Steps to achieve Call Center PCI Compliance

As the central hub for customer engagement, Call Centers collect, process, and store a wide variety of personally identifiable information (PII) including payment card data, addresses, birth dates, bank account details, social security numbers, medical information and much more. As a result, most Call Centers fall under the scope of compliance for the Payment Card Industry’s Data Security Standard (PCI DSS), which requires that this sensitive data be protected through stringent IT security controls.

PCI compliance for Call Centers is especially critical to maintain customer trust and business reputation. After all, what company would want to do business with a call center that compromises customer data, ends up in the news or on the wrong side of a regulator?

Risk can be particularly high at Call Centers. That’s because large volumes of cardholder data (e.g. card numbers, CVV codes, expiration dates) are gathered nearly round-the-clock and commonly shared across multiple businesses and contact center channels. So, it’s important for these companies to assess and ensure their PCI compliance rigorously and continuously.

Most Call Centers must prove their compliance annually by undergoing an audit by a certified PCI Qualified Security Assessor (PCI QSA) firm such as ERMProtect. Qualified Security Assessor (QSA) companies and their professionals are independent security organizations that have been qualified by the PCI Security Standards Council to validate an entity's adherence to PCI DSS. Call centers that meet the PCI DSS standards following their annual audit are issued a Report on Compliance (commonly referred to as a ROC), which is an attestation by the PCI QSA firm.

To help Call Centers in this endeavor, we are presenting some tips to help achieve and ease the path to PCI QSA certification.

Reduce scope by not recording credit card information

According to the PCI standards, recorded calls are subject to the same rules as any other method of capturing and storing customer card authentication data. Some recording systems provide call center agents with a button, allowing them to pause the recording when credit card numbers are spoken, while others integrate with the CRM system to automatically pause the recording based on actions taken by the agent. It is best if call recording is automatically muted when account numbers, security codes, and other sensitive information are spoken. Companies that prevent payment information from being recorded reduce their scope, because recordings that contain no card data are not in scope for a PCI audit.

Ensure network controls

It is critical to ensure an entire network system is compliant with PCI guidelines. This begins with an effective firewall and router, as well as internal processes that provide additional layers of protection. All traffic from unsafe networks and hosts should be restricted, and there should never be any direct access between any network component containing cardholder data and the Internet.

Consider network segmentation to reduce scope

One of the best PCI compliance strategies companies can employ is network segmentation. This strategy will reduce the scope, applicable controls, and overall time required for assessing this segment of your network. Segmentation reduces scope by breaking up a cardholder data environment into separate networks to allow for varying levels of data access, meaning a company can limit which parts of its network touch cardholder data and mitigate risk by restricting which employees can access the information.

Establish access controls

In any call center environment, agent and supervisor desktops should have role-based access to limit the number of staff exposed to sensitive data and ensure individual staff members only have access to what they need to do their job. For example, a sales representative might be able to view customer details, but they may not be able to update or delete them. A team supervisor may be able to view the performance of the team that they are assigned to, but they should not be able to view the performance of other teams within the same Call Center or project.
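The two rules in that paragraph (a sales representative may view but not change customer details; a supervisor may view performance data only for their own team) are a small default-deny policy with one team-scoping rule. The Go code below is an added example, not code from the article or from ERMProtect; the role names, resource kinds and the `Authorize` function are assumptions chosen for illustration.

```go
package main

import "fmt"

// Action is what a staff member is trying to do.
type Action string

const (
	View   Action = "view"
	Update Action = "update"
	Delete Action = "delete"
)

// Resource is the object being accessed; Team is the owning team and is
// used to scope supervisor access.
type Resource struct {
	Kind string // "customer" or "team_performance" (hypothetical kinds)
	Team string
}

// Principal is the staff member making the request.
type Principal struct {
	ID   string
	Role string // "sales_rep" or "supervisor" (hypothetical roles)
	Team string
}

// policy lists, per role, the actions allowed on each resource kind.
// Anything not listed is denied (default deny).
var policy = map[string]map[string][]Action{
	"sales_rep":  {"customer": {View}},
	"supervisor": {"team_performance": {View}},
}

// Authorize returns true only when the role grants the action on that
// resource kind and, for team-scoped data, the team matches.
func Authorize(p Principal, a Action, r Resource) bool {
	allowed, ok := policy[p.Role][r.Kind]
	if !ok {
		return false
	}
	permitted := false
	for _, x := range allowed {
		if x == a {
			permitted = true
			break
		}
	}
	if !permitted {
		return false
	}
	// Team-scoped data: a supervisor sees only their own team's numbers.
	if r.Kind == "team_performance" && r.Team != p.Team {
		return false
	}
	return true
}

func main() {
	rep := Principal{ID: "a1", Role: "sales_rep", Team: "blue"}
	sup := Principal{ID: "s1", Role: "supervisor", Team: "blue"}
	fmt.Println(Authorize(rep, View, Resource{Kind: "customer"}))                 // true
	fmt.Println(Authorize(rep, Delete, Resource{Kind: "customer"}))               // false
	fmt.Println(Authorize(sup, View, Resource{Kind: "team_performance", Team: "blue"})) // true
	fmt.Println(Authorize(sup, View, Resource{Kind: "team_performance", Team: "red"}))  // false
}
```

Every decision flows through one function, which is what makes the policy auditable: a QSA can read the table and the scoping rule instead of tracing permission checks scattered through the application.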

Limit access to credit card information

In addition to role-based security, Call Centers should also consider the points at which staff come into contact with data to ensure proper security and compliance. Access to sensitive customer and payment data should be restricted, including physical access, e.g., limiting access to key areas of the building. Personal items or bags should be prohibited at the workstation, and it is recommended that agents pass through a security check when entering the building.

Establish strong passwords

Companies should also make sure that all passwords are strong, e.g., a mix of numbers and lower- and upper-case characters, and that they are changed regularly.

Create policies and procedures

Call Centers that deal in credit card data should have a detailed PCI compliance process policy manual. Companies need to create clear and easy-to-follow policies and procedures. Because PCI compliance involves everyone in the Call Center as well as many systems and technologies, agents must be trained on PCI compliance policies and procedures. These best practices should be reviewed, adjusted, and documented annually to address new threats. Such policies include firewall policy, incident and breach response, business continuity policy, agent computer and mobile device policy, information security policy, and so forth.

Ban pen and paper

One of the easiest ways to stay PCI compliant is to stop agents from using pen and paper and use a whiteboard instead. This step will limit the physical storage of customer details. Just be sure to maintain a number of whiteboard rules, such as ensuring that boards cannot be removed from an agent’s desk and that they are wiped regularly.

Ban mobile devices

Another really straightforward and sometimes overlooked step is to ban mobile phones in the call center. By taking this step you can eliminate any potential for sensitive call center information being leaked onto an agent’s personal device.

Encrypt credit card information

While the PCI regulations do not mention encryption explicitly, they do say any cardholder information should be stored using “strong cryptography with associated key-management processes and procedures.” It is worth remembering PCI Requirement 3 states that no CVV code may be stored at all. However, if the business requires other cardholder information like name, account number, and expiry date, they are allowed to store it so long as they meet a number of conditions concerning the level of encryption and key management. PCI compliance requires a strong level of encryption with a minimum key strength of 256 bits. In terms of key management, a PCI compliance best practice is that the company storing the cardholder data should not have access to the key. If decryption is essential, there must be a documented set of processes in place that covers things like key distribution, storage, and named custodians.
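To make the storage rules in that paragraph concrete: the store may keep name, account number and expiry under strong encryption, must refuse to keep the CVV at all, and should receive its key from a separate custodian rather than holding it. The Go program below is an added example, not code from the article or from ERMProtect, using AES-256-GCM from the Go standard library (a 32-byte key, matching the 256-bit strength the article names). The `CardRecord` type, the `EncryptCardRecord`/`DecryptCardRecord` functions and the sample record are assumptions for illustration, and the test PAN is a well-known test number, not a real card.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// CardRecord is the data the business is permitted to retain. CVV is on the
// type only so that the store can detect and refuse it.
type CardRecord struct {
	Name   string `json:"name"`
	PAN    string `json:"pan"`
	Expiry string `json:"expiry"`
	CVV    string `json:"cvv,omitempty"`
}

var (
	ErrCVVNotStorable = errors.New("CVV must never be stored")
	ErrKeySize        = errors.New("key must be 32 bytes (AES-256)")
)

// GenerateKey produces a fresh 256-bit key; in practice this lives with the
// key custodian, not with the application storing the records.
func GenerateKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

// EncryptCardRecord seals the record with AES-256-GCM. The random nonce is
// prepended to the ciphertext so the blob is self-describing.
func EncryptCardRecord(key []byte, rec CardRecord) ([]byte, error) {
	if rec.CVV != "" {
		return nil, ErrCVVNotStorable
	}
	if len(key) != 32 {
		return nil, ErrKeySize
	}
	plain, err := json.Marshal(rec)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plain, nil), nil
}

// DecryptCardRecord opens a blob produced by EncryptCardRecord; GCM's
// authentication tag makes any tampering with the stored blob an error.
func DecryptCardRecord(key, blob []byte) (CardRecord, error) {
	var rec CardRecord
	if len(key) != 32 {
		return rec, ErrKeySize
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return rec, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return rec, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns {
		return rec, errors.New("ciphertext too short")
	}
	plain, err := gcm.Open(nil, blob[:ns], blob[ns:], nil)
	if err != nil {
		return rec, err
	}
	err = json.Unmarshal(plain, &rec)
	return rec, err
}

func main() {
	key, _ := GenerateKey() // constructed for the demo; normally fetched from the custodian
	rec := CardRecord{Name: "Test Customer", PAN: "4111111111111111", Expiry: "12/26"}
	blob, err := EncryptCardRecord(key, rec)
	fmt.Println(len(blob) > 0, err)
	_, err = EncryptCardRecord(key, CardRecord{PAN: "4111111111111111", CVV: "123"})
	fmt.Println(err) // CVV must never be stored
}
```

The decryption path is the one that needs the documented process the article mentions: who may call `DecryptCardRecord`, how the key reaches them, and where that access is logged.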

Establish periodic training

It is important to train employees on policies and procedures. PCI compliance should be built into the agent training process, and ongoing training and coaching should be provided during the year. Refresher courses can be useful to retrain agents or educate employees on any new company policies. It is important to instill the basics, including locking the computer when leaving a workstation, frequently changing passwords, and being aware of surroundings.

Continuously Enforce PCI

Many Call Centers treat PCI compliance as an annual exercise. This approach can lead to problems and potential compliance failure. Instead, PCI DSS compliance should be looked at as an ongoing process. Compliance is not a project you can complete and never revisit. Compliance needs to be updated on an ongoing basis, enforced continuously, and reassessed on an annual basis.

Consider a PCI QSA Readiness Assessment

At ERMProtect, we recommend organizations undergo a readiness assessment before the actual audit. This will expedite the certification process and help ensure a successful result.

Our QSAs possess one or more industry-recognized professional certifications in Information Security (e.g. Certified Information System Security Professional (CISSP), Certified Information Security Manager (CISM)) and/or Security Auditing (e.g. Certified Information Systems Auditor (CISA)). These designations demonstrate a commitment to professional standards and continuing education that keeps our professionals at the forefront of an ever-changing security landscape.

We are here to assist!
