To mitigate the increasing levels of fraud directed at MO/TO operations, the governing authority of the Payment Card Industry (PCI) Data Security Standard (DSS) issued an educational resource that details tactics and best practices for securely processing payment card transactions over the telephone. The new supplement outlines what card data call centers need to protect and how to do it.
The supplement, entitled Protecting Telephone-Based Payment Card Data Information Supplement, explains how the PCI DSS applies to cardholder data stored in call recording systems.
It also helps merchants determine what controls are necessary to ensure call recordings meet the PCI DSS, suggests methods for securing that data and offers guidance on how to implement security requirements. The PCI DSS mandates that sensitive authentication data, such as the three- or four-digit card verification value numbers on payment cards, cannot be retained by merchants, and that the full primary account numbers cannot be stored without certain security measures being implemented.
Thus, call centers that accept customer payment card details over the phone and then store recordings of those phone conversations on merchants' internal systems pose a risk of data theft and are not in compliance with the PCI DSS.
The PCI Security Standards Council (PCI SSC) believes the supplement is important for ISOs and merchant level salespeople because the threat landscape for fraud has migrated away from brick-and-mortar and e-commerce environments due to the successful application of risk mitigation strategies. Now, fraudsters are targeting MO/TO payments, where protections for sensitive cardholder data may be lacking.
At call centers, customer-service provider interactions are often recorded and stored digitally on internal systems. "And therefore what we see, as with many other of the breaches that take place, is that the criminals hack in remotely or occasionally hack in with the support of a rogue employee," said Jeremy King, European Director for the PCI SSC.
What makes call centers especially vulnerable is the volume of calls many centers receive, King added. "It's because they are dealing with so many calls per hour," he said. "There can be a lot of people interfacing directly with the cardholder and, therefore, there are lots of opportunities for the card data and the sensitive authentication data to be recorded."
Such data may be transferred from the call agent to a supervisor and be stored at multiple locations within the center, he explained. And, then, if the data gets backed up, "suddenly the whole infrastructure's awash with sensitive authentication data," he said.
According to King, many governments and law enforcement agencies require that call centers record customer interactions for purposes of verification. The U.K.'s Financial Services Authority, for example, mandates financial institutions that advise customers on mortgages "must have the call recorded to show that the person who was wishing to take out a mortgage did undertake the call," King said.
During that conversation, if a transaction is conducted and card data is taken, the PCI DSS requirements apply. "They must realize that [call centers] are the frontlines and that they have a role to play in protecting the cardholder data that comes in," King said.
"The IT specialists in the organization have a role to play to make sure this data is not just wandering through the systems, and also to make sure that they are locking down and securing their systems from external attack." King reports that more and more businesses with call centers are recognizing that they need to bring their centers into PCI compliancy. In fact, the supplement was created after the PCI SSC received feedback from some of its participating organizations that guidance was necessary. "This provides a good guidance for those who start asking the questions," King said.
The supplement can be accessed online at www.pcisecuritystandards.org/security_standards/documents.php under the Information Supplements heading.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.Prev Next