Removing agents and internal IT and communications systems from the loop de-scopes them from immediate PCI DSS requirements. This radically reduces the number of processes you need to manage and audit, keeping costs low and allowing your staff to concentrate on their everyday tasks. Utilising a secure, purpose-built cloud infrastructure enables you to benefit long term from this approach and provides a more effective foundation for managing customer interactions.
Five tips for 2015
PCI DSS compliance has long been seen by many as a ‘tick the box’ exercise and it has not figured high on information security priority lists. But at the recent PCI London conference we sensed a growing awareness of its strategic importance. Perhaps recent data breaches and a growing awareness of their impact across business operations are finally pushing PCI onto the CXO agenda.
So to round off this article, here is a list of what we see as the top 5 things you can do this year to ensure PCI compliance cost-effectively and without getting in the way of business as usual:
1. De-scope as much as possible and ensure contact centre environments are freed from the risk of non-compliance. A data breach can mean big reputational damage and fines. Look to remove sensitive card data from systems and people environments altogether.
2. PCI is not just for audit time; it has to be an all-year-round preoccupation. Look to a sustainable strategy and programme that assures continued compliance – it will save you time and money!
3. Use PCI 3.0 as the opportunity to build the people aspect of compliance into day-to-day business operations – education and changing behaviour is key – everyone plays a part.
4. Clean out the cupboard. Look at outsourced storage and data cleansing to remove the risk of non-compliant legacy stored data, including call and screen recordings as well as databases.
5. Utilise new technology to solve business problems. Pause and resume recording has had its day; it is high risk and not efficient for a PCI compliant environment. Embrace the power of true cloud offerings that are highly secure and based on market-leading Infrastructure-as-a-Service. Outsource the problem while you focus on your customers.
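Tips 1 and 4 both come down to finding out where card data has leaked into systems that were never meant to hold it (agent notes, CRM free-text fields, transcripts) and removing it so those systems can be de-scoped. The script below is an added example to illustrate that discovery-and-cleansing step; it is not Cognia's tooling and is not taken from the article. It assumes a simplified store of text records (the sample records are constructed for the example, using publicly documented test card numbers), finds 13 to 19 digit candidates, keeps only those that pass the Luhn check, and masks them to the last four digits, which is within what PCI DSS permits to be displayed. Audio and screen recordings need dedicated redaction tooling and are out of scope for this snippet.

```python
import re
from typing import Dict, List

# Candidate PAN: 13-19 digits, optionally separated by single spaces or
# hyphens, and not embedded in a longer run of digits. The net is
# deliberately broad; the Luhn check does the filtering.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _normalise(candidate: str) -> str:
    """Strip the separators a caller may have typed between digit groups."""
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> List[str]:
    """Return separator-free PANs found in text (Luhn-valid candidates only)."""
    return [
        _normalise(m.group(0))
        for m in PAN_CANDIDATE.finditer(text)
        if luhn_valid(_normalise(m.group(0)))
    ]


def mask_pans(text: str) -> str:
    """Replace each Luhn-valid candidate with a form showing only the last four digits.

    Candidates that fail Luhn (order numbers, reference ids) are left untouched
    so the cleansing pass does not corrupt legitimate data.
    """
    def _mask(m: "re.Match[str]") -> str:
        digits = _normalise(m.group(0))
        if not luhn_valid(digits):
            return m.group(0)
        return "*" * (len(digits) - 4) + digits[-4:]

    return PAN_CANDIDATE.sub(_mask, text)


# Constructed sample records standing in for agent notes / CRM free-text
# fields. 4111 1111 1111 1111 and 5500 0000 0000 0004 are widely published
# test numbers; 01632 960123 is in the UK's reserved range for fictional use.
SAMPLE_RECORDS = [
    {"id": "rec-001", "text": "Customer confirmed card 4111 1111 1111 1111 exp 12/19 over the phone"},
    {"id": "rec-002", "text": "Order 1234567890123 dispatched, callback on 01632 960123, no card taken"},
    {"id": "rec-003", "text": "Cardholder read out 5500-0000-0000-0004 twice during the call"},
]


def scan_records(records: List[Dict[str, str]]) -> Dict[str, int]:
    """Map each record id to the number of PANs it contains (a de-scoping inventory)."""
    return {r["id"]: len(find_pans(r["text"])) for r in records}


def cleanse_records(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return copies of the records with PANs masked."""
    return [{"id": r["id"], "text": mask_pans(r["text"])} for r in records]


if __name__ == "__main__":
    for rec_id, count in scan_records(SAMPLE_RECORDS).items():
        print(f"{rec_id}: {count} PAN(s) found")
    for rec in cleanse_records(SAMPLE_RECORDS):
        print(f"{rec['id']}: {rec['text']}")
```

The inventory produced by `scan_records` is the useful output for scoping: any store that keeps returning non-zero counts is in scope until the source of the leakage (usually agents typing what they hear) is removed. Note that a run of digits directly adjacent to a PAN with only a space between them can confuse the candidate regex; a production cleansing job should tokenise more carefully.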
Sadly for all of us, the criminals and the hackers are not going away, and their methods are getting more sophisticated all the time. De-scoping your processes and systems, and embracing PCI DSS compliance as a core element of your information security strategy ensures that your business, your clients and their customers are as safe as possible.
First published in Professional Outsourcing Magazine
Publish Date: March 6, 2015 5:00 AM