An Introduction to… PCI Compliance

Our panel of experts explain everything you need to know about PCI compliance, from costing to day-to-day maintenance.

What is PCI compliance?

If you take credit card payments, you need to be PCI compliant.

Being PCI compliant refers to making sure that all details (credit card numbers, and 3-digit CSV numbers) are handled in a secure environment.

All organisations are required to be compliant with the Payment Card Industry Data Security Standard (PCI DSS) – renewing their certification every year. This includes those whose credit card processing is handled entirely by a third party.

Background

PCI DSS is, in its simplest form, a set of requirements designed to ensure all companies that process, store or transmit payment card information, whether they are credit, debit or prepaid cards, do so in a secure environment.

The standard was created to increase controls around cardholder data to reduce fraud. The standard was created in 2004 and over the last eleven years, revisions have been released to clarify the requirements and position to the latest version, 3.1, which was released in April 2015.

It was set up by some of the major payment card brands and currently covers all payment cards from American Express, Discover, JCB, MasterCard, and Visa International.

It is administered by the Payment Card Industry Security Standards Council.

The main PCI DSS Requirements:

• Install and maintain a firewall configuration to protect cardholder data
• Do not use vendor-supplied defaults for system passwords and other security parameters
• Protect stored cardholder data
• Encrypt transmission of cardholder data across open public networks
• Use and regularly update anti-virus software or programs
• Develop and maintain secure systems and applications
• Restrict access to cardholder data by business need to know
• Assign a unique ID to each person with computer access
• Restrict physical access to cardholder data
• Track and monitor all access to network resources and cardholder data
• Regularly test security systems and processes
• Maintain a policy that addresses information security for all personnel

Please note that this is a simplified list – however, the full requirements are extensive.

There are many reasons why PCI compliance is important. Not only does it create confidence for customers that their payment card data is safe, it also gives reassurance to partners and shareholders, and ensures that staff are protected from any potentially sensitive customer information.

Contact centres, like any other organisations that store, process and transmit cardholder data, must meet PCI compliance regulations. Certain portions of sensitive cardholder information (such as PIN numbers or full magnetic stripe data) cannot be stored, even in the most secure fashion.

PCI is not a government law. But, if an organisation wants to process credit cards as a convenience to their customers, failure to abide by PCI and the brand’s regulations can directly impact the organisation’s ability to do so – and adversely impact their business as a result.

How do I become PCI compliant?

A good initial step is to engage with your bank and understand their expectations. PCI DSS compliance is an ongoing activity, not a one-off exercise. The payment transaction process has to be assessed each year. A simple rule is – if you don’t need to store it, don’t store it.

There are different levels of certification required dependent upon a number of factors:

• Level 1 certification
• Self-certification
• Service provider certification

You can only self-certify if you have never suffered a breach, and you are carrying out all card processing in-house, or are using the services of a third party that has attained Level 1 certification.

The third-party certification must be current and covered by the formal document called an AoC (Attestation of Compliance).

Here is where the difference between “compliant” and “certified” becomes critical. If you use a third-party solution that is declared as “compliant” it is true that the card details may never even reach your contact centre equipment or personnel – making it impossible for you to suffer a local breach. However, if the provider does suffer a breach of your card data, you would still be responsible for the loss suffered.

If the service provider is certified, they have at great expense been independently inspected to ensure a breach should be impossible and they will be covered by that third party’s professional indemnity.

Your contract with the outsourcer should reflect this chain of liability.

To maintain PCI compliance, a number of actions need to be completed every year – including:

• Training staff to follow PCI DSS procedures
• Making sure that you are only keeping data that is essential and ensure it is secure. (Note – some things you cannot store for any period. Information that you can store does not need to be encrypted, but it has to be secure.)
• Monitoring and controlling access to your e-commerce environment (i.e. making sure you have security controls for your e-commerce environment).

There is a much shorter list of requirements for those that are using a hosted solution; however, that hosted solution must be able to provide their Level 1 certification documentation.

Applications for PCI compliance should be made through the PCI Security Standards Council.

The consequences of potentially being non-compliant can be severe and can affect card transactions over the phone as much as any other channel.

In order to ensure no personal authorisation information is captured or stored when accepting transactions over the phone, here are some options to consider:

1. Automated Payment

A PCI-compliant Interactive Voice Response (IVR) payment system can remove your agents from the process of handling sensitive payment details.

When it’s time to make a payment, customers are transferred to a system that’s already PCI compliant, where they can enter their details and make the payment.

The potential disadvantage here is that for organisations selling products, or even for those processing charitable donations, for example, the handover to the IVR system can have an impact on the sale. Handing the caller over to an automated system takes the agent out of the loop, reducing the number of completed transactions.

If a call passes through equipment, even if no data is being recorded, then that equipment is in scope of PCI compliance. The method described here only works if all calls pass through the IVR payment system hardware, even if no card data is passed on those calls. The IVR payment platform would need to be certified if it was an external platform.

2. DTMF Suppression

DTMF suppression works by capturing the DTMF tones and altering them so that the cardholder’s details (such as card number, expiration date and service code) are not identifiable by the agent. The details are also not stored on the call recording. The customer is able to input their card information using their own telephone keypad, with the generated DTMF tones then being altered.

Only numeric data, typically the card number, the date of expiry and the CVV number is prevented from being exposed to the agent and the call centre environment.

The advantage is that the call recording is not paused, and that the agent and customer should be able to communicate throughout the payment process.

This solution is typically employed by cloud/hosted solution providers to prevent the card data ever reaching the call centre environment.

3. Automated Pause & Resume

With this approach, PCI compliance is achieved by ensuring the recording system stops during the payment process – when sensitive customer information is being given. This can be achieved by integrating the call recorder with the agent desktop or other transactional systems being used. Automated Pause & Resume ensures that when the agent enters the payment details screen, a trigger is generated to the recorder in order to stop recording.

Once payment has been passed beyond the payment screen, a second trigger is generated to restart recording. Although rarer in nature, another similar option is to mute/unmute the call recordings rather than pause and resume; however, this solution is dependent on the recording system that is currently in place.

This process only mitigates the call recorder issue when attempting to achieve compliance or certification. The agent and all of the equipment used, such as the internal telephone network and the PC LAN, are in scope of the PCI compliance process.

It is a common misconception that to pause recordings makes an environment compliant. It is just one of the myriad of items (frankly an easy element) that needs to be addressed to achieve compliance.

4. Network Security

It’s also critical to ensure your entire network system is compliant with PCI guidelines. This begins with an effective firewall and router, as well as internal processes that provide additional layers of protection.

All traffic from unsafe networks and hosts should be restricted, and there should never be any direct access between any network component containing cardholder data and the internet. You also need to ensure that only authorised personnel can access the section of the LAN where card data is processed, and that all access is audited.

The key here is to have IT security policies and procedures that provide total visibility of the entire network, all its connections and who is entitled to do what. Without this visibility, the network will be prone to weak links that can be exploited by cyber-criminals and hackers.

5. Role-Based Security

In any contact centre environment, agent and supervisor desktops should have role-based logins to limit the number of staff exposed to sensitive data and ensure individual staff members only have access to what they need to do their job.

For example, a sales representative might be able to view customer details, but they may not be able to update or delete them. A team supervisor may be able to view the performance of the team that they are assigned to, but they (supervisors) should not be able to view the performance of other teams within the same contact centre or project.

6. Restricted Access to Sensitive Data

Contact centres should also consider the points at which any staff come in contact with data to ensure proper security and compliance.

Access to sensitive customer and payment data should be restricted (e.g. limiting access to key areas of the building by adopting an RFID card system). All access passwords should also be strong (e.g. a mix of numbers, and lower- and upper-case characters) and changed regularly.

Companies should also maintain a policy that addresses information security.

What to watch out for when becoming PCI compliant

Being complacent

Compliance is not a single exercise, but an ongoing process of assessment and reporting. You need to constantly monitor and tweak what you have in place as fraudsters will always be on the lookout for weaknesses in an organisation’s approach.

The best advice is to work with your auditors and legal teams to ensure that you are continuously on top of the issue. Ideally, you should employ a full-time member of staff, dedicated to ensuring that PCI compliance is maintained at all times.

Accidentally capturing details with your call recording system

If you’re using something like a PCI-compliant IVR system, you’ll need to be aware of call recording. It’s no good to let customers pay via an independent system if you’re going to be recording the details they enter.

An effective way to handle this is with one-sided recording, where only agents are recorded during the payment process.

You also have to ensure that everything the card details come into contact with undergoes assessment for PCI compliance.

Password protecting your recorder

Although limiting access to your recording platform and providing each user with a personal login and password is good systems management practice, this still does not constitute PCI DSS Compliance.

Encryption

Initially a common belief was that if you encrypted the recordings this would comply with PCI DSS.

Further clarification has proven that it is only the Primary Account Number (PAN) that can be retained in an encrypted format. Sensitive authentication data such as the CVV / CV2 number cannot be stored, whether this be encrypted or not.

Audio masking

With this option, an audio tone is inserted over the section of the call when the payment is being processed, similar to that of a TV bleep machine.

While this may seem compliant, sensitive data is still being retained and the system therefore does not adhere to regulations.

Not determining the level of security in your contact centre

Ask yourself the questions below to determine the level of security in your contact centre:

a. Can you make your monitoring processes more rigorous?

Manual sampling of recorded calls or contacts provides little to no prevention of non-compliant behaviour or protection against litigation. Speech analytics technology can enhance your continuous monitoring capabilities and minimise costs by tracking every conversation and ensuring that the right PCI compliance procedures are in place.

b. Can you easily minimise or eliminate human error?

As some recording systems rely on a change in payment processing, agent intervention or integration with the CRM system when sensitive data is being collected, there is a reasonable degree of human error involved in these types of transactions. Speech analytics technology can prevent sensitive cardholder data from being recorded; call recording is automatically muted when account numbers, security codes, and other sensitive information is spoken.

c. Who has access to sensitive data?

To safeguard against data theft and mitigate potential disaster, it’s a good idea to evaluate which groups of agents have access to certain information. Information should be compartmentalised so that individual agents only have access to the specific information they need to do their job. Role-based logins, for example, can limit the number of staff exposed to sensitive data, which ultimately makes consumer data more secure.

d. What security questions are your agents asking customers?

Confirming a telephone caller’s identity prior to proceeding with a call relating to confidential information is also critical.

What steps is your call centre taking to reassure customers their personal information is being handled properly?

While the specific questions asked by call centres varies across industries, the most common security check involves a three-question verification of the caller: 1. account or reference number, 2. customer’s name, and 3. address or date of birth.

e. Is your customers’ data protected by physical security measures?

In addition to infrastructure, staff, and user security, contact centres should also take physical security measures to restrict access to sensitive customer and payment data. For example, call centres should restrict access to key areas of the building by adopting an RFID card system. Additional security measures may include surveillance cameras, as well as security staff with suitable background checks.

f. Can you prove that you acted in a way that was PCI compliant?

In the event that a customer complains or there is a compliance investigation, it is vital that you can prove that you operated in a compliant way. Interaction analytics technology that records every customer interaction makes it possible for you to recover individual customer interactions to prove that they were handled correctly. To be able to do this quickly and with certainty when needed can significantly reduce the potential brand damage for an open and unresolved complaint.

This is where the real cost of compliance is. Stopping card details being retained either by design or by unauthorised monitoring is reasonably easy. Providing the infrastructure and logging to prove that these activities have not taken place can be time consuming and expensive.

What are the consequences of not being PCI compliant?

Monthly fines for non-compliance

Organisations can be fined by banks and card institutions for non-compliance based on forensic research needed to remedy the breach.

Fines can range anywhere from £3,500 to £250,000.

These fines are not always just a lump sum, but can also be levied monthly. Fines can also be issued per registered point of sale device, so for an organisation with multiple devices taking payments – perhaps if they have lots of different locations – the scale of the fine could easily escalate.

The cost of the forensic investigation is borne by the company with the suspected breach, and the merchant can be liable for any fraud that takes place due to the breach.

Fines will be imposed in 2016 based on a percentage of global turnover

PCI failure means a loss of customer trust, which impacts the brand, customer loyalty and therefore the bottom line.

We have all seen the news on some of the UK data breaches during 2015, and the plunging share prices thereafter. If this wasn’t enough, then the fines imposed for a breach should also be enough to open most senior executives’ eyes to the need to take the standard seriously.

Expect to hear news of even more punitive fines in the offing for failure in 2016 as well, as they will now be imposed based on a percentage of an organisation’s global turnover.

Withdrawal of merchant services

If compliance isn’t met, the financial institution may be forced to terminate their relationship with an organisation, preventing them from accepting payments by card.

The withdrawal of merchant services essentially entails the withdrawal of their Merchant ID. For any organisations that rely on taking card payment from customers, this is the ultimate price for them to pay.

Loss of customer confidence

While being PCI compliant is extremely important, the trust your customers place in you should not be overlooked.

It is the organisation’s responsibility to protect each and every customer’s personal details. Providing your customers with the confidence that you are safeguarding their highly personal information is crucial.

There are lessons to be learnt from TalkTalk

Almost 157,000 TalkTalk customers had their personal details hacked in October 2015’s cyber-attack on the telecoms company, including 15,656 whose bank account numbers and sort codes were hacked.

TalkTalk came under fire when it was revealed that their customers’ personal data was not encrypted, and it admitted to a lack of compliance with web security standards for credit card payments and data handling.

In the wake of the news of the cyber-security attack, TalkTalk’s company share price dropped by 10% in the first few hours of the London stock exchange opening. It was estimated that the data security breach could cost the company up to £35 million. This figure is before the loss of existing and potential customers and the cost of the company’s damaged reputation is taken into account. They will clearly have to work hard to rebuild customer confidence and trust.

Being compliant with PCI DSS demonstrates that a business is doing its best to keep customers’ information safe and secure – and out of the hands of people who could use that data fraudulently.

What is key here is that compliance and even certification does not absolve the merchant from the consequences of a breach.

Most companies have the option of self-certification, which means that they have read, understood and followed the PCI guidelines and formally submitted the paperwork declaring this. If a breach occurs, they will still be liable.

If they are using a third party, they will not be able to achieve even self-certification unless the third party has achieved Level 1 certification. In order not to be liable for all of the consequences of any breach, their contract with the third party should reflect the level and limitations of liability.

How much should I budget for achieving and maintaining PCI compliance in the contact centre?

Prices for becoming PCI compliant vary from business to business and are reliant on a range of different factors – including business type, number of transactions processed, active IT infrastructure as well as existing debit/credit card processing and storage procedures.

This depends so much on the level of certification / compliance that is required.

Compliance without certification is not helpful for companies that operate as outsourcers. It is generally only useful to provide a level of confidence to in-house contact centres that a breach is less likely to occur having followed the guidelines.

Prices for maintaining PCI compliance

Level 1 certification requires approximately ½ a dedicated man-day per day for the various PCI specific activities in order to maintain compliance. The annual subscriptions for various anti-virus and intrusion detection systems alone can add up to tens of thousands.

To achieve compliance can be as simple as completing and submitting paperwork that declares all card data is managed within a certified third party. However, in the case of Level 1 certification, the controls are exceptionally onerous, and the changes in network infrastructure can take years of man-hours, and external consultancy time from the QSA.

A small company would likely look at around £500 to £5,000 annually for assessment, scanning and training.

For remediation it could be anywhere from £100 to £10,000, depending on their current levels of compliance.

Large companies would likely be seeing around £50,000+ per year for assessment, scanning and training.

Remediation can go from a probable starting point of £10,000 to maybe £100,000.

The technology you choose to implement

From a recording standpoint, the costs for PCI compliance depend on which solution is chosen.

Automated PCI using desktop triggering, for example, can range from approximately £7,000 to £30,000, depending on the recording solution.

For the application programme interface (API) the software costs can also vary (ranging anywhere from £7,000 to £20,000, depending on the solution), but there will be additional costs for development of the API interface itself.

However, it is worth considering that the API method may not always be appropriate – as the payment application may be an external application. API is best suited to ‘home-grown’ payment applications.

Added costs of staff training and physical security

Overall, budgets should also allow for the following:

• Staff training to ensure compliance
• IT security
• Physical security
• Interaction analytics technology (to protect the organisation from human error by automating compliance procedures as much as possible – and provide an audit trail to prove compliance if needed)

What have you done in your contact centre to become PCI compliant?

Share your tips

With thanks to the following for contributing to this article:

• Atiq Rehman at Business Systems
• Nigel Olding at Enghouse Interactive
• Lucille Needham at Genesys
• Kieron James at Nexbridge
• Chris Key at Hostcomm
• Steve Murray at IP Integration
• John Crites at CallMiner
• Justin Hamilton-Martin at Ultracomms
• We would also like to thank Darren Sullivan at Ultracomms for his detailed knowledge in fact checking this document.