Securing card payments

It is often assumed by businesses that the Payment Card Industry Data Security Standard (PCI DSS) is something that only the retail sector needs to worry about, but this is far from the truth. All businesses that handle credit card data in any format – in shops and stores, online or even over the phone – need to be conscious of their responsibilities.

Utility providers depend heavily on contact centres which handle vast volumes of customer data, and this means they should be fully aware of the flow of personal information through their telephony, desktop and back-end fulfilment systems. PCI DSS compliance and safeguarding of customers' personal details must be a priority as they move forward.

As we head into a new decade, the threat of a data breach is greater than ever. PCI DSS compliance is still the most effective way utility providers can prevent this and is a great foundation towards meeting other data compliance requirements, such as GDPR (General Data Protection Regulation).

The standard lays out 12 main requirements covering how a business processes sensitive cardholder data. Together they form a logical checklist from which businesses can work to build good habits and achieve compliance.

The first part of the process is to accurately map out the flow of credit card data through the organisation. For contact centres, this will include spoken card details passing through IT networks and telephone platforms (including call recording systems), the contact centre agent desktop environment and back-end processing/CRM (customer relationship management) systems. This flow of card data is called the CDE (card data environment), and each individual item within it needs to be analysed to ensure it is as secure as possible.

Build and maintain a secure network

General IT security obviously applies to PCI DSS compliance and this includes installing and maintaining a firewall configuration to protect cardholder data. Businesses must always remove vendor-supplied default passwords, and ensure firewalls and network switches are fully patched to be running the latest firmware.

PCI DSS has strict rules on which items of credit card data can be stored and how this stored data must be protected. For instance, the three-digit security code on the back of a credit card cannot be stored post-authorisation: all traces must be removed from an organisation’s systems. It’s vital to protect stored cardholder data and encrypt the transmission of cardholder data across open, public networks so even if the worst happens and systems are hacked into, no data can be read.
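A practical way to check whether the CDE described above actually honours these storage rules is to scan the free-text fields where contact centre agents are most likely to have typed card details (CRM notes, ticket comments, call transcripts). The following is an added example, not code from the original article: it reports Luhn-valid card numbers (masked to first six and last four digits) and any adjacent security-code values in a constructed set of CRM notes. The regular expressions, field names and sample notes are assumptions; the card numbers are publicly documented test numbers, not real accounts.

```python
import re

# Constructed sample of CRM free-text notes as an agent might type them.
# The card numbers are well-known test PANs, not real accounts.
SAMPLE_NOTES = [
    "Customer paid by card 4111 1111 1111 1111 exp 12/26 cvv 123, ref 55821",
    "Called about meter reading, no payment taken.",
    "Card ending 4242 declined; retried with 5555-5555-5555-4444 sec code 999",
    "Account number 1234567890123456 is the electricity account, not a card.",
]

# 13-19 digits, optionally separated by single spaces or hyphens (assumed format).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# A 3-4 digit value introduced by a label such as "cvv" or "sec code" (assumed labels).
CVV_RE = re.compile(r"\b(?:cvv|cvc|cv2|sec(?:urity)? code)\D{0,3}(\d{3,4})\b", re.I)


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn check used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep at most the first six and last four digits, as PCI DSS allows for display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_note(note: str) -> dict:
    """Report masked Luhn-valid PANs and whether a security code is stored in one note."""
    pans = []
    for m in PAN_RE.finditer(note):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):   # drops account numbers etc.
            pans.append(mask_pan(digits))
    cvv_present = CVV_RE.search(note) is not None
    return {"pans": pans, "cvv_present": cvv_present, "note": note}


def scan_notes(notes) -> list:
    """Return only the notes that hold data PCI DSS says must not be stored in the clear."""
    return [r for r in (scan_note(n) for n in notes) if r["pans"] or r["cvv_present"]]
```

Any note the scan returns is a record that needs remediation: the security code must be purged entirely and the PAN either removed or rendered unreadable.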

Maintain a vulnerability programme

Organisations should ensure they have developed and continue to maintain secure systems and applications at all times, ensuring any vulnerabilities are patched as soon as possible.

Compliance with PCI DSS rules requires year-round adherence, including patching known software vulnerabilities within one month of an official patch being released by the manufacturer. Surprisingly, the Verizon Payment Security Report 2019 found that only 36.7 per cent of organisations actively maintained PCI DSS programmes throughout 2018, a drop of around 20 per cent on 2017 figures.

Employees should have access only to the data they need and this should be tightly controlled. Access to sensitive data, such as cardholder information, should be available only on a need-to-know basis. All system components should be secured using identity authentication and physical access to cardholder data needs to be restricted.

Regularly monitor and test networks

An organisation’s networks, security systems and processes should all be regularly tested to ensure they are as secure as possible.

These requirements were conceived to give businesses a solid overview of how they can go about protecting themselves and their customers, but the most fundamental place to start is to limit the amount of data that is handled in the first place. If a business doesn’t hold or process the data, it isn’t liable for its protection. So de-scoping contact centres from the requirements of PCI DSS should be a prime objective.

It is also a good idea for everyone within the organisation to understand PCI DSS and what comes with it – it should not be kept to a few senior management and IT faces. Ultimately, if everyone is pulling in the same direction, data security is much easier to maintain.

PCI DSS compliance isn’t optional; it is a standard and must be maintained. Failure to comply carries with it a number of consequences.

Do bear in mind, therefore, that while compliance with the PCI DSS is an obligation, it is far more than just ticking a few boxes to remain in good standing. It is about building trust with customers and guaranteeing the success and profitability of an organisation for the long term.