The aim of the Payment Card Industry (PCI) Data Security Standard (DSS) is to safeguard the security of customers’ card payments and payment card data, including ‘cardholder not present’ transactions in contact centers. Its 12 headline requirements list over 300 individual mandatory controls dealing with the cardholder data environment (CDE) that is ‘in scope’ of the standard. This specifically involves the Personal Account Number (PAN, or long card number) and the sensitive authentication data (SAD) such as the CVV/CV2.
The PCI Standards are regulated by the PCI Security Standards Council, the global body set up by the card brands (Visa, Mastercard, American Express etc.) and of which Syntec is a participating member. Their latest guidance on protecting telephone-based payment card data, published in 2018, states that
“For organizations committed to taking payments over the telephone, consideration should be given to techniques that minimize exposure of PAN and SAD to the telephone environment and balance that with user/customer experience requirements, with the object of significantly reducing the CDE or eliminating the CDE altogether.”
So the consensus amongst security experts on the best way to achieve PCI DSS compliance is to stop the card numbers entering the contact center at all, to ‘de-scope’ your agents, the contact center environment and call recordings from the PCI DSS regulations. This means for instance ensuring that the agent is no longer exposed to the sensitive card numbers during the process of taking payment, nor capturing them in call or screen recordings or exposing them in your network, whether the payment is by phone or using digital channels such as e-mail, webchat and SMS.
Why does PCI DSS compliance matter?
Data security breaches can be catastrophic for your organization. Just one instance can damage your reputation beyond repair and open you up to the possibility of lawsuits, insurance claims and lost customers, from which it may take years to recover – and, with the advent of GDPR data protection applying to European citizens, much higher fines for data breaches.
Complying with PCI DSS means that your systems are secure and customers can trust you with their payments. Merchants and service providers are now required to certify to their acquiring banks that they are compliant.
PCI DSS controls
Amongst the recommendations which apply to contact centers which do handle cardholder data, it is worth highlighting:
- It is a violation to store sensitive card data after authentication without proper protection, including in call recordings – and in particular it is prohibited to store/record the CVV/CV2 at all.
- Where it is necessary to record calls (for quality control or regulatory purposes), appropriate technology should be introduced to prevent the recording of these elements.
- The PAN must not be held in a manner accessible to others and should be masked in part if/when displayed (e.g. last 4 numbers only).
- Encryption should be used when storing or transmitting sensitive data, which particularly stresses the need to avoid using unencrypted VoIP telephony.
- Agents and homeworkers who do have access to card details should be tightly supervised to ensure that they are not able to store or transmit sensitive client data (known as ‘clean rooming’).
The PCI Security Standard Council (PCI SSC) guidance on Network Segmentation concludes that
“Effective segmentation can greatly reduce the risk of CDE (Cardholder Data Environment) systems being impacted by security weaknesses or compromises originating from out of scope systems.”
But network segmentation is in addition to, rather than instead of, PCI DSS compliance. It is important to remember that the contact center environment is very much in scope if handling card payments and requires annual assessment or audit (depending on merchant level) against all the relevant PCI DSS controls, unless you take steps to de-scope this environment by stopping the card data entering the contact center in the first place.
Point to point encryption (P2PE) and DTMF masking
Two solutions often considered by merchants to meet the requirements of PCI DSS are point-to-point encryption (P2PE) and DTMF masking.
- Point-to-point encryption (P2PE) encrypts card data on a pin pad before it enters your data network, keeping the sensitive cardholder data away from your systems and network.
- DTMF masking allows your contact center to take card payments securely using dual-tone multi-frequency (DTMF) capture technology: the customer uses their telephone keypad to provide their payment card data while the agent and customer remain in conversation (or via customer self-service IVR), and the keypad tones are masked so that neither the agent nor the call recording receives the digits.
DTMF masking has the greater benefit over P2PE of taking your entire contact center out of scope, including your agents and call recordings, which would still remain in scope using P2PE.
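As an added illustration of the DTMF-masking flow and the ‘last 4 only’ / no-CVV-storage controls described above (example code written for this page, not Syntec’s product or any PCI SSC reference implementation): a toy call-event gateway that diverts keypad digits away from the agent/recording stream, retains only a masked PAN after authorization, and scans a recording transcript for card numbers that got through. The event tuple format, the IVR `prompt` convention and the sample card number are constructed assumptions.

```python
import re
from dataclasses import dataclass

@dataclass
class PaymentCapture:
    """Keypad digits held on the payment side only; never routed to the agent desktop or recorder."""
    field: str = ""   # which value the IVR prompt is currently collecting: "pan" or "cvv"
    pan: str = ""
    cvv: str = ""

def luhn_ok(digits: str) -> bool:
    """Mod-10 check on a candidate PAN (rejects obvious mis-keys before authorization)."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Display form permitted by the 'last 4 numbers only' control."""
    return "*" * (len(pan) - 4) + pan[-4:]

def route_call_events(events, capture):
    """Feed one call's events (constructed ("speech"|"prompt"|"dtmf", value) tuples) through a
    DTMF-masking gateway. Speech passes to the agent/recording stream; keypad digits are
    swallowed into `capture` and replaced by a flat placeholder so nobody downstream sees them."""
    agent_stream = []
    for kind, value in events:
        if kind == "speech":
            agent_stream.append(value)
        elif kind == "prompt":            # IVR tells the gateway which field comes next
            capture.field = value
        elif kind == "dtmf":
            if capture.field == "pan":
                capture.pan += value
            elif capture.field == "cvv":
                capture.cvv += value
            agent_stream.append("[tone]")
    return agent_stream

def authorize_and_retain(capture):
    """What may persist after authorization: the masked PAN only; the CVV is discarded."""
    if not luhn_ok(capture.pan):
        return None
    retained = {"pan_masked": mask_pan(capture.pan)}
    capture.cvv = ""                      # SAD must never be stored post-authorization
    return retained

PAN_RUN = re.compile(r"(?:\d[ -]?){13,19}")

def recording_leaks_pan(transcript: str) -> bool:
    """Detection check for recordings/transcripts: a Luhn-valid digit run means card data got through."""
    return any(luhn_ok(re.sub(r"[ -]", "", m.group())) for m in PAN_RUN.finditer(transcript))
```

Running `recording_leaks_pan` over existing recording transcripts is a cheap way to verify that a masking deployment actually keeps the CDE out of the recorder.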
What a payment security expert says:
Kevin Dowd, PCI DSS QSA & Group Chairman, CNS
What consumers say
- 63% say there have been times when they have not bought something due to concern about payment card security when paying over the phone
- Only 8% of consumers strongly agree that organizations they buy from over the phone will keep their personal and card details secure
- 81% of consumers would not give their card details to a company they knew had had a data breach
- When asked how call center managers should best ensure the security of their payment card details, consumers select DTMF masking as the most popular option
Source: Syntec consumer research, 2018
What contact center IT & Ops managers say
- 62% agree that they too are reluctant to make payments over the phone in their personal life