Guide for QSAs: How to secure contact center phone payments

Transcription

1 Guide for QSAs: How to secure contact center phone payments The current strategies being used to meet PCI Data Security Standards in contact centers. But which ones work, and which ones should you suggest to clients? Click: Call: Visit: LinkedIn: company/eckoh-plc

2 FACT: CNP fraud is rising - fast! Payment fraud is a like a giant balloon - you squeeze one end and the other end gets bigger. This is much like the way criminals work - the law clamps down one method of fraud (e.g. the introduction of EMV/chip and pin) and the criminals just move on to less secure environments. Card Not Present (CNP) transactions (ecommerce, mail order and phone payments) are more vulnerable to fraud than face-to-face transactions. Not just because there's no-one to physically validate them, but the vast majority of purchasing occurs over the phone, on a computer or through mobile phones. 76% of all fraud is associated with remote purchase CNP transactions. [3] As criminals focus more on CNP transactions, merchants can no longer keep their heads in the sand. CNP fraud losses are running at $5.2 billion [1] in the US, and are expected to reach $7 billion by 2020 [2]. [1] Statista.com [2] Aite Group [3] FICO 2018 Page 01

3 Why Payment Card Industry Standards matter in contact centers? As a QSA for PCI DSS compliance, you ensure organizations are fulfilling their responsibilities. You're under pressure to uncover hidden areas that payment data may leak into, or possible fraud targets. You're also seen as a trusted advisor by organizations when an area of non-compliance emerges, and they will turn to you for guidance on how to change their methods accordingly. So what do you suggest for a contact center which has payment data touching agents, networks, processes and telephony? For years, the pause and resume method was the accepted route, and many QSAs would sign this off as 'compliant'. But with more ways to intercept data in transit through the whole contact center, pause and resume cannot deal with the risks on its own. Let's look at why... Page 02

4 What's the risk? The telephone is a notoriously difficult payment channel to secure. Traditionally, customers read their card data over the phone to an agent, who manually inputs that data to their systems. This puts that data at high risk in several areas and within PCI DSS scope: Customer reads card data out loud - the agent and any bystanders can hear this information. It's also captured on call recordings. The agent types the card data into their systems - the data touches the whole IT environment including CRM systems, screen recordings, desktop, LAN and telephony systems, which can be intercepted in transmission by key/screen loggers or hackers. So it's little wonder that IT and Compliance Managers are left scratching their heads deciding how to best tackle these risks. Saks & Company - Sept 2014 Small scale high consequence breach 1 employee Stole 22 card numbers $400,000 fraudulent purchases Security breach hit the headlines Huge reputational damage to Saks Page 03

5 How are organizations tackling it? Many contact center organizations are changing their approach to how they deal with customer information coming in through their agents. Some are using robust technological methods while others are trying to sort it out themselves by making adjustments to their internal processes. A small majority are still under the illusion that they are invincible and will never be breached. In September 2018 the Verizon Payment Security Report found that only 39.7% of companies in the US were fully PCI DSS compliant. In Eckoh's own contact center survey in 2017, we found that 80% of the methods that contact centers used to secure payments do not, on their own, ensure compliance. Worryingly, 65% of them still use manual processes and training. Page 04

6 #1 Denial: "Fraud won't happen to us!" Unbelievably, 65% [4] of US contact centers only use basic security as their main fraud deterrent, using manual processes and training to ensure correct handling of payment information. These contact centers also rely heavily on firewalls and other security related equipment to prevent breaches to systems and use encryption software for areas that store customers information. Although these are good practice measures and form part of basic systems security, they are certainly not fail-safe and often span generic systems without any specific focus on one department s activity or processes. When breached, it often spells financial and reputational disaster for the organization involved. In their 2014 report, Verizon found that over the last ten years of investigations, 100% of companies were not compliant at the time of the breach. [4] Eckoh-Contact Babel survey 2017 Page 05

7 #2 Segmenting: Payment zones, clean rooms, 'pause & resume' recordings There are still many contact centers that separate their payment processes. This includes creating clean room environments or segregating credit card handlers from other agents. These processes are generally good practice but there are still security gaps. Call recordings and data collected on PCs and networks are still exposed, so these techniques do not adequately address the full PCI DSS requirement scale. Some contact centers transfer calls from one agent to an unrecorded extension where a second agent takes the customer s payment card details. Other systems need agents to manually pause and resume recording using buttons on their screen or handset. These methods are open to human error. Standards and regulations are continually evolving, making gaps to achieve compliance ever greater. It is also well known that the PCI Security Standards Council prefers solid, technology-based solutions. Page 06

8 #3 Tone blocking: Traditional DTMF masking An increasing number of contact centers use external vendor DTMF masking technology where the caller uses their telephone keypad to enter their card details. As a fully hosted deployment the technology prevents card data from ever entering the contact center environment. Using their keypad, customers enter their card details when prompted by an agent. The agent cannot see or hear the details as the system hides card entries on the agent screen and blocks the DTMF tones from being recorded. Automated IVR versions of this system are also used for customers that make discretionary payments. Owing to the increased volume of home-based and remote agents joining the workforce, DTMF blocking and masking methods are proving to be the most flexible, resilient and secure form of contact center compliance. They can be applied to all or parts of the contact center and as well as the obvious PCI DSS de-scoping benefits. Organizations are also finding that outsourcing their requirement reduces a potentially massive drain on internal resources and time. Page 07

9 #4 Audio Tokenization: The latest technology Not to be confused with Payment Service Provider (PSP) tokenization, Audio Tokenization is the most recent method to enter the market for PCI DSS de-scoping in contact centers. It is also the most secure, as it de-values card data before it even enters the organization. Tokenization is commonly used by Payment Service Providers (PSPs) to for recurring payments. They send a token (a substitute for the real card number) to the merchant after the initial payment, so it will recognize it for future purchases. However, the card number has to first go through the merchant environment before the PSP processes it. With Audio Tokenization, the customer enters their card details using their handset. The DTMF tones and card data are then tokenized before it enters the contact center environment and prior to the PSP receiving it, securing the whole process and keeping card data out. Many organizations are choosing tokenization methods over encryption for their CNP channels for their heightened security benefits as unlike encryption, tokenization can de-scope entirely. Page 08

10 What solution should you recommend? Ensuring organizations fulfil their PCI DSS responsibilities is your mission. You don't want to see your clients go it alone, embarking on costly infrastructure rebuilds, or using methods prone to human error or data leaks - enough to fail an assessment. You want to help your client identify the best and most secure option to become compliant quickly. If your advice is to enlist the help of a PCI DSS accredited Service Provider, make sure they will take on as much of the PCI burden as possible. The Service Provider will offer sound technology based solutions that fully de-scope a contact center and will help them tick off the majority of questions that a contact center operator needs to answer. DTMF Masking and Audio Tokenization methods are the most effective ways to secure contact center for PCI DSS. These are managed services offered by PCI DSS Level One Service Providers and have strong cost, resource, operational and security benefits. It is important to understand these options when you are next asked for a recommendation. Page 09

11 Still undecided? As a PCI DSS Level One accredited Service Provider since 2010, we know what it takes to reach the meet the rigorous PCI DSS requirements every year. We've since helped hundreds of contact centers achieve their PCI DSS goals. Our clients have all gone through the auditing process themselves and would most likely agree that our CallGuard solution is the most flexible on the market. No matter how complex their infrastructure is, or how little or how much they want to de-scope their contact center, we have provided a version of CallGuard that fits their needs perfectly. And the best part is, it has lifted a huge fraud risk off their shoulders. Page 10

12 About Eckoh If you would like some impartial information, just drop us a line or give us a call. Our PCI DSS compliant secure payment suite of products protects payments made over the phone or web: CallGuard- Secures payments made over the phone using DTMF masking or Audio Tokenization, on a premised or hosted basis Live Chat Pay - secure payment within the chat session Alternative Payments - extending payment security to Apple Pay, Google Pay and Paypal. Contact us today to see how Eckoh could help contact centers move towards PCI DSS compliance. Click: tellmemoreus@eckoh.com Call: Visit: