How To Ensure PCI DSS Compliance (And Why Most Get It Wrong)
In 2021, a massive data cache containing 3.2 billion accounts associated with a variety of services was exposed in one of the largest PCI data breaches in the world.
Oddly enough, news of such events as the COMB data leak gives a false sense of security as these massive events feel like one-off misfortunes. But the reality looks very different. According to the Identity Theft Resource Center's 2021 Data Breach Report, there were 1,862 breaches affecting 294 million people last year, making it the highest recorded number ever.
Interestingly, all recent data breaches would not have happened if the company was compliant with the Payment Card Industry Data Security Standard (PCI DSS) regulations.
Today, I want to walk you through what PCI DSS actually means and whom it applies to before going into more detail about what you need to do to be (and stay) compliant.
What Is PCI DSS & Whom Does It Apply To?
The PCI DSS is an information security standard designed to tighten security measures concerning payment cardholder data to decrease fraud. It was created in 2018 in collaboration with the major payment card organizations, namely American Express, Discover, JCB, Mastercard, and Visa, and is administered by the PCI SSC (Payment Card Industry Security Standards Council).
Similar to other compliance regulations, everyone who processes, stores, transmits, or manages payment card data must comply with the PCI DSS. This includes any merchants that accept debit or credit card payments — even if payment card processing has been outsourced to a third party — as well as service providers who process, store, or transmit on behalf of another entity.
What Are The PCI DSS Compliance Requirements?
There are 12 requirements companies have to meet in order to be PCI DSS compliant:
- Limit access to cardholder data by installing and maintaining a firewall
- Never use default passwords (and practice good password management)
- Protect cardholder data, whether it is being stored, transmitted, processed, or in its physical form
- Always encrypt cardholder data when transmitting it over public or open networks
- Install and maintain anti-virus software or programs to protect yourself against malware
- Develop and maintain secure systems and applications, promptly patch vulnerabilities, implement adequate security mechanisms, and so on
- Restrict access to cardholder data on a need-to-know basis
- Each person with computer access must have a unique identification
- Physical access to cardholder data must be restricted (e.g., keycards to your data center)
- All access to the cardholder data and the network resources must be tracked and monitored (e.g., for suspicious activity)
- Test security systems and processes with regularity
- Create and maintain an information security policy for all employees and contractors
As you can see, these requirements are very broadly defined and need to be properly interpreted depending on your situation.
Why Is PCI DSS Compliance Important?
When asked about the top three challenges impacting their call centers in 2021 in the CGS survey, an astonishing (and scary) 36.2% of respondents said that customer data security and fraud prevention was one of their main concerns, after keeping up with the changing nature of business due to COVID-19 (58.1%) and the availability of labor (40%). And they were rightfully concerned.
One of the most well-known recent breaches involves Target losing 40 million cardholder details after not updating their $1.6 million malware detection solution for three weeks. This mistake cost them nearly $18.5 million in settlements and $202 million in legal fees.
But organizations have to worry a lot more about negligent and even malicious employees and subcontractors than external hackers as internal causes are the most common reason for payment card fraud. About half the time, crimes are committed for financial gain, but one in three employees will cause issues just for fun, while 22% of issues are simply the result of human error.
Regardless of the cause, PCI data breaches and payment card fraud are very expensive, and for smaller or not-as-financially-sound companies, they can easily mean the end of the line.
How Do You Ensure Compliance In Your Contact Center?
Despite the extensive damages caused by data breaches and fraud, the Verizon 2020 Payment Security Report found that only 27.9% of organizations are able to maintain full PCI DSS compliance! A large number of organizations have some elements in place but largely rely on agents to act in accordance with the regulations.
The Chinese general Sun Tzu and author of "The Art of War" once said: “Plan for what is difficult while it is easy, do what is great while it is small.” This quote very much applies to PCI DSS compliance as it is much easier to be prepared (meaning compliant) than it is to be audited or to experience a data leak or breach which can lead to being sued by the customer themselves, by the state, and/or by the payment card company.
In addition to the requirements above, here are a few suggestions that will help you pave the road to PCI DSS compliance:
- Remember that any call recording solution is a tool used to meet your goal of compliance; it is not a guarantee. Just like you need to update your malware protection, you will need to train your agents and ensure that everyone follows protocol.
- Do not rely solely on encrypting your call recordings as most PCI theft happens internally.
- Minimize the chance of human error by automating security and compliance in the background. For example, use AI-driven redaction to detect a number string (e.g., three numbers in a row) and silence the call recording and hash out credit card numbers in the transcript so you do not have to rely on your agents pausing and resuming call recording (manual intervention) to enter cardholder details.
- Reduce human negligence by automating cyber-security-related processes. For example, enforce IT security policy adherence by automatically resetting passwords after X months.
- Use live monitoring and screen recording to identify training gaps and possible negligence, and as a deterrent for malicious behavior. For example, four agents might not know that they are not compliant when they write the cardholder details in Notepad, knowing that those details will be needed again at a later point in the conversation.
- Contact centers have high turn-over rates. Have a defined, well-documented onboarding and training procedure paired with a highly automated process.
- Minimize the amount of data you are generating. For example, do not use video during sales calls that involve monetary transactions so you can reduce the risk of exposure. It is much easier to redact a credit card number from a call transcript than to blur it out on a video.
With MiaRec's Call Recording and Voice Analytics solution, you can rest assured that you have a secure and feature-rich solution that enables you to achieve and maintain PCI DSS compliance.
Our AI-driven speech engine can recognize any string of numbers (such as debit and credit card numbers, but you can also use our engine to protect social security or other sensitive numbers) and redact them automatically, minimizing your risks tremendously. In addition, all call recordings are encrypted, whether they are stored or transmitted. Last, but not least, our solution offers the ability to simultaneously record multiple screens per agent as well as the capabilities to live monitor your agents' calls, making it easy to be compliant.
Share this
You May Also Like
These Related Stories