publication

Original Publication: Customer Management Insight - May 2008
View Online


 

The amount of sensitive customer credit card information that is recorded in the contact center requires special safeguarding strategies and technologies to avoid penalties for PCI noncompliance.

Data security has long been a serious concern for enterprises across all verticals, particularly for the financial services, healthcare and insurance industries. It is also a matter of great importance to contact centers, which handle credit card data and other personal customer information. Recent, highly publicized data security breaches involving the handling of stored credit card information have propelled this issue to even higher levels of importance for enterprises and the technology vendors that support them. Retailers, which have traditionally underinvested in technology, face serious fines from credit card companies and their merchant banks if they are not in compliance with the new Payment Card Industry (PCI) Security Standards. Eventually, noncompliance with PCI standards may result in not being able to accept credit cards.

Customer calls recorded to meet compliance and regulatory requirements for sales verification, dispute resolution or for quality assurance and training often include a great deal of sensitive customer credit card information. Most call centers have implemented procedures to prevent security breaches, such as not allowing agents to bring any personal items in or out, but other vulnerabilities remain.

PCI standards have been around for a few years but became a requirement for many contact centers in 2007. As a result, PCI received little attention until this year, when the QA/Recording vendors realized they needed to make changes to their applications to comply with PCI requirements. The major challenge with PCI is that the interpretation of the requirement is left up to each enterprise or auditor, and therefore, no standard ap­proach has been developed.

What Are PCI Data Security Standards?

All of the payment card associations recognize the need to safeguard customer information by ensuring that members, merchants and service providers meet minimum levels of data security. Before PCI security standards became a requirement, each association established, maintained and en­forced its own policies. In De­cember 2004, American Ex­press, Discover Financial Services, Mas­ter­Card Worldwide and Visa International joined forces to align their separate policies and develop a unified set of security standards. In January 2005, the alliance re­leased the first version of the Payment Card Industry Data Security Standard (PCI DSS). The revised standard, PCI DSS 1.1, became effective Septem­ber 7, 2006.

PCI DSS 1.1 is a worldwide data security requirement that applies to all members, merchants, service providers and organizations that store, transmit or process cardholder data. As of January 1, 2007, all new PCI certifications and newly initiated recertifications must comply with PCI DSS version 1.1. The standard provides 12 general data security requirements:

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data
3. Protect stored data.
4. Encrypt transmission of cardholder data and sensitive information across public networks.

Maintain a Vulnerability Management Program
5. Use and regularly update antivirus software.
6. Develop and maintain secure systems and applications.

Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know.
8. Assign a unique ID to each person with computer ac­cess.
9. Restrict physical access to cardholder data.

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.

Maintain an Information Security Policy
12. Maintain a policy that addresses information security.

Information in the table (below), taken from the PCI DSS 1.1, provides a partial list of cardholder and sensitive authentication data, along with storage and protection requirements.

Full details about PCI requirements, as well as a copy of the PCI DSS 1.1, can be obtained at the PCI Security Standards Council’s Web site, www.pcisecuritystandards.org.

PCI Compliance

It’s important to point out that, while the PCI Security Standards Council manages the standards, it is the individual card brands that enforce compliance and issue penalties for noncompliance. Due to differences in level definitions, risk levels and the local payments architecture, each card brand — and potentially each region — may have a different validation deadline.

While the best answer to the question of compliance deadlines is to check with your acquirer and card brand, the following general deadlines apply for U.S. merchants:

September 30, 2007 — The date by which all level 1 merchants (those processing six million or more transactions annually) were expected to be fully PCI DSS compliant.

December 31, 2007 — The date by which all level 2 merchants (1,000,000-5,999,999 transactions annually) were expected to be fully PCI DSS compliant.

To some extent, compliance with PCI DSS is interpretive — organizations’ definitions of “business need-to-know” may differ. Each business is responsible for ensuring that it is in compliance with the current PCI standard, federal and state regulations, and internal/external auditing requirements for data security.

Vendors Respond to Market Need 

Many of the Quality Manage­ment/Liability Recording suite providers, also known as Work­force Optimization vendors, have introduced product enhancements to the recording, security, encryption and auditing capabilities of their suites to enable customers to comply with PCI standards. Some vendors are investing in enhanced encryption functionality. Others are investing in tagging to notify the application when it should stop recording. Some vendors are using speech analytics to prevent recording and/or to mask sensitive customer data. The list of vendors that have addressed or are working on enhancements to support PCI standard compliance includes
(but is not limited to): Autonomy etalk, CallCopy, NICE, OnviSource, TeleDirect, Verint and VPI.

Don’t Delay

Organizations that do not meet PCI data security requirements run the risk of financial or operational consequences and/or the possibility of class action suits, as well as a public relations debacle. Contact center managers should work with their compliance officers, internal and external auditors, merchant banks, IT groups and Quality Manage­ment/Recording vendors to ensure compliance with these important standards.

 

Partial List of PCI Requirements

 

Donna Fluss is the Founder and President of DMG Consulting LLC. donna.fluss@dmgconsult.com 

 

Download Article

TAGS: Data Security, Caller Privacy Issues, Securing Customer Data

Call Center Insider
Your Weekly Source for Call Center News and Best Practices