While ransomware attacks tend to make headlines, payment card data breaches remain a serious threat. Fast food chains Checkers and Rally’s recently found malware in their point-of-sale (POS) systems that was designed to steal payment card information. Earl Enterprises, parent company of Buca di Beppo, Earl of Sandwich and Planet Hollywood, reported a data breach that likely exposed customers’ names, payment card numbers and expiration dates.
The Payment Card Industry (PCI) Data Security Standard (DSS) provides organizations with a set of requirements for protecting payment card data. Any organization that stores, processes or transmits payment card data is obligated, through its contracts with the card brands and its acquiring bank, to follow these rules. Those that don't comply can face fines and higher transaction fees, and after a data breach they can also be held liable for fraud losses and card reissuance costs.
However, the 2018 Payment Security Report from Verizon found that just 52.5 percent of organizations were fully compliant — down from 55.4 percent the previous year. Many non-compliant organizations were found to lack fundamental security controls that would materially affect their ability to prevent a data breach. The contact center can be a source of noncompliance if payment card data is not adequately protected.
Security Controls Applicable to the Contact Center
As the focal point for customer interactions, the contact center typically contains payment card data and other personally identifiable information, making it in scope for PCI DSS. Because contact centers involve a complex interplay of technologies and processes, several of the PCI DSS control objectives apply. These include:
- Build and Maintain a Secure Network. Contact centers based on IP telephony platforms route calls over the data network. Firewalls must control traffic into and out of the cardholder data environment, and the network should be segmented so that call-handling and payment systems are isolated from untrusted systems. Good segmentation also shrinks the PCI DSS scope, because systems that cannot reach cardholder data need not be assessed against every requirement.
- Implement Strong Access Control Measures. PCI DSS requires that access to payment card data be restricted to a "need-to-know" basis. Each agent and supervisor should have a unique login to the contact center system, with role-based access controls; shared or generic accounts must not be used.
- Protect Cardholder Data. Organizations should use encryption, truncation, hashing and other techniques to render payment card data unreadable wherever it is stored in contact center, CRM and other systems. Truncation should display no more than the first six and last four digits of the card number. Sensitive authentication data such as the CVV/CVC security code must never be stored after authorization, even in encrypted form.
- Regularly Monitor and Test Networks. Organizations should log all access to cardholder data and to the systems that contain it, including contact center platforms and call recording systems, retain those logs, and review them regularly so that misuse can be detected and investigated.
A special set of problems arises when payment card data is collected manually over the phone. Contact center agents may write card numbers down, key them into free-text notes or CRM fields, or share them over instant messaging. Call recording, screen capture and quality monitoring systems may also capture card data, including the security code, which must never be stored at all. None of these practices meets the PCI requirement to protect stored cardholder data, and each one pulls the system it touches (the notes field, the chat platform, the recording archive) into PCI scope.
To reduce the risk of noncompliance, organizations should consider implementing a secure interactive voice response (IVR) system that lets the customer enter the card data with the phone keypad, or speak it, while remaining in voice contact with the agent. The keypad tones (or spoken digits) are masked or suppressed before they reach the agent's headset and the call recorder, so the agent never sees or hears the full number and the recording contains no card data. This keeps the agent desktop and the recording platform out of the path of cardholder data and reduces their PCI DSS scope.
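Even with a secure IVR in place, card numbers still leak into channels the IVR does not cover: chat transcripts, agent notes, internal instant messages. As an added example that is not code from the original article or from Cerium Networks, the following Python scanner finds Luhn-valid 13 to 19 digit card numbers in free text, replaces each with the PCI DSS truncated form (first six and last four digits), and returns an audit list of what it redacted on which line so the event can be logged. The transcript, speaker labels and timestamps are constructed for the example; the card numbers are the public test numbers that pass the Luhn check but belong to no cardholder.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer run of digits. Deliberately broad;
# the Luhn check is what separates real card numbers from order numbers,
# phone numbers and timestamps.
_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Mod-10 (Luhn) checksum that every real card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Keep the first six and last four digits (the PCI DSS truncation
    format) and mask everything in between."""
    masked = len(pan) - keep_first - keep_last
    return pan[:keep_first] + "*" * masked + pan[-keep_last:]


def redact_line(line: str):
    """Return (redacted_line, truncated_pans_found).
    Digit runs that fail the Luhn check are left untouched."""
    found = []

    def _replace(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)  # order number, phone number, etc.
        truncated = truncate_pan(digits)
        found.append(truncated)
        return truncated

    return _CANDIDATE.sub(_replace, line), found


def scan_transcript(lines):
    """Redact every line of a transcript. Returns the clean lines and an
    audit list of (line_number, truncated_pan) for the security log."""
    clean, audit = [], []
    for no, line in enumerate(lines, start=1):
        redacted, found = redact_line(line)
        clean.append(redacted)
        audit.extend((no, t) for t in found)
    return clean, audit


# Constructed sample chat transcript (not real data). The card numbers are
# the public test numbers for Visa, American Express and Mastercard; the
# "order" number on line 3 is 16 digits but fails the Luhn check.
SAMPLE_TRANSCRIPT = [
    "[10:22:05] agent: sure, go ahead and read me the number",
    "[10:22:41] customer: it's 4111 1111 1111 1111, exp 12/26",
    "[10:23:02] agent: thanks, order 1234567890123456 is confirmed",
    "[10:23:30] customer: the amex is 3782 822463 10005",
    "[10:23:55] customer: or use 5555-5555-5555-4444 instead",
]

if __name__ == "__main__":
    clean_lines, audit_log = scan_transcript(SAMPLE_TRANSCRIPT)
    print("\n".join(clean_lines))
    for no, truncated in audit_log:
        print(f"line {no}: PAN redacted -> {truncated}")
```

The scanner checks the whole digit run rather than sliding a window across it; a window approach catches more unusual layouts but also produces many false positives, because roughly one in ten random digit strings passes the Luhn check. Run it over chat exports or note fields before they are archived, and alert on any non-empty audit list, since each hit is an agent or customer pushing a card number through a channel the IVR was meant to keep it out of.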
Organizations should also train agents to recognize social engineering techniques known as "voice phishing" or "vishing." Fraudsters use these techniques to obtain payment card numbers and other account information from busy agents who are simply trying to be helpful. Agents should never read a full card number back to a caller, and identity verification procedures should be completed before any account details are released.
Finally, organizations should consider PCI requirements before introducing new channels such as web chat, instant messaging, video conferencing and artificial intelligence tools. Any channel that can carry a card number is in scope, and security controls should be updated as the contact center environment changes.
With extensive experience in contact center platforms and a comprehensive suite of security and compliance solutions, Cerium Networks is uniquely qualified to help ensure your contact center is PCI compliant. Let us help you conduct a risk assessment and implement policies, procedures and controls that will reduce the risk of a payment card data breach.