Why PCI advice from a QSA is increasingly vital
Achieving PCI compliance standards isn't a 'set and forget' activity like getting a health check. Just because you were healthy in November doesn't mean you're healthy in February.
"Are we PCI DSS compliant?" That's what every business needs to know from an independent Qualified Security Assessor (QSA). But now there's a second question being asked with some urgency: How can I make telephone payments secure for customers — in a way that's sustainable?
Achieving PCI DSS compliance isn't a 'set and forget' activity like getting a health check. Just because you were healthy in November doesn't necessarily mean you still are in February. In fact, this kind of 'annual event' mind-set can create a false sense of security, warns the PCI Security Standards Council.
"Forensic investigators have discovered that security controls deployed by organisations that had passed an assessment were often out of compliance when breaches occurred at a later date," explains the Council. "It’s only by achieving and maintaining compliance that your cyber defences will be adequately primed against attacks aimed at stealing cardholder data," it advises.
So what practical advice can QSAs offer to clients that want to achieve PCI compliance standards in a way that's reliable and long-lasting?
Many companies find transactions especially tricky to lock down — and criminals are taking advantage. Card Not Present (CNP) fraud currently accounts for 47% of all card fraud. So what's out there that can stop them?
Firewalls, Encryption and Staff TrainingAlthough each of these methods is good for general corporate security and maintaining best practice, none can be regarded as a safeguard against CNP fraud. So it's shocking that almost one fifth of contact centers rely on this risky approach. They could easily find themselves at the center of a data breach and a devastating media storm.
Almost half of contact centers have separate processes for handling telephone transactions, such as clean rooms, 'pause and resume' recordings and segregating credit card handlers from other agents. Costly to maintain and often giving customers a disjointed experience, these measures can close down some routes to fraud but they leave others wide open. Human errors can be a particular weakness. Determined thieves can also find a way through, even if mobile phones and notepads are banned in so-called clean rooms.
More contact centers are teaming up with external partners that provide DTMF masking solutions. Typically this involves the calling using their keypad to enter card details, while staying in conversation with the agent. The numbers are masked when they appear on the agents' screens and the keypad DTMF tones are masked/flattened out, making them indecipherable at the time — or from call recordings. Fully hosted systems that take this approach actually remove contact centers from the PCI DSS audit scope, massively reducing complexity, cost and risk.
This is a newer way for companies to de-scope their contact centers from the PCI audit. Any sensitive numbers typed by callers are replaced with 'token placeholders'. These tokens are worthless to criminals but enable payments to process as usual. What makes this process especially attractive is the speed of deployment and the fact a company doesn't need to change its systems.
If you can find a solution provider with the right PCI credentials, experience and reputation- DTMF Masking or Audio Tokenization will be the recommended choice. These methods don't play 'cat and mouse' with criminals, they end the game completely.
Organizations can save themselves from a never-ending cycle of staff screening, training, complex security procedures and hoping the worst will never happen. They get lasting peace of mind from data breaches and fraud too — not just for a few months, but years. Discover more by downloading your free copy of Guide for QSAs.
This year is the 40th anniversary of the classic 1978 sci-fi movie Invasion of…
While the US retail industry is reeling from what has been declared by some as…