Your Best Practice Guide to PCI DSS Compliance

Anwesha Roy

The importance of PCI DSS for businesses of every size

Strategy
Your Best Practice Guide to PCI DSS Compliance

Established in 2006, the Payment Card Industry Data Security Standard (PCI DSS) is a vital compliance rule for any organisation collecting, storing, and processing payments data. While it is not legally enforceable, PCI DSS violations are considered serious security flaws that could invite large penalties or even lead to a data breach. However, most organisations are yet to meet 100% PCI DSS compliance, as these standards are rigorous and may appear too big an investment for small businesses. In a recent contact centre compliance by NICE, 99% of respondents admitted that there was room for improvement in their compliance tools and software.  

What is PCI DSS and Why Is It Important?  

The Payment Card Industry Data Security Standard (PCI DSS) is a collection of rules governing how payment data is exchanged and utilised, envisioned by the Payment Card Industry Securities Standards Council and executed by major card providers such as Visa, Mastercard, American Express, Discover, and the Japan Credit Bureau or JCB. Its purpose is to prevent credit card fraud and close security loopholes during transactions that multiply fraud risks.  

In 2021 and beyond, PCI DSS is extremely important for businesses of every size because:  

  • Omni-channel multiplies fraud risk – With customers making transactions on a variety of platforms and channels, a standardised set of rules is necessary to maintain security
  • Data breach numbers are rising – The proliferation of customer data (both public and private) creates a landscape that’s prime for data breaches and customer privacy attacks
  • Businesses now collect more data for personalisation – As transactions are recorded to power customer intelligence and analytics, companies must be careful to not expose card details
  • The geopolitical climate is sensitive – Cybersecurity is now closely linked with national security, and it is imperative to stay compliant in order to prevent more serious attacks
  • Cloud systems add to vulnerabilities – Storing data on the cloud as opposed to restricting it to an on-premise environment has its own downside, making it vital to regulate which data is stored

Amid this high-risk environment, customer demands are continually evolving. But in a bid to provide convenient, flexible, and empowering experiences, companies cannot compromise on the security of payments and business transactions. This is where PCI DSS comes in.  

PCI DSS lays down six clear objectives you must fulfil in order to demonstrate compliance and stay secure: 

  1. Network security – Configure your network landscape in a manner that minimises risk exposure. Implement additional network components, such as a next-generation firewall (NGFW), that can reduce network-related risks
  2. Cardholder data protection – When stored, cardholder data must be secured through mechanisms like encryption and storage should be avoided wherever possible. All data transmissions must be encrypted end-to-end
  3. Vulnerability management program – Contact centres must have a cybersecurity program in place that includes vulnerability management. Deploy tools such as antivirus software, threat intelligence, application security testing, etc regularly
  4. Information security policies – You need a detailed policy document for information security and all personnel have to be trained accordingly. Update your documentation regularly and make PCI DSS training part of the onboarding process
  5. Security testing and monitoring – New vulnerabilities can creep in when you scale your systems, install new applications, update the software, or add new seats. Maintain detailed logs of all transactions, and test the landscape to detect vulnerabilities proactively
  6. Access control – Agent access to cardholder data (during real-time calls, through recordings, or CRM databases) has to be governed by least privilege and zero trust access policies. All-access records must be logged and audited

5 Best Practices for Maintaining PCI DSS Compliance  

As you can see, PCI DSS isn’t a single, specific rule that you can implement in your contact centre. It is an overarching guideline that seeks to regulate the entire ambit of card-based payment transactions, both in your contact centre and your online/offline point of sale. Companies that achieve PCI DSS certification are viewed as highly trusted entities, and this certification is typically necessary if you want to transact with government bodies or operate in a regulated industry like healthcare or financial services.  

Conversely, failure to implement PCI DSS can result in heavy fines even if there is no actual data breach. For example, the Information Commissioner’s Office (ICO) recently fined Ticketmaster UK £1.25 million for lapses in PCI DSS and GDPR compliance, despite the breach having been caused by a third-party application exploit.  

For this reason, it is advisable to stay on the right side of PCI DSS by following these best practices:  

  1. Understand which PCI DSS level you are in and comply on the side of caution 

According to PCI, there are four categories of companies and your compliance burden will vary accordingly. Companies are segmented based on how many transactions they process annually – whether it is less than 20,000, between 20,000 and 1 million, 1-6 million, or 6 million+. For small businesses, a yearly assessment based on a self-assessment questionnaire (SAQ)  along with a quarterly PCI scan of your technology environment will suffice. Larger organisations must undergo an internal audit once a year, led by an authorised PCI auditor. Additionally, they must run a PCI scan by an approved scanning vendor (ASV), every quarter and submit the resulting report 

No matter the size of your business, it is advisable to conduct and document quarterly audits and refresh your certification annually, so that you are always up-to-date with PCI DSS mandates. Large companies can go a step further by appointing a certified PCI professional to their in-house compliance & security team.  

  1. Adopt a prioritised approach 

With so many objectives and a lot of ground to cover, it can be difficult to pinpoint where exactly you should start your PCI DSS compliance efforts. It’s best to take a prioritised approach, tackling the most highrisk and highexposure activities first, before delving into the details. Here is the recommended milestone sequence:  

  • Contain data retention – The most foundational step is to try and contain data collection and retention in the first place. If sensitive data isn’t stored, there’s no risk of it getting exposed. Pay special attention to authentication data like CVC that act as a strong check against card fraud
  • Establish response mechanisms – Even as you strengthen your security capabilities, you also need to prepare for the worst-case scenario. In case a breach does take place, there has to be a clear process flow guiding your response and reporting to the necessary authorities
  • Address app-related vulnerabilities – Today, third-party vulnerabilities count for a sizable portion of attacks and data breaches. That’s why you need to rigorously test your payment applications, even if they come with security certifications
  • Establish network and access controls – Assess and reconfigure your access privileges and network configurations to prevent agents from getting hold of cardholder data unless absolutely necessary. Deploy a strong firewall to close network-related vulnerabilities
  • Conduct security awareness training – Training is your final priority to close any remaining gaps in your security and compliance infrastructure. Training has to be conducted at regular intervals and after any new technology implementation and hiring cycle

This entire process must be carefully documented so that you can demonstrate compliance and obtain PCI DSS certification. You choose to have an authorised PCI auditor present to simplify certification.  

  1. Migrate from legacy technology at the earliest 

Legacy technologies and contact centre systems can be responsible for a lot of the PCI DSS violations that commonly happen, even if you have a strict procedure in place for your agents. For example, traditional systems would entail that an agent manually presses pause-and-resume on the call recording when a customer is entering their card details via DTMF. However, the agent might forget to resume the recording, which means that the call isn’t captured at all, or might press pause at the wrong juncture. A modern contact centre system would automatically pause and resume the recording when sensitive data is being shared or use DTMF masking to suppress cardholder data.  

Fortunately, contact centre providers are joining hands with compliance experts to make PCI DSS a top priority. Recently, Avaya partnered with Semafone to enable a PCI DSS compliant Session Border Controller (SBC) for contact centre environments.  

You can also use speech recognition to automatically detect when cardholder data is being shared and pause the call recording. Speech recognition even enables automated, agentless interactions, further reducing your risk exposure. If you are migrating to a cloud-based contact centre in the next few quarters (which is the case for 62% of contact centres as per Cisco), choose a PI FDSS-certified solution like Bright PatternNICE inContact, etc.  

  1. Make use of PCI-certified auditors 

This is a simple best practice that is frequently overlooked by contact centres in a bid to reduce compliance costs. However, as we mentioned, fines for non-compliance can go up to several million, not to mention irreparable damage to customer trust and market reputation. The three types of certified audit professionals you could engage are:  

  • Qualified security assessor (QSA) – The PCI Council employs certified QSAs who have the sole permission to conduct an onsite evaluation of your PCI DSS compliance efforts. A QSA will check your systems, processes, and documentation against the six objectives we mentioned, and the process can take several weeks to complete. However, large organisations shouldn’t avoid annual audits by a QSA if they are to stay compliant
  • PCI forensic investigators – These are individuals qualified by the PCI Council’s program and report to a QSA company. An investigation exercise is conducted to determine how cardholder data was compromised and what caused the breach. Partnering with PCI forensic investigators is essential to your response capability, which is the second most important priority for PCI DSS compliance as discussed
  • Internal security assessor (ISA) – You could have an in-house security expert obtain ISA qualification by enrolling in a PCI DSS training program. For small, mid-sized, and large organisations that regularly deal with cardholder data, an in-house ISA could save you significantly in long-term audits and compliance costs
  1. Invest in your larger data governance capability 

At the end of the day, PCI DSS compliance is part of your overall data security and governance blueprint – any loophole at the high level will trickle down to impact payment information as well. For example, if your data resides in silos without any centralised visibility or accurate mapping of inter-functional data flows, it will be extremely difficult to trace an exposure back to its root cause. An ongoing vulnerability could also go undetected, resulting in inadvertent non-compliance.  

For this reason, your overall data governance capability – including GDPR, customer data protection, agent data privacy rights, confidential IP, knowledge management, etc. – must be revisited. A centralised data store across the organisation that follows a set of standard protocols, privileges, and benchmarks is recommended. Payment data risk containment has to be formalised as part of your overall data security strategy and not relegated to the contact centre or e-commerce management alone.   

Key Pitfalls to Avoid on Your Journey Towards PCI DSS Compliance  

Despite growing concerns around data security and customer data breaches, it appears that compliance is actually declining. Between 2018 and 2019, compliance with PCI DSS fell from 52.5% to 36.7% globally. This is in line with a steady downward trend from a 55.4% peak in 2016. Importantly, the APAC leads in terms of compliance at 69.6%, compared to 48% in EMEA and just 20.4% in the Americas.  

Going forward, companies must buck this trend by avoiding the following pitfalls:  

  • Placing the onus on individual agents – Automated tools like DTMF masking and PCI-compliant applications are far better at curbing risk than manual efforts
  • Not maintaining sufficient documentation – Every organisational change, security incident, and data access must be recorded to ensure full visibility and transparency. In fact, file integrity monitoring is part of the PCI DSS mandate
  • Deprioritising compliance as it isn’t legally mandated – Several US states have formally made PCI DSS part of their legislation, and UK bodies regularly fine companies for non-compliance

 

 


Join our Weekly Newsletter