Contact and call center environments can create a security and compliance nightmare for organizations subject to the Payment Card Industry Data Security Standard (PCI DSS). Although accepting payments via multiple channels in order to maintain an omnichannel presence is an integral part of business operations for many merchants—both in terms of maximizing revenue and offering the best customer experience possible—it greatly complicates the already complex task of compliantly protecting a cardholder data environment. Because call centers accept manually entered payments via channel-specific methods, such as dual-tone multifrequency (DTMF) keypad entry and interactive voice response (IVR), they not only bring additional channels into PCI scope but also bring the individual employees who handle those payments into scope.
Contact centers continue to be a preferred payment platform for customers who want to talk to a live agent. Typically, contact centers collect both cardholder data and personal data to complete the transactions. As these centers evolve in how they serve their customers, they also evolve in how they secure the sensitive data that enters their environments. However, this evolution toward easier use and greater flexibility can also expand your organization’s attack surface and potential for a data breach. Further, you also have to contend with the compliance concerns mentioned previously.
Here are a few ways to secure payment card information collected at call centers in a compliant manner in accordance with the PCI DSS.
If your organization ingests payment card information or other sensitive data via a contact center, one of the best strategies you can employ to achieve PCI compliance is network segmentation. This strategy will reduce the scope, applicable controls, and overall time required for assessing this segment of your network.
Segmentation reduces scope by breaking up a cardholder data environment into separate networks to allow for varying levels of data access, meaning a company can limit which parts of its network touch cardholder data and mitigate risk by restricting which employees can access the information. In a flat network—a network without segmentation—any employee or individual with access to an entity’s network would potentially be able to access all data a company possesses. This would obviously pose a tremendous security risk.
Common methods of network segmentation include firewalls, virtual local area networks (VLANs) and routers, but the viability of these solutions can be challenged by an increasingly mobile environment that enables employees to access sensitive information from multiple devices and locations. As such, the process of segmentation has become increasingly complex and difficult—read: expensive.
Point-to-Point Encryption (P2PE)
A commonly used solution that we implement for our own customers leverages PIN pad devices that support Point-to-Point Encryption (P2PE). These PIN pad devices (from Magtek, Ingenico, Verifone, ID Tech, and others) connect to the USB port on a desktop computer and have a keypad for entering payment card data. The TokenEx P2PE service integrates with contact center applications in conjunction with the encryption PIN pad device, reading the encrypted PAN as it is entered and transmitting the encrypted data directly to the TokenEx Cloud Security Platform. Once the encrypted cardholder data reaches TokenEx, it is decrypted, tokenized, and stored offsite. Only the token is returned to the contact center for additional processing and storage, removing the sensitive cardholder data from an organization’s systems and that portion of the cardholder data environment from the scope of PCI compliance.
Similar to segmentation, data minimization helps reduce the scope of PCI compliance and the number of controls that apply. This practice is sometimes also referred to as descoping. It might seem obvious that the easiest way to minimize your data-related compliance obligations is not to store sensitive data in the first place, but for most organizations, this is impossible. You have to ingest and keep payment card information and personal data on file to accept payments, secure reservations, track rewards, or perform other tasks necessary for business. However, this inevitability doesn’t mean you can’t make a concerted effort to map the data in your systems and evaluate which types of data you absolutely must store and which can be scrubbed from your network. Any cardholder data that is not stored in your internal systems does not fall under the umbrella of PCI compliance.
Security awareness training is an obligation under Requirement 12.6 of the PCI DSS, which requires organizations to create and implement a formal training program for security awareness. This familiarizes your employees with their individual responsibilities for helping your organization become or remain PCI compliant. The program is designed to increase employees’ working knowledge and awareness of PCI requirements so that they can handle cardholder data appropriately if they encounter it in the course of their everyday work. Training must be repeated annually and must include a method of verification that can be provided to assessors to confirm the course took place.
Another effective tactic for addressing the growing compliance concerns surrounding call center environments is to deploy cloud tokenization. Cloud PCI tokenization can secure and desensitize any data element while minimizing risk, reducing the scope of PCI compliance, preserving the business utility of the original data, and virtually eliminating the risk of data theft.
Tokenization replaces the original, sensitive data with a nonsensitive placeholder called a token. This token can retain portions of the original data—such as the first six and/or last four digits of a credit card number—while still devaluing it by rendering it undecipherable and irreversible. The original, sensitive data is then stored in a secure cloud vault outside of the organization’s call center environment, removing that portion of the organization’s internal systems from the scope of PCI compliance. In the event that a breach of that environment does occur, the exposed tokens will be worthless to hackers, and the sensitive data will remain secured safely offsite. With cloud tokenization, sensitive data never enters your environment, which helps you achieve maximum risk reduction.
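To make the tokenization described above concrete, here is an added illustration, not TokenEx's implementation or any product's code: a vault-backed tokenizer that keeps the first six and last four digits, draws the middle digits at random so the token has no reversible relationship to the PAN, and holds the PAN-to-token mapping only inside the vault object (which in practice would live outside the call center environment). Rejecting tokens that pass the Luhn check is an assumed defensive choice, and the card number 4111 1111 1111 1111 is a constructed sample.

```python
import re
import secrets


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Vault-backed tokenizer (constructed illustration, not a vendor's implementation).

    The token keeps the first six (BIN) and last four digits so downstream systems
    can still route and display "ending in 1111"; the middle digits are random, so
    the token cannot be reversed into the PAN without the vault's lookup table.
    """

    def __init__(self) -> None:
        self._pan_to_token: dict[str, str] = {}
        self._token_to_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        pan = re.sub(r"[\s-]", "", pan)      # agents often type spaces or dashes
        if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_valid(pan)):
            raise ValueError("input is not a well-formed PAN")
        if pan in self._pan_to_token:         # same card -> same token (repeat customers)
            return self._pan_to_token[pan]
        head, tail, middle_len = pan[:6], pan[-4:], len(pan) - 10
        while True:
            middle = "".join(str(secrets.randbelow(10)) for _ in range(middle_len))
            token = head + middle + tail
            # Tokens are unique and deliberately fail Luhn, so a token can never be
            # confused with, or accidentally processed as, a real card number.
            if token not in self._token_to_pan and not luhn_valid(token):
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only code with vault access can map a token back to the PAN."""
        return self._token_to_pan[token]
```

A system holding only `TokenVault.tokenize` output can still group transactions by card and show the last four digits, but a breach of that system yields nothing that the vault has not been asked to translate back.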
Reduce Your Scope
Ultimately, no matter which technology or method you choose for securing sensitive cardholder data to achieve PCI compliance, it is impossible to totally remove your environment from PCI scope. Even if you qualify for streamlined compliance checks such as an SAQ A, you are still responsible for ensuring your organization’s people, processes, and technology meet the requirements of the PCI DSS. However, by leveraging the tactics detailed above to move toward data minimization and maximum scope reduction, you can take the pain out of PCI compliance.