Contact and call centers collect a great deal of data as the backbone of customer service. This information includes bank account numbers, social security numbers and, most notably, payment card numbers. As a result, call centers must comply with PCI DSS.
While handling payment card data is not a call center's primary function, call centers are not exempt from PCI DSS requirements. The PCI Security Standards Council (PCI SSC) publishes additional guidance on safeguarding cardholder data communicated over VoIP.
Call centers and organizations that accept credit card payments over the phone may not be sufficiently prepared to implement PCI DSS requirements. Below you can find critical components and potential design solutions to minimize the scope and risk of your PCI environment.
What Does PCI Compliance Mean for Call Centers?
Telephone systems in call centers have traditionally been left out of PCI scope, because the risk of a man-in-the-middle attack compromising phone-based card number transmission is generally considered low.
Many call center processes require customers to read their payment details aloud to an agent, who then keys them into a secure card terminal. Call-recording systems used for quality assurance can be enhanced with "pause and resume" functionality so that the customer's payment details are not captured in the recording.
Historically, merchants achieved PCI compliance by combining secure card readers with pause and resume. Still, these solutions solve only part of the problem, because they only remove the agent workstation from scope.
Pause and resume prevents sensitive data from being stored in call recordings. Still, it does not address the underlying phone systems and VoIP infrastructure over which the card number travels.
According to PCI SSC guidance, VoIP infrastructure is the second important part of the compliance equation and is still considered in scope for the organization’s Cardholder Data Environment (CDE).
The PCI Council released its Phone-Based Payment Card Data Protection fact sheet in November 2018 to reiterate that PCI scope applies to VoIP processes and to provide additional guidance on securing phone systems.
Any voice traffic from the carrier network that terminates on business-owned or business-operated equipment and is forwarded to a payment processor must be considered in scope for PCI DSS, regardless of whether it is transmitted by analog, digital, or VoIP means.
In addition, any telecommunications equipment owned and operated by a third party but hosted on the organization’s infrastructure to provide access to a public network must also be considered under PCI DSS.
PCI SSC guidance emphasizes that PCI DSS Requirement 4.1 applies wherever account data is transmitted over a shared or public VoIP service.
What Solutions Are Available to Help Your Call Center Achieve PCI Compliance?
All of the solutions below reduce PCI scope and risk and move you toward PCI compliance, with varying degrees of effort and cost. DTMF muting solutions offer the highest level of protection for cardholder data among the available options and the smallest ongoing effort to maintain compliance.
DTMF (Dual Tone Multi-Frequency) Suppression or Mute
DTMF is the in-band tone signalling a telephone keypad produces. DTMF masking solutions use it to collect payment information and process transactions securely: customers key their card number into their telephone handset instead of reading it aloud to the agent.
A component upstream of the merchant's telephony environment captures the tones, so the agent can neither hear the digits nor see them on screen. The card number is shown masked on the agent's screen and sent to the merchant's payment processor through a secure environment to complete the transaction.
DTMF technology removes both call center agent workstations and VoIP infrastructure from PCI scope, addressing both parts of the compliance equation. Existing call recording can keep running in the background, and agents stay on the line with customers while the customers enter their card details.
How DTMF Technology Works
DTMF muting solutions can be deployed on-premises or in the cloud, depending on business and PCI compliance requirements. Regardless of the deployment model, the DTMF solution sits upstream of the merchant's telephony environment: in-scope inbound and outbound call paths are first routed through the carrier to the DTMF environment.
The DTMF provider captures and validates the cardholder details entered on the keypad and replaces the card-number tones with flat tones before the audio continues. The cleansed call, which no longer carries any cardholder data, is delivered through the carrier to the merchant's environment, where the transaction is completed. This method prevents cardholder data from being stored, processed, or transmitted in the merchant environment.
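To make the flow concrete, here is a small simulation of the masking leg described above. It is an added example, not code from the article or from any DTMF vendor: the event format, the CRM trigger, the PaymentProvider stub and the FLAT_TONE marker are all assumptions. Digits keyed while the masker is in capture mode never reach the merchant leg (what the agent and the call recorder hear); the PAN is Luhn-checked, handed to the stand-in payment provider, and the merchant application receives only a token and the last four digits.

```python
"""Simulation of a DTMF masking leg sitting between the carrier and the merchant.

Constructed example: the event tuples, the PaymentProvider stub, the CRM
trigger and the FLAT_TONE marker are assumptions, not any vendor's API.
"""
import secrets
from dataclasses import dataclass, field

FLAT_TONE = "*"  # stands in for the flat tone played in place of each keyed digit


def luhn_ok(digits):
    """Mod-10 check used to validate a keyed PAN before it is tokenized."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class PaymentProvider:
    """Stand-in for the PSP: receives the PAN and hands back a token (assumption)."""
    vault: dict = field(default_factory=dict)

    def tokenize(self, pan):
        token = "tok_" + secrets.token_hex(8)
        self.vault[token] = pan
        return token


@dataclass
class DtmfMasker:
    """Upstream masker: digits keyed while capturing never reach the merchant leg."""
    provider: PaymentProvider
    capturing: bool = False
    buffer: str = ""
    merchant_leg: list = field(default_factory=list)  # audio the agent and recorder receive
    results: list = field(default_factory=list)       # what the merchant app gets instead

    def start_capture(self):
        """Called by the agent's CRM when it is time for the customer to key the PAN."""
        self.capturing = True
        self.buffer = ""

    def on_event(self, kind, payload):
        if kind != "dtmf" or not self.capturing:
            self.merchant_leg.append((kind, payload))  # speech passes through untouched
            return
        self.merchant_leg.append(("dtmf", FLAT_TONE))  # agent hears a flat tone per key
        if payload.isdigit():
            self.buffer += payload
            return
        if payload == "#":  # customer signals the number is complete
            self.capturing = False
            pan, self.buffer = self.buffer, ""
            if 13 <= len(pan) <= 19 and luhn_ok(pan):
                token = self.provider.tokenize(pan)
                self.results.append({"token": token, "last4": pan[-4:]})
            else:
                self.results.append({"error": "invalid PAN, ask the customer to re-enter"})


def run_demo():
    """Replay a constructed call through the masker and return it for inspection."""
    masker = DtmfMasker(provider=PaymentProvider())
    masker.on_event("speech", "AGENT: please key your card number, then press the hash key")
    masker.start_capture()                          # CRM trigger
    for digit in "4111111111111111":                # constructed, well-known test PAN
        masker.on_event("dtmf", digit)
    masker.on_event("dtmf", "#")
    masker.on_event("speech", "AGENT: thank you, the payment has gone through")
    return masker


if __name__ == "__main__":
    m = run_demo()
    print([p for k, p in m.merchant_leg if k == "dtmf"])
    print(m.results)
```

The point of keeping `merchant_leg` and `results` separate is that everything on the merchant side (recorder, agent desktop, VoIP infrastructure) only ever sees flat tones and a token, which is exactly why those components fall out of scope.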
Reduced PCI Scope and Possible Risks
DTMF solutions reduce PCI scope for merchants because the VoIP infrastructure no longer processes or transmits cardholder data over voice or data links. Cloud deployment is the more seamless model and can reduce scope further by shifting responsibility for core infrastructure tasks such as system hardening, patch management, vulnerability scanning, logging, and monitoring to the provider.
If the DTMF solution is deployed on-premises, the infrastructure is hosted in the merchant's own environment, and additional controls, such as physical security and network configuration restrictions, will apply.
The organization must coordinate several groups, including business units, telecom, carrier providers, payment service providers, and even its PCI QSA, to deploy a DTMF solution effectively and obtain the full compatibility and security benefits.
Outsourced Call Center Operations
Organizations can outsource the processing of cardholder data to a PCI-compliant service provider to reduce liability and remove customer service processes and systems from their PCI environment.
When outsourcing call center functions, it is imperative to evaluate both the ongoing operational costs and the customer experience. Merchants that outsource their call center operations remain responsible for significantly fewer PCI DSS requirements.
P2PE + Pause and Resume + Network Isolation
Depending on the processes available and the complexity of the environment, organizations may choose a combination of solutions; however, creating an isolated environment for PCI systems can be a daunting task.
For example, network re-architecture will be required to separate PCI systems such as VoIP infrastructure or PBX servers from the rest of the corporate network and to limit scope creep.
P2PE card terminals are used to take agent workstations out of PCI scope, and pause and resume must be active while payment information is collected so that cardholder data is not stored in recordings.
Moving servers, reviewing configurations, testing connectivity, and deploying new hardware all require additional resources to create, secure, and maintain a dedicated PCI environment.
Information security controls such as anti-malware, vulnerability scanning, logging, and monitoring are also required in this scenario. The continual maintenance and support needed to keep the environment in a business-as-usual (BAU) state are crucial and require the participation of numerous teams.
What Questions Should You Ask Your Call Center About PCI Compliance?
You should ask your vendor whether they are PCI DSS compliant and how they plan to stay compliant. Depending on the services the vendor will supply, you may also wish to inquire about the following:
- What redaction capabilities does the call center provide, particularly for calls containing card numbers? PCI DSS sets tight rules for storing card numbers: companies cannot keep them in raw form, whether digital, audio, or paper. Even if your system keeps a card number for future use, it must store it encrypted so that only the last four digits are visible to employees. Call centers that record calls for quality assurance must have a way to keep card numbers out of those audio files.
- How is card information protected from unauthorized access? PCI DSS requires multiple layers of protection, including need-to-know access and login monitoring. Ask how your call center vendor restricts access to information and maintains access logs.
- What type of network security is used? PCI DSS requires stringent network security to reduce the exposure of consumer payment information. Ask call center vendors which controls they implement and what their plan is in case of a breach.
Call centers that deal with credit card data should have a detailed PCI compliance process policy guide. One way to ensure your call center is compliant is to ask for a copy of the PCI manual and ask questions to determine if actual day-to-day processes are compliant with policies.
What Are Risky Practices for Call Centers?
PCI DSS compliance is a step forward for call centers, but some legacy practices can compromise data security. Contact centers should avoid these practices at all costs.
The main practices that call centers should abandon are as follows:
- Unsafe voice handling. Many customers today phone a business when considering a purchase, which means many of them read their card details aloud over the phone. This can have serious ramifications, as data theft affects more than just voice transactions, and spoken card data lacks the encryption a secure transaction mechanism provides. Call centers must therefore avoid risky voice operations.
- Unauthorized access to payment information. Unauthorized access to payment information may compromise cardholder data. Therefore, access to payment data should be restricted. Customers should be advised not to share their credit card data with call center agents.
- Sharing sensitive cardholder data. Some processes require cardholder data to be shared; such sharing should not be allowed by default. Call center agents should be trained in handling cardholder data securely, and the training should cover the legal situations in which data sharing is permitted.
- Not reporting risky situations. Businesses encounter dangerous situations, and call centers are no exception. Many call centers think they can handle difficult situations on their own, but this is a mistake: failure to report complex problems can lead to significant data breaches. When a system violation is signaled, contact centers should report it.
- Unsupervised outsourcing. Outsourcing that is inadequately managed and lacks the necessary controls also increases cyber security risk. Essential security measures should therefore be built into outsourcing arrangements, and regular audits should be carried out.
- Using pen and paper. Some contact centers still use pen and paper to write down cardholder data. This is a significant risk for credit cardholders. A piece of paper can go missing, and anyone who finds it can use that data to make illegal purchases. For this reason, call centers should prohibit the use of pen and paper.
- Allowing mobile phones in the call center. Allowing cell phones doesn't just hinder productivity; it also carries the risk of data leakage. Cell phones are targeted by malware, and if a phone's microphone is compromised, cardholder data can be recorded. For this reason, mobile phones should not be allowed in call centers.
It's important to remember that solid data security and compliance always involve more than checking a box and calling it "done." Contact center compliance with PCI DSS is a must, and it is also essential to abandon outdated practices to ensure the security of payment data.
Protecting your valuable corporate data and your customer’s sensitive information is an ongoing process. The good news is that adhering to PCI DSS is always time and effort well spent. It benefits customers by assisting in the protection of their sensitive data and assists businesses in a variety of ways, including avoiding costly penalties and assisting in the prevention of potentially reputation-damaging data breaches.
PCI Compliance Best Practices for Call Centers
Accepting payments through multiple channels to maintain an omnichannel business is an integral part of business operations for many merchants. Still, it dramatically complicates the already complex task of protecting cardholder data in a PCI-compliant manner.
Contact centers continue to be the payment platform of choice for customers who want to speak with a live agent. Typically, contact centers collect both cardholder data and personal data to complete transactions.
As call centers evolve to serve their customers, they also grow to protect the sensitive data entering their environment. However, this evolution towards easier use and greater flexibility can also expand your organization’s attack surface and potential for data breaches.
So, how can call centers stay PCI compliant while assuring customers that their information is safe? The following PCI compliance best practices apply to call centers:
Redaction: According to the PCI Security Standards Council, recorded calls are subject to the same requirements as any other method of obtaining and keeping consumer card authentication data. Some recording systems give call center agents a button to pause recording while a card number is being stated; others integrate with the CRM system and pause recording automatically based on the agent's activity.
Use Point-to-Point Encryption (P2PE) Solutions: A widely used solution relies on PIN pad devices that support Point-to-Point Encryption (P2PE). These devices connect to a USB port on the agent's desktop and have a keypad for entering payment card data. The device encrypts the PAN as soon as it is entered and transmits the encrypted data directly to the P2PE provider, which integrates with the contact center applications. Only tokens are returned to the contact center for further processing and storage, keeping sensitive cardholder data out of the organization's systems. This portion of the cardholder data environment is therefore removed from PCI DSS scope.
Minimize Your Sensitive Data: Data minimization, or de-scoping, reduces both the scope and the amount of PCI compliance checking. It may seem self-evident that the simplest way to reduce your compliance burden is to avoid storing sensitive data in the first place, but for most organizations this is impossible: to accept payments or perform other business-required tasks, you must obtain payment card information and personal data. That inevitability doesn't mean you can't make a concerted effort to map the data on your systems and evaluate which types you need to store and which can be purged from your network. Cardholder data that is not stored on your internal systems is not in scope for PCI compliance.
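Pause and resume handles the audio, but transcripts, QA notes and CRM free-text fields are also "recordings" in the sense the Council means, and the vendor question above about keeping only the last four digits applies to them too. The following added example (not code from the article or from any recording product) shows the redaction logic such a system needs: it finds digit runs that look like card numbers, confirms them with the Luhn check so order numbers are left alone, masks everything but the last four digits, and removes outright a security code spoken right after an agent asks for it, since a CVV may never be stored at all. The transcript lines, the speaker format and the "[CVV REMOVED]" marker are constructed assumptions.

```python
"""PAN and CVV redaction for call transcripts and CRM notes.

Constructed example: the transcript lines, the speaker format and the
"[CVV REMOVED]" marker are assumptions, not output of any recording product.
"""
import re

# 13-19 digits, optionally separated by single spaces or dashes, not glued to other digits
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SPEAKER = re.compile(r"\[[^\]]*\]\s*([A-Z]+):")
CVV_PROMPT = re.compile(r"\b(security code|cvv2?|cvc2?|cid)\b", re.IGNORECASE)
SHORT_NUMBER = re.compile(r"(?<!\d)\d{3,4}(?!\d)")


def luhn_ok(digits):
    """Mod-10 check: separates real card numbers from order or ticket numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Keep only the last four digits, the most Requirement 3 allows staff to see."""
    return "*" * (len(digits) - 4) + digits[-4:]


def redact_pans(text):
    """Mask every Luhn-valid card number in text; return (new_text, count)."""
    count = 0

    def repl(match):
        nonlocal count
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_ok(digits):
            return raw  # order or ticket numbers fail the check and are left alone
        count += 1
        return mask_pan(digits)

    return PAN_CANDIDATE.sub(repl, text), count


def redact_transcript(lines):
    """Redact PANs on every line and drop the CVV a customer gives after an agent asks for it."""
    out = []
    stats = {"pan": 0, "cvv": 0}
    expect_cvv = False
    for line in lines:
        line, n = redact_pans(line)
        stats["pan"] += n
        speaker = SPEAKER.match(line)
        who = speaker.group(1) if speaker else ""
        if expect_cvv and who == "CUSTOMER":
            line, n = SHORT_NUMBER.subn("[CVV REMOVED]", line)  # a CVV may never be stored
            stats["cvv"] += n
            expect_cvv = False
        if who == "AGENT" and CVV_PROMPT.search(line):
            expect_cvv = True  # the next customer line is expected to contain the CVV
        out.append(line)
    return out, stats


# Constructed transcript; 4111 1111 1111 1111 is a well-known test card number
TRANSCRIPT = [
    "[00:00:05] AGENT: Thanks for calling, may I have your order number?",
    "[00:00:12] CUSTOMER: It's 1234567890123.",
    "[00:00:20] CUSTOMER: The card is 4111 1111 1111 1111, expiry 12/26.",
    "[00:00:31] AGENT: And the security code on the back?",
    "[00:00:34] CUSTOMER: 737.",
]

if __name__ == "__main__":
    redacted, stats = redact_transcript(TRANSCRIPT)
    print("\n".join(redacted))
    print(stats)
```

Two caveats a production redactor has to handle beyond this sketch: a valid PAN immediately followed by another digit run is swallowed into one longer, Luhn-invalid match and would pass through unredacted, so a real implementation should retry shorter windows; and speech-to-text output frequently spells numbers as words, which this digit-based matcher does not see.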
Network Security: It’s also crucial to make sure that the complete network infrastructure follows PCI standards. This begins with a well-functioning firewall and router and internal processes that add extra levels of security. All communication from unsecured networks and hosts should be controlled, and no network component carrying cardholder data should have direct access to the Internet.
Segment Your Network: If your organization receives payment card information or other sensitive data through a contact center, one of the best PCI compliance strategies you can implement is network segmentation. It reduces the scope, the controls to enforce, and the overall time required to assess that part of your network. Segmentation reduces PCI scope by placing the systems that handle cardholder data on separate networks with different levels of access, so you can limit which parts of the network can touch cardholder data and which employees can reach it. In a flat network with no segmentation, any employee or individual with access to the organization's network could potentially reach all of the company's data, which is a significant security risk.
Role-Based Security: Role-based access should be used in a contact center environment to limit access to sensitive data and ensure that employees can only reach what they need to perform their jobs. For example, a sales representative can view customer details but cannot update or delete them, and a team supervisor can see the performance of their own team but not that of other teams in the same call center or project.
Physical Security Considerations: In addition to role-based security, contact centers should also consider the points at which any personnel comes into contact with data to ensure appropriate security and compliance. Therefore, access to sensitive customer and payment data should be restricted. Make sure all of your access passwords are secure and that you change them frequently.
PCI Compliance Documentation: Any organization that stores, processes, and transmits cardholder data must meet PCI compliance regulations. You must create all necessary policies, procedures, forms, checklists, templates, and other supporting materials for call centers and make sure you know all the rules.
Use Whiteboards Instead of Pen and Paper: Having agents use whiteboards instead of pen and paper is one of the simplest ways to maintain PCI compliance, because it limits the physical storage of customer details. Be sure to follow a set of whiteboard rules, such as ensuring a board cannot be removed from the agent's desk and that boards are wiped regularly.
Ban Cell Phones in the Call Center: Another simple and sometimes overlooked step is to ban cell phones in the call center. You can eliminate the danger of important call center information being leaked to an agent’s personal device by taking this action.
Prohibit Personal Items and Bags: Personal belongings and bags should be prohibited during working sessions. Agents are also advised to go through security checks when entering the building.
Encrypt Sensitive Data: Encryption is an accepted best practice for storing sensitive business data, and for PCI compliance it is essentially a requirement. PCI requirements specify that cardholder information must be stored using strong encryption with key management processes and procedures. Remember too that PCI DSS Requirement 3 states that no CVV code may be stored. If the business needs other cardholder information, such as name, account number, and expiration date, you may retain it as long as you meet a set of conditions on encryption level and key management. PCI compliance requires strong encryption with a minimum key strength of 256 bits. For key management, the best practice is that the organization storing the cardholder data does not have access to the key; if decryption is required, there should be a documented set of processes covering key distribution, storage, and named custodians.
Consistently Enforce PCI DSS Compliance: A common trap call centers fall into is treating PCI DSS compliance as an annual exercise. This approach leads to problems and compliance gaps. Instead, PCI DSS compliance should be viewed as an ongoing process, and administrators must ensure that PCI DSS controls are applied consistently.
Train Your Employees: PCI DSS compliance should be part of staff training. Security awareness training is required under PCI DSS Requirement 12.6, which requires organizations to establish and implement a formal security awareness program. It ensures that employees understand their responsibilities in helping your organization become or remain PCI compliant. Training should be carried out annually and include a verification method, and it should be ongoing for representatives who exhibit risky behaviors that lead to compliance failures. Managers should talk to underperforming agents and help them stay aligned at all times.
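The three rules in the paragraph above (no CVV stored, only the last four digits visible, key held outside the storing organization) map onto a small amount of code. The following is an added example, not code from the article or any vendor; it assumes the `cryptography` package is installed, and its `KeyCustodian` class stands in for a separate key-management service or HSM that in a real deployment would run out of process under named custodians. The store refuses any record carrying sensitive authentication data, keeps only the last four digits in the clear, encrypts the PAN with AES-256-GCM using the record id as authenticated data so a ciphertext cannot be moved between rows, and routes every decryption through an attributed audit entry.

```python
"""Storing cardholder data under a key the storing service never holds.

Constructed example (not any vendor's product): assumes the `cryptography`
package is installed. KeyCustodian stands in for a separate key-management
service or HSM; in a real deployment it would run out of process.
"""
import os
import secrets
from dataclasses import dataclass

from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Sensitive authentication data that PCI DSS Requirement 3 says must never be stored
FORBIDDEN_FIELDS = {"cvv", "cvv2", "cvc", "cvc2", "cid", "pin", "pin_block", "track1", "track2"}


class KeyCustodian:
    """Owns the 256-bit data key; callers get encrypt/decrypt, never the key itself."""

    def __init__(self):
        self._key = AESGCM.generate_key(bit_length=256)
        self.audit = []  # every decryption is attributed to a requester and a purpose

    def encrypt(self, plaintext, aad):
        nonce = os.urandom(12)  # fresh per message, prepended to the ciphertext
        return nonce + AESGCM(self._key).encrypt(nonce, plaintext, aad)

    def decrypt(self, blob, aad, requester, purpose):
        self.audit.append({"requester": requester, "purpose": purpose})
        return AESGCM(self._key).decrypt(blob[:12], blob[12:], aad)


@dataclass
class StoredCard:
    record_id: str
    last4: str      # the only PAN digits visible to staff
    expiry: str
    name: str
    ciphertext: bytes


class CardStore:
    """Merchant-side store: keeps ciphertext and last4, never the key or a CVV."""

    def __init__(self, custodian):
        self.custodian = custodian
        self.rows = {}

    def store(self, record):
        forbidden = FORBIDDEN_FIELDS & {k.lower() for k in record}
        if forbidden:
            raise ValueError(f"refusing to store sensitive authentication data: {sorted(forbidden)}")
        pan = record["pan"]
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("malformed PAN")
        record_id = secrets.token_hex(8)
        # The record id is authenticated data, so a blob cannot be moved to another row
        blob = self.custodian.encrypt(pan.encode(), record_id.encode())
        row = StoredCard(record_id, pan[-4:], record["expiry"], record["name"], blob)
        self.rows[record_id] = row
        return row

    def reveal_pan(self, record_id, requester, purpose):
        """Attributed decryption path for the rare cases that need the full PAN."""
        row = self.rows[record_id]
        return self.custodian.decrypt(row.ciphertext, record_id.encode(), requester, purpose).decode()


if __name__ == "__main__":
    store = CardStore(KeyCustodian())
    # Constructed record; 4111111111111111 is a well-known test card number
    row = store.store({"pan": "4111111111111111", "expiry": "12/26", "name": "A. Customer"})
    print(row.last4, len(row.ciphertext))
    print(store.reveal_pan(row.record_id, "refund-service", "refund for constructed order 42"))
```

Because the key lives only inside `KeyCustodian`, a dump of `CardStore.rows` yields ciphertexts and last-four digits and nothing else; the audit list is where the "documented set of processes" for decryption would hook in.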