Tuesday, December 4, 2018
Updated PCI Security Standards Council (PCI SSC) guidance, published Nov. 28, 2018, addresses the increasingly complex landscape of accepting payments by phone. Spearheaded by a PCI SSC Special Interest Group of call center and technology experts, Protecting Telephone-based Payment Card Data outlines best practices for mitigating fraud by removing sensitive data from scope.
Ben Rafferty, global solutions director at Semafone and Special Interest Group member, said the council last issued call center guidance in 2011, and the landscape has evolved significantly in recent years. The new guidance pertains to a new set of risks posed by Voice over Internet Protocol (VoIP), softphones and chatbots, he said, noting that these emerging technologies are potential targets for card-not-present fraud.
"Because protecting payment card data within contact centers is the core of Semafone's business, we invested our time to share our expertise for the new guidance," Rafferty said. "Drawing from our experience descoping enterprise contact centers around the globe, we hope to provide clarity on securing these critical payment channels."
Recommended scope reduction techniques include masking technologies that make payment card data indecipherable to call center agents or advanced routing schemes that send card data directly to processors. These techniques have been shown to simplify compliance, safeguard data and build customer trust, experts noted.
Following are additional areas, identified by the council, in need of scope reduction:
Michael Simpson, security analyst at SecurityMetrics, said phone-based payments are widely used by call centers, universities and fundraisers. These companies should not be storing cardholder data, sensitive authentication data or CVV codes; merchants that accept credit card payments over the phone need to implement solutions that stop recording when such data is entered, he noted.
"Unfortunately, any time you have human intervention, you'll make mistakes," he said. "Systems designed to pause when sensitive data is transmitted may still contain sensitive data because the agents forget to use the feature."
Simpson went on to say that merchants must submit annual risk assessments to their acquiring banks to get buy-off on storing sensitive data. However, not all large call centers are merchants; some are just service providers, he stated. In these cases, service providers should ask their merchant bank and merchant service provider for a copy of their annual risk assessment to make sure their storage methods are approved and compliant, he added.