Protecting payment card data is essential in every environment, including when card data is taken over the telephone. The parts of an organization that handle cardholder data by phone, typically call centers, are particularly exposed to fraud and theft of that data, so any business that takes card payments over the phone needs to secure them deliberately.
Businesses and organizations that process payment card data over the phone must maintain compliance with the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS sets out protections for cardholder data end to end, and telephone-based payment card data is no exception. However, telephone-based environments have unique vulnerabilities that make it harder to achieve and maintain compliance. Understanding the risks in call center environments can inform a decision to overhaul your PCI DSS implementation so that it properly covers telephone-based payment card data.
Telephone-Based Payment Card Data and PCI DSS
Many organizations that handle telephone-based payment card data believe they are already compliant with PCI DSS. This belief usually stems from the mistaken understanding that PCI DSS only concerns how payment card data is secured when it is accepted and transmitted through a terminal or in an online environment. While that is a core thrust of the requirements, it covers only a portion of the interactions in which cardholder data is handled. In addition to terminal and online transactions, businesses must ensure that telephone-based interactions with payment card data are secured.
Telephone-based interactions with cardholder data are covered by PCI DSS as well. These are card-not-present (CNP) transactions. CNP transactions have drawn increasing attention from cybercriminals: as the physical and technical protections for card-present transactions have improved over the last decade, fraud has shifted toward CNP channels, where those protections do not apply.
In summary, telephone-based interactions with payment card data are in scope for PCI DSS. This presents unique challenges for businesses and organizations that handle transactions over the telephone, because of factors specific to the direct interaction between a call-center employee and a customer. Given how attractive CNP transactions are to cybercriminals, securing telephone-based payment card data in line with PCI DSS is essential to avoid the loss of sensitive data.
Unique Challenges for Call-Center Environments
Call center environments pose unique challenges for securing sensitive cardholder data. Because of the nature of interactions in a call center, cardholder data bypasses many of the safeguards that secure its storage and transmission across the rest of an organization's network. Put another way, many of the mechanisms through which PCI DSS keeps cardholder data secure cannot easily be applied to telephone-based transactions.
There are a variety of intersecting forces that influence the security of cardholder data in a call center environment. Foremost among these is the fact that call center staff will be directly handling cardholder data. This direct interaction presents an opportunity for fraud that isn’t present when instances of human interaction with sensitive cardholder data are avoided. Additionally, call center staff may not have the security literacy to avoid behaviors that may result in a breach. These factors are combined with the reality that many call centers experience a high turnover rate in staffing, presenting an ongoing area of security risk that must be addressed in order to attain or maintain PCI-DSS compliance.
While call center staff pose an ongoing risk to cardholder data, there are other factors that make call centers particularly difficult to secure. Consider that telephone-based transactions are occurring in a customer-service context. Call center staff generally operate under an organizational desire to provide superior customer service. Because of this, many call centers record the conversations between customers and staff. While recording conversations makes sense in order to provide consistent customer service, it presents further challenges when complying with PCI DSS requirements. In addition to ensuring that cardholder data is secured during and after the transaction, organizations that retain telephone-based call history must ensure that those recordings are adequately secured in line with PCI DSS standards.
It should be noted that local or regional laws or regulatory bodies may require organizations to make and retain recordings of call-center interactions. Where these types of regulations apply, PCI DSS requirements do not supersede legal requirements to make or retain recordings of calls. This presents unique challenges for securing call-center environments due to the fact that complete cardholder data, including sensitive cardholder information, may be recorded in the course of a customer service interaction. If cardholder data is not obfuscated, or if the recording is not properly secured, a serious risk of a data breach can exist.
How to Protect Payment Card Data in Telephone-Based Environments
The challenges of handling payment card data over the phone can make it difficult to satisfy PCI DSS requirements and organizational goals or regulatory requirements at the same time. First, understand from the outset that PCI DSS does not override any legal or regulatory requirement to retain call records. Organizations will still need to implement security best practices so that sensitive cardholder data is protected, which sometimes means walking a fine line between PCI DSS and other obligations. Note also that the recommendations below cover payments taken over the telephone; mobile payment acceptance is a separate topic with its own PCI SSC guidance.
In this section, we break down measures that organizations accepting cardholder data over the phone can implement to secure that data while meeting their other obligations. These suggestions are drawn from the PCI Security Standards Council (PCI SSC) information supplement "Protecting Telephone-Based Payment Card Data". That supplement was released in 2011 and still applies under the current standard, but the PCI SSC has announced a revised and updated version that may offer different guidance. As such, keep abreast of PCI SSC updates to ensure that your organization is implementing current security recommendations for telephone-based transactions.
Retention of Sensitive Authentication Data
Organizations that accept cardholder data over the telephone should carefully track when, how, and where cardholder data is retained. Under PCI DSS requirement 3.2, sensitive authentication data may not be stored after authorization, even if encrypted. This includes full track data from the magnetic stripe or chip, the card verification code (CAV2/CVC2/CVV2/CID), and PINs or PIN blocks. Other cardholder data should be retained only when absolutely necessary, with a disposal procedure for when it is no longer needed. Sensitive authentication data should never be stored in audio or video recording files, such as WAV or MP3; where cardholder data does end up in a recording, keep that recording for the shortest time that regulatory or legal requirements allow.
Primary Account Number (PAN) Masking
Organizations must ensure that the PAN is obscured except where someone has a legitimate business need to see the whole account number. To accomplish this, the PCI SSC recommends segmenting call-center operations so that the number of people with access to full PANs is limited. Where a PAN is displayed, it should be masked (PCI DSS requirement 3.3) so that at most the first six and last four digits are visible. Organizations should consider a software solution that masks the PAN as it is entered, or one in which the customer enters the card data without the agent hearing or seeing it at all. This last approach is known as "un-scoping" (or de-scoping), because it removes the call center agent from the scope of PCI DSS. Finally, requirement 3.4 applies wherever the PAN is stored: it must be rendered unreadable, for example by truncation, index tokens, one-way hashing, or strong encryption.
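The two requirements above, not storing sensitive authentication data and masking the PAN wherever it is displayed or retained, can be checked mechanically in the one place call centers most often leak them: free-text agent notes and call transcripts. The following is an added example written for this article, not code from the PCI SSC supplement or from any product. It assumes notes are plain text, that card verification codes appear after a label such as "CVV" or "security code" (the label list is an assumption; tune it to your agents' habits), and it uses the Luhn check so that order numbers and other digit runs are not flagged as PANs. The sample notes are constructed; the card numbers in them are standard test numbers, not real accounts.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# and not part of a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# A labelled card verification code in free text. The label list is an assumption
# for this example; extend it to match how your agents actually write notes.
SAD_LABELLED = re.compile(
    r"\b((?:cvv2?|cvc2?|cav2|cid|security\s+code)\b[\s:#=-]*)(\d{3,4})\b",
    re.IGNORECASE,
)


def luhn_valid(digits: str) -> bool:
    """Luhn check: filters out most order numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the PANs (digits only) in text that pass the Luhn check."""
    pans = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            pans.append(digits)
    return pans


def mask_pan(pan: str) -> str:
    """Mask a PAN for display: at most the first six and last four digits stay visible."""
    digits = re.sub(r"[ -]", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_note(note: str) -> str:
    """Make an agent note safe to retain: drop SAD outright, mask any Luhn-valid PAN."""
    note = SAD_LABELLED.sub(r"\1[REMOVED]", note)

    def mask_match(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)

    return PAN_CANDIDATE.sub(mask_match, note)


# Constructed sample notes (not real data; 4111... and 5555... are standard test numbers).
SAMPLE_NOTES = [
    "Cust called re order 88213; took payment on 4111 1111 1111 1111 exp 12/26 CVV 123",
    "Follow-up: account ref 1234-5678-9012-3456, no card taken",
    "Refund to card 5555555555554444, security code: 9876 verified by phone",
]


def scan_notes(notes):
    """Report which notes still hold a PAN or labelled SAD, and their redacted form."""
    report = []
    for n in notes:
        report.append({
            "pans": find_pans(n),
            "has_sad": bool(SAD_LABELLED.search(n)),
            "redacted": redact_note(n),
        })
    return report


if __name__ == "__main__":
    for row in scan_notes(SAMPLE_NOTES):
        print(row)
```

The second sample note contains a 16-digit account reference that fails the Luhn check, so it is left alone; the other two are rewritten so that only the masked PAN survives and the verification code is gone. Roughly one in ten random 16-digit strings passes Luhn, so treat hits as candidates for review rather than proof, and remember that this only covers text: audio recordings need a pause-and-resume or agent-free entry approach, as the un-scoping discussion above describes.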
Encrypt Cardholder Data in Transit
In line with PCI DSS requirement 4, organizations must encrypt cardholder data transmitted across open, public networks. This is especially important where customer service agents work from home or otherwise remotely: remote staff should reach the organization's systems only through an encrypted Virtual Private Network (VPN) connection. Agents should never relay cardholder data over unencrypted messaging apps or similar tools. Note that VoIP is a network transmission too: where call audio carrying cardholder data crosses a public network, it needs the same protection (for example SRTP for the media and TLS for the signalling), and where that cannot be assured, analog telephone lines are the safer choice.
Access Controls
Access controls are especially important in call center environments, particularly for recordings that contain cardholder data. The PCI SSC recommends that access to such recordings be limited by individual login, so that only specific users can reach recordings containing full cardholder data. It also recommends segmenting operations so that only a limited number of agents handle cardholder data at all. Lastly, staff working from home should use multi-factor authentication when connecting to the organization's network, as PCI DSS requires for remote network access, so that security is maintained for remote employees.
Implement a Security Policy
Organizations that accept cardholder data over telephone-based systems must implement a strong security policy that aligns with PCI DSS requirements. The PCI SSC recommends a variety of measures for organizations that operate call centers. These include clearly outlining the security responsibilities of all employees so that each is aware of the requirements of their position, and defining daily operational security procedures that ensure PCI DSS requirements are met. Employees should be screened prior to hire as a security best practice. Remote employees should be monitored, and access controls should block the copying of files containing sensitive cardholder data to local storage. The policy should also include training so that call center staff know their responsibilities; that training should be ongoing, to build a culture of security awareness.
Call Center Recordings
Aside from staff, recordings of call center interactions represent a significant area of risk, so organizations that retain them should take steps to secure them. Most importantly, sensitive authentication data (card verification codes, PINs, and full track data) should never be retained in a recording. Both the tool used to record calls and the recordings themselves should have restricted access. Any access to a recording containing cardholder data should be logged, and an inventory management system for call center recordings should be implemented. Organizations should also design and enforce a policy under which recordings are kept only as long as organizational or legal obligations require, with a clearly defined destruction procedure applied once that period ends. Auditing of this entire process should confirm that it is carried out correctly. Lastly, any storage or backup solution holding recordings of telephone-based payment card interactions should be secured.
Accepting payment card data over telephone-based systems presents unique challenges for organizations seeking to maintain PCI DSS compliance. Many of the security implementations that have made face-to-face or online purchases more secure are bypassed in a call center environment. This forces organizations to take additional steps to ensure that cardholder data remains secure when it is taken over the phone.
In order to ensure that cardholder data remains secure in a call center environment, organizations must review the people, systems, and processes in this environment to identify any gaps in security and address them before a breach. This includes implementing background checks on new hires, developing a comprehensive information security policy with a call center environment in mind, and developing and enforcing strong access control measures. Organizations should consider limiting the amount of cardholder data that is retained and limiting the length of retention for recordings to the minimum level possible given organizational objectives and legal or regulatory requirements.
Given the challenges presented by call center operations for maintaining security, some organizations choose to remove their call center operations from the scope of PCI DSS requirements. This process in itself can be challenging and complex. Due to the difficulty in implementing PCI DSS requirements in call center environments, it is recommended to work with a Qualified Security Assessor to ensure that all individuals, assets, and systems that are in-scope for PCI DSS are compliant. If you have questions about cybersecurity solutions or whether your telephone-based payment card data is secured, contact RSI Security today.