Blizzards ahead? Contact centers dash for compliance base camp
31 Oct 2023
Meeting the March 2024 deadline for the first phase of PCI DSS v4.0 may feel like reaching Everest base camp for contact centers: real progress, but not the summit. How should you press on to reach the summit, full compliance with the new payment security standard, in 2025? Here's some expert advice.
PCI DSS v4.0 has been years in the making, with payment security experts working to stay one step ahead of criminals. Each new attack tactic has been answered with a stronger control, and v4.0 turns those controls into requirements for contact centers.
As with any mountain to climb, teams need a map, a plan, and an eye on the seasons. In recent months, contact centers have been focused on March 31, 2024, the date on which PCI DSS v3.2.1 is retired and v4.0 becomes the only active version of the standard. Thirteen of the new requirements apply as soon as you are assessed against v4.0.
Once you've met these initial requirements, you've reached base camp, where you can take stock and plan the next push towards the summit. Another 51 future-dated requirements, best practices until then, become mandatory 12 months later on March 31, 2025. All of them are designed to defend against the ever-evolving threat from cyber criminals.
The PCI Security Standards Council (PCI SSC) has been busy helping organizations get ready for both dates, and Eckoh was privileged to host a webinar with one of its Vice Presidents, Jeremy King.
You can watch the full webinar here. Below we've picked out the requirements discussed that are especially relevant to contact centers:
Requirement 3.2.1: Any sensitive authentication data (SAD) stored prior to completion of authorization is kept to a minimum through implementation of data retention and disposal policies, procedures, and processes.
Key point: From the moment sensitive data enters your organization, you're responsible for its security, whether it arrived by voice or through a digital channel. Keep the time this data spends in your environment as short as possible, and dispose of it securely as soon as it's no longer needed.
Requirement 3.3.2: Sensitive authentication data stored electronically prior to completion of authorization is encrypted using strong cryptography.
Key point: Under the new rules, mandatory from March 31, 2025, SAD that is held electronically before authorization completes must be encrypted with strong cryptography; it can't sit in clear text anywhere on your systems. And remember the rule that hasn't changed (Requirement 3.3.1): SAD must not be retained at all once authorization is complete, even in encrypted form.
Requirement 5.4.1: Mechanisms are in place to detect and protect personnel against phishing attacks.
Key point: Criminals target agents, impersonate colleagues or managers, and try to steal login credentials, remote-access details or other information. One tactic is to put employees under time pressure, citing a supposed deadline or emergency, so they hand over details before thinking. All staff should receive security awareness training that covers phishing, and anyone who suspects they've been targeted should be encouraged to report it immediately. Technical controls belong alongside the training: anti-spoofing measures such as email authentication (SPF, DKIM and DMARC) and filtering that blocks phishing emails and malware.
Requirement 6.3.2: Maintain an inventory of bespoke and custom software, and of the third-party components incorporated into it, to facilitate vulnerability and patch management.
Key point: Be aware that the release of every patch is a starting gun for criminals: a published fix tells them a flaw exists, and often where to look, so they race to compromise systems before they are patched. An up-to-date inventory is what tells you which of your systems and components are affected, so you can patch before they get there.
Requirement 7.2.4: Review all user accounts and related access privileges, including third-party and vendor accounts, at least once every six months.
Key point: When people's roles change, check they have only the privileges the new role needs; often they won't need access to specific systems any more. The fewer accounts and entitlements across an organization, the smaller the attack surface.
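One way to make the six-monthly review repeatable is to reconcile an identity-provider export against a least-privilege role matrix and let a script surface the exceptions for a human to sign off. The example below is added here by the editor; it is not Eckoh's code or a PCI SSC artifact, and the role names, entitlements, account records and 90-day dormancy threshold are all constructed for illustration.

```python
"""Automating a user access review for PCI DSS v4.0 requirement 7.2.4.

Added illustration, not Eckoh's code or a PCI SSC artifact. The role matrix,
the account export and the thresholds are constructed for this example.
"""
from datetime import date, timedelta

# Constructed least-privilege baseline: which entitlements each role may hold.
ROLE_ENTITLEMENTS = {
    "agent":     {"ccaas_login", "crm_read"},
    "team_lead": {"ccaas_login", "crm_read", "crm_export", "recording_read"},
    "pci_admin": {"pay_gateway_admin", "hsm_console"},
}

# PCI DSS 8.2.6 requires inactive accounts to be removed or disabled within
# 90 days, so the review flags anything past that.
DORMANT_AFTER = timedelta(days=90)

# Constructed identity-provider export. lead03 moved from pci_admin to
# team_lead but kept an old entitlement; vendor_acme is a third-party account
# that has not logged in for months; svc_report has never been used.
ACCOUNTS = [
    {"user": "agent17", "role": "agent", "third_party": False,
     "entitlements": {"ccaas_login", "crm_read"}, "last_login": "2024-03-20"},
    {"user": "lead03", "role": "team_lead", "third_party": False,
     "entitlements": {"ccaas_login", "crm_read", "crm_export",
                      "recording_read", "pay_gateway_admin"},
     "last_login": "2024-03-28"},
    {"user": "vendor_acme", "role": "agent", "third_party": True,
     "entitlements": {"ccaas_login"}, "last_login": "2023-11-02"},
    {"user": "svc_report", "role": "agent", "third_party": False,
     "entitlements": {"crm_read"}, "last_login": None},
]


def review_access(accounts, as_of="2024-03-31", roles=ROLE_ENTITLEMENTS,
                  dormant_after=DORMANT_AFTER):
    """Return (user, finding, detail) tuples for a reviewer to act on.

    as_of is the review date as an ISO string so the function is easy to
    drive from a scheduler or a test.
    """
    review_date = date.fromisoformat(as_of)
    findings = []
    for acct in accounts:
        allowed = roles.get(acct["role"])
        if allowed is None:
            # A role the matrix does not know about is itself a finding.
            findings.append((acct["user"], "unknown_role", acct["role"]))
            allowed = set()
        excess = acct["entitlements"] - allowed
        if excess:
            findings.append((acct["user"], "excess_privilege", sorted(excess)))
        if acct["last_login"] is None:
            findings.append((acct["user"], "never_logged_in", None))
        elif review_date - date.fromisoformat(acct["last_login"]) > dormant_after:
            findings.append((acct["user"], "dormant", acct["last_login"]))
        # Third-party accounts get extra scrutiny (PCI DSS 8.2.7 expects them
        # to be enabled only while needed and monitored), so every one of
        # them is listed for the reviewer regardless of the other checks.
        if acct["third_party"]:
            findings.append((acct["user"], "third_party_review", acct["role"]))
    return findings


def summarize(findings):
    """Count findings by type, useful for the review sign-off record."""
    counts = {}
    for _, kind, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = review_access(ACCOUNTS)
    for user, kind, detail in results:
        print(f"{user:12} {kind:18} {detail}")
    print(summarize(results))
```

Run against the constructed export on 2024-03-31, the script flags lead03's leftover pay_gateway_admin entitlement, vendor_acme as both dormant and a third-party account, and svc_report as never used; agent17 produces no findings. The point of the role matrix is that it encodes least privilege once, so the review compares against a stated baseline rather than a reviewer's memory of who should have what.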
Requirement 10.4.1.1: Automated mechanisms are used to perform audit log reviews.
Key point: Security failures must be detected and addressed swiftly, but IT teams won't have time to read tens of thousands of log entries each week by hand. Automated tooling must therefore do the first pass, flagging anomalies and suspicious events for a person to investigate.
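To make the automated first pass concrete, here is an added example from the editor (not Eckoh's tooling or a PCI SSC artifact) that runs two detection rules over a small batch of authentication log lines: a burst of failed logins for one user from one source, and a successful login that follows such a burst. The syslog-style format, the host name pay-gw-01, the addresses, the thresholds and the sample lines are all constructed; in production the same logic would sit in a SIEM or log pipeline fed by the systems in cardholder-data scope.

```python
"""Automated audit-log review for PCI DSS v4.0 requirement 10.4.1.1.

Added illustration, not Eckoh's tooling or a PCI SSC artifact. The syslog-style
format, the host name, the thresholds and the sample lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log from a hypothetical payment gateway host.
# The last line is deliberately in a format the parser does not recognise.
SAMPLE_LOG = """\
2024-03-31T02:14:01Z pay-gw-01 sshd: Failed password for agent17 from 203.0.113.9
2024-03-31T02:14:04Z pay-gw-01 sshd: Failed password for agent17 from 203.0.113.9
2024-03-31T02:14:07Z pay-gw-01 sshd: Failed password for agent17 from 203.0.113.9
2024-03-31T02:14:10Z pay-gw-01 sshd: Failed password for agent17 from 203.0.113.9
2024-03-31T02:14:13Z pay-gw-01 sshd: Failed password for agent17 from 203.0.113.9
2024-03-31T02:14:20Z pay-gw-01 sshd: Accepted password for agent17 from 203.0.113.9
2024-03-31T09:05:44Z pay-gw-01 sshd: Failed password for svc_backup from 198.51.100.4
2024-03-31T09:30:00Z pay-gw-01 sshd: Accepted password for svc_backup from 198.51.100.4
2024-03-31T09:31:12Z pay-gw-01 kernel: eth0 link up
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)

FAIL_THRESHOLD = 5               # failures inside WINDOW that raise an alert
WINDOW = timedelta(minutes=5)


def parse(log_text):
    """Return (timestamp, host, result, user, src) tuples and a count of
    lines the parser did not understand. Unparsed lines are reported rather
    than silently dropped: a blind spot in log review is itself a finding."""
    events, unparsed = [], 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["host"], m["result"], m["user"], m["src"]))
    return events, unparsed


def review(log_text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Apply two rules over the log and return a list of alert dicts:
    1. brute_force: at least `threshold` failures for one (user, src) pair
       inside a sliding `window`.
    2. success_after_burst: a login succeeds for a pair already flagged,
       which is the pattern of a password guess that eventually worked."""
    events, unparsed = parse(log_text)
    alerts = []
    recent_fails = defaultdict(list)     # (user, src) -> failure timestamps
    flagged = set()
    for ts, host, result, user, src in sorted(events):
        key = (user, src)
        if result == "Failed":
            fails = [t for t in recent_fails[key] if ts - t <= window] + [ts]
            recent_fails[key] = fails
            if len(fails) >= threshold and key not in flagged:
                flagged.add(key)
                alerts.append({"rule": "brute_force", "user": user, "src": src,
                               "host": host, "count": len(fails),
                               "at": ts.isoformat()})
        else:
            if key in flagged:
                alerts.append({"rule": "success_after_burst", "user": user,
                               "src": src, "host": host, "at": ts.isoformat()})
                flagged.discard(key)
            recent_fails[key] = []        # a success resets the failure run
    if unparsed:
        alerts.append({"rule": "unparsed_lines", "count": unparsed})
    return alerts


if __name__ == "__main__":
    for alert in review(SAMPLE_LOG):
        print(alert)
```

On the constructed log this raises a brute_force alert for agent17 from 203.0.113.9 on the fifth failure, a success_after_burst alert when that same pair then logs in, nothing for svc_backup's single typo-then-success, and an unparsed_lines count of 1 for the kernel message. The single isolated failure is the kind of noise a human reviewer would otherwise wade through; the burst followed by a success is what needs to reach an analyst the same day, which is what Requirement 10.4.1 asks for.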
The Eckoh team also gave webinar attendees advice for the journey to full PCI DSS v4.0 compliance. Here are five takeaways:
1) Consider using a trusted partner: The most effective way to reduce your PCI DSS v4.0 scope is to keep payment card data out of your environment altogether. Using a trusted partner to handle payments on your behalf, so that your agents and systems never touch the card details, makes the burden far lighter. You still need to confirm that the partner is itself PCI DSS compliant and monitor its status (Requirement 12.8 covers managing third-party service providers), but the controls you have to operate yourself shrink dramatically.
2) Appoint a task force: Whether you take on the full weight of compliance or work with a partner, take a 'whole business' approach to PCI DSS v4.0. Pick a project manager for your task force, assign a project sponsor, identify stakeholders, and meet with department heads. The new standard is much stricter and seeks to embed compliance as an ongoing activity, not an annual exercise, so it's key to build a culture of 'continuous compliance' backed by C-suite support.
3) Work closely with a Qualified Security Assessor (QSA): Together, you’ll identify gaps that need fixing. Consider all your channels and edge cases. Increasingly, customers expect more connected experiences across a wide range of contact channels and emerging digital payment methods. Extend your compliance accordingly.
4) Don't overlook the cloud: Cloud providers hold their own compliance attestations, but these cover the provider's infrastructure, not the virtual machines, applications and data you manage on top of it. Securing those is your job. Agree with your provider, in writing, where each party's responsibilities start and stop; PCI DSS expects you to document which requirements are handled by the provider, which by you, and which are shared (Requirement 12.8.5).
5) Always consider the customer and your team: With any changes you make to comply with PCI DSS v4.0, make sure the cure isn't worse than the disease. Avoid clunky security methods that degrade your service. The customer and agent experience must remain paramount; compliance and intuitive technology can sit together comfortably.
You can also contact Eckoh directly for advice on your journey to PCI DSS v4.0.