PCI DSS, Policies and Security Awareness in Call Centres
Considerations for Certification of Call Centres according to the Data Security Standard of the Payment Card Industry
Copyright (C) 04/2008 by Howard Fuhs
As companies increasingly handle their customer communication and business processes through Call Centres, it is not astonishing that this economic sector can announce significant expansions year after year. Regardless whether it is for marketing purposes, customer relationship management (CRM), or taking orders, the communication between customers and company is routed through a call centre.
In some cases call centres are coming in contact with sensitive data which must be protected. In this article I would like to take a look at the problem of handling sensitive credit card data / cardholder data in a call centre environment. According to the Data Security Standard of the Payment Card Industry credit card data is especially worthy of being protected. And the standard applies to all companies, areas, systems and persons, that process, store or transmit credit card data and applies not only to digital systems but also to printouts, receipts, etc. as well as physical data storage entities where credit card data are stored.
Basics
The PCI Security Standards Council (PCI SSC) is an open supranational organisation, which is responsible for the continuous development, improvement, dissemination and implementation of security standards aiming at the protection of credit card data. The PCI SSC was founded by American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International and, with this backing, it represents almost the whole credit card industry.The involved duties and objectives are the definition and development of the PCI Data Security Standard as a common basis of the security programs from VISA and MasterCard as well as the prevention of theft and misuse of credit card data. It also leads to a significant increase of the general security standard in credit card industry and a reduction of liability risks.
The Payment Card Industry Data Security Standard (PCI DSS) consists of 6 control objectives which are containing 12 requirements with approx. 160 guidelines.
Objective | No. | Requirement |
---|---|---|
Build and Maintain a Secure Network | 1 | Install and maintain a firewall configuration to protect cardholder data |
2 | Do not use vendor-supplied defaults for system passwords and other security parameters | |
Protect Cardholder Data | 3 | Protect stored cardholder data |
4 | Encrypt transmission of cardholder data across open, public networks | |
Maintain a Vulnerability Management Program | 5 | Use and regularly update anti-virus software |
6 | Develop and maintain secure systems and applications | |
Implement Strong Access Control Measures | 7 | Restrict access to cardholder data by business need-to-know |
8 | Assign a unique ID to each person with computer access | |
9 | Restrict physical access to cardholder data | |
Regularly Monitor and Test Networks | 10 | Track and monitor all access to network resources and cardholder data |
11 | Regularly test security systems and processes | |
Maintain an Information Security Policy | 12 | Maintain a policy that addresses information security |
The certification requirements for merchants and service providers depends on the amount of processed transactions and on the amount of accepted credit cards in different levels. There are 4 levels for merchants and 3 levels for service providers.
Practical considerations
As the PCI DSS may provide clear code of practice on the technical side there must be special considerations on the human side. If all technical measures are put into place it needs only the regular control that all implemented security functions are working properly to fulfil the standard. If the technical side is solved it is not going to make any more work than a few hour of control activities per month to stay compliant.The human factor in a call centre is providing more problems when it comes to security considerations. Usually a lot of people are working in a call centre. And if the call centre provides a 24/7 availability people are working in 3 or 4 shifts per day. Furthermore the change rate of employees is higher than in the average workplace as the working stress is high and the wages are low. So one may say very well that the weakest link in the call centre security compliance chain is man itself.
To cope with that problem two solutions need to be establishes. Policies which are easy to teach and understand, and proper and repeated security awareness programs as a training for the job before the new employees get in touch with their first customer.
Security Awareness Program
Every call centre agent has to attend a security awareness program as a mandatory education tool. This can be a lecture or an online education. At the end of the awareness program a little exam must be passed. In all cases it must be documented that the user has attended successfully the security awareness program. The security awareness training must be repeated on a regular base. The interval between two security awareness programs should not be longer than 1 year and it should begin upon hire.Policies
Policies are a two-edged sword for maintaining information security in an organisation. If they are written well they can be used to educate employees about the company stance towards information security. On the other side policies are providing legal freedom as every employee was informed about his daily duties in information security with all its legal implications. This process requires employees to acknowledge in writing that they have read and understood the company’s information security policy.Policies must be written in a way that a non-technical person is able to understand the policy and their intention. This means the policies must be written in plain language and must be short. It is a fact that huge policy books will not be read, not even noticed by users as they are daunted by the wording and the size. It is no problem to boil policies down to a user friendly wording and size, products which are providing instant policies to solve that problem are already available on the market. Furthermore the policies should be divided in three categories, for users, for technical administrators and for management. It is obvious that policies for technical administrators are quite uninteresting for the average mortal user, same goes for management-specific policies.
With a mandatory security awareness program and security policies written for specific target audiences it should be possible to cope with the obstacles caused by human behaviour on the way to PCI DSS compliance.
Copyright (C) 04/2008 by Howard Fuhs