Why PCI DSS advice from a QSA is increasingly vital

Achieving PCI compliance standards isn't a 'set and forget' activity like getting a car MoT. Just because you passed in November doesn't mean you're safe in February.

"Are we PCI DSS compliant?" That's what every business needs to know from an independent Qualified Security Assessor (QSA). But now there's a second question being asked with some urgency: How can I make telephone payments secure for customers in a way that's sustainable?

Achieving PCI DSS compliance isn't a 'set and forget' activity like getting a car MoT. Just because you passed in November doesn't mean you're safe in February. In fact, this kind of 'annual event' mind-set can create a false sense of security, warns the PCI Security Standards Council.

"Forensic investigators have discovered that security controls deployed by organisations that had passed an assessment were often out of compliance when breaches occurred at a later date," explains the Council. "It’s only by achieving and maintaining compliance that your cyber defences will be adequately primed against attacks aimed at stealing cardholder data," it advises.

So what practical advice can QSAs offer to clients that want to achieve PCI compliance standards in a way that's reliable and long-lasting?

Many companies find transactions especially tricky to lock down and criminals are taking advantage. Card Not Present (CNP) fraud is currently costing £400 million per year and growing by 17%. We took a look at some of the traditional and more innovative approaches deployed to secure telephone payments.

Firewalls, Encryption and Staff Training
Although each of these methods is good for general corporate security and maintaining best practice, none can be regarded as a safeguard against CNP fraud. So it's shocking that almost one fifth of contact centres rely on this risky approach. They could easily find themselves at the centre of a data breach and a devastating media storm.

Separate Processes

Almost half of contact centres have separate processes for handling telephone transactions, such as clean rooms, 'pause and resume' recordings and segregating credit card handlers from other agents. Costly to maintain and often giving customers a disjointed experience, these measures can close down some routes to fraud but they leave others wide open. Human errors can be a particular weakness. Determined thieves can also find a way through, even if mobile phones and notepads are banned in so-called clean rooms.

DTMF Masking

More contact centres are teaming up with external partners that provide DTMF masking solutions. Typically this involves the calling using their keypad to enter card details, while staying in conversation with the agent. The numbers are masked when they appear on the agent's screens and the keypad DTMF tones are masked/flattened out, making them indecipherable at the time or from call recordings. Fully hosted systems that take this approach actually remove contact centres from the PCI DSS audit scope, massively reducing complexity, cost and risk.

Audio Tokenisation

This is a newer way for companies to de-scope their contact centres from the PCI audit. Any sensitive numbers typed by callers are replaced with 'token placeholders'. These tokens are worthless to criminals but enable payments to process as usual. What makes this process especially attractive is the speed of deployment and the fact a company doesn't need to change its systems.

If you can find a solution provider with the right PCI credentials, experience and reputation, DTMF Masking or Audio Tokenisation will be the recommended choice. These methods don't play 'cat and mouse' with criminals, they end the game completely.

Organisations can save themselves from a never-ending cycle of staff screening, training, complex security procedures and hoping the worst will never happen. They get lasting peace of mind from data breaches and fraud too not just for a few months, but years.

Discover more

Get your copy of our e-Guide 'How to secure contact centre phone payments' and see how it's done. if you’d like to know more about how secure payments can benefit your organisation then give us a call on 08000 630 730 or drop us an email at tellmemore@eckoh.com.

Posted by eckoh at 10:15 AM on Feb 6, 2017


Recent Posts

Does it feel like it's panto season in your contact centre every day? If so,…


We've all watched on in horror ... as an out-of-control child creates havoc at a…


Are customers mysteriously falling out of love with your business — despite your…