Navigating the Payment Card Industry Data Security Standard (DSS) requirements in the contact center can be daunting, but it can be much more manageable with the guidance of an outside expert. To help share some useful insights on PCI DSS compliance, we spoke with Bill Franklin, Director Payments at Coalfire, for the next installment of our “QSA Q&A” blog series.
A Qualified Security Assessor (QSA) with more than 25 years of experience in the information technology industry, Bill is certified in providing guidance on IT governance, management and security. He has extensive expertise in IT regulatory security requirements and IT control frameworks and standards across a multitude of industries, including banking and finance, higher education, state and municipal government, retail, healthcare, software service providers and contact center services.
Semafone: Hi Bill. Thanks for joining us today. First off, can you clarify what types of businesses must be PCI DSS compliant?
Bill: Simply put, any entity (whether a merchant or a service provider) who is responsible for and/or has access to Cardholder Data (CHD) or the Cardholder Data Environment (CDE), must comply with the PCI DSS. This includes organizations who process, transmit or store CHD (electronically or on hardcopy), and organizations who can impact the security of CHD and/or the CDE.
S: What should businesses know about PCI DSS reporting requirements?
B: It is always up to the acquirer or merchant bank to determine how an entity reports compliance since they are responsible for the compliance of the merchants in their portfolio. The card brands (AMEX, Discover, JCB, Mastercard, Visa) issue guidance for reporting requirements based levels which are determined by the number of transactions a merchant or service provider handles. While each card brand has different reporting requirements for each level, there are some general guidelines.
S: Can you elaborate?
B: For example, Level 1 merchants with over 6 million transactions are required to complete on-site assessments, while self-assessments are sufficient for Level 2, 3 and 4 merchants with fewer than 6 million transactions. Similarly, Level 1 service providers with over 300,000 transactions are required to conduct on-site assessments, whereas Level 2 service providers with fewer than 300,000 transactions may conduct self-assessments.
S: What is the difference between an on-site and a self-assessment?
B: An on-site assessment requires an independent-certified Qualified Security Assessor Company (QSAC) to perform the PCI DSS Assessment to determine compliance. The QSAC will assign a QSA to perform the assessment. However, if a merchant has Independent Security Assessor (ISA) on staff, the ISA can perform the assessment. In both cases, the QSA or ISA will attest to the compliance status along with the merchant or service provider.
On the other hand, a self-assessment does not require a QSAC or ISA to perform the PCI DSS assessment. The business can complete the Self-Assessment Questionnaire (SAQ) and attest to its compliance status. For a merchant, the acquirer or merchant bank will determine which of seven SAQs they must complete depending on how they handle CHD. For a service provider, entities can only use an SAQ D, which is the full set of requirements for a PCI DSS assessment.
S: In your opinion, what are the biggest repercussions of non-compliance with PCI DSS?
B: The biggest repercussion of non-compliance with PCI DSS is being prohibited from accepting a credit card brand. If your business accepts Visa for a large percentage of its revenue, and Visa no longer allows you to accept its cards, you could go out of business. However, incurring fines from the acquirer or merchant bank is the most common consequence of non-compliance. It is up to the acquirer or merchant bank to set the amount of the fine, and I have seen companies fined $5,000 per month on the low end, and up to $25,000 per month on the high end. These amounts could increase based on the extent of the non-compliance situation.
A repercussion that is not often considered is the increased risk of a data breach. While compliance does not equal security, having controls in place that meet PCI DSS requirements for protecting CHD lowers your risk of a breach. If a breach should occur and you are not compliant, your fines and potential liability could be much higher. Maintaining PCI DSS compliance demonstrates a due diligence regarding the protection of CHD and could lower liability and fines.
S: In a typical contact center environment, what is in scope for PCI DSS? Are there areas that the business may not even realize are in scope?
B: Typical areas of compliance for the contact center environment where CHD is processed include: physical security of contact center workstations and network equipment; workstation configuration security; workstation updating and patching; security awareness training for contact center agents and customer service representatives (CSRs); hardcopy CHD in written form by contact center agents/CSRs; security of recorded spoken CHD; and spoken CHD transmitted over the network via VOIP.
Yet, many contact centers do not realize that recordings of calls that contain CHD and the transmission of spoken CHD across their network via VOIP are in scope. This is especially problematic for those contact centers who require callers to verbalize card data.
S: Why are call recordings especially challenging when it comes to PCI DSS compliance?
B: Call recordings are stored in audio files on a file server. When these recordings contain CHD, they must be protected, which usually means encrypting them and applying all the associated controls. In addition, the file server(s) that stores the recordings is in scope for PCI DSS compliance and must meet appropriate requirements such as configuration hardening, patching, updates, access control, monitoring and logging.
Further, when sending a recorded call that contains CHD to a client via email, FTP or any other transmission over the open Internet, the file must be protected. In addition, any employee within the call center who has access and/or listens to the recording containing the CHD is now in scope and must meet applicable PCI DSS requirements.
S: What is your best advice for complying with PCI DSS and recording calls (whether for regulatory, quality assurance or training purposes).
B: As with any CHD – whether it resides electronically in a database, on a call recording, or in hardcopy form – the best solution is not to store it in the first place. Even if the CHD is not recorded, it is best to prevent the contact center agent from hearing the information, which could result in fraudulent activity. In fact, there is no requirement in the PCI DSS to store CHD. Also, there are very few, if any, reasons to store CHD, as processors provide solutions for dispute resolution and recurring transactions without the need to store the data.
S: Semafone frequently runs into companies who opt to put off their compliance projects and initiatives. If PCI DSS compliance is so important, why do some companies delay?
B: There are many reasons why entities delay PCI DSS compliance including costs, lack of resources and conflicts with other company initiatives. In the case of a merchant, if an acquirer or merchant bank has not asked the business to report its compliance, it may not even realize the need to be compliant. Or, since there is no pressure to report compliance, the merchant may put it off until it is notified to do so. In the case of a service provider, if clients for whom they are handling and/or protecting CHD do not ask for proof of PCI DSS compliance, the service provider may delay until they are required by a key client to provide proof.
In some cases, a merchant or service provider may believe their security controls are in place and there isn’t a need to go through a PCI DSS assessment. Ultimately, this is a risk-based and business decision for any company.
S: Thank you, Bill. We appreciate your time!
To hear more from Bill on PCI DSS compliance and call recordings, check out our on-demand webinar, “PCI DSS Compliance in the Call Center: The Perils & Pitfalls of Pause & Resume Call Recording,” here.