Here is a statistic for you; according to the RSA Data Privacy & Security Report, 62 percent of respondents said, “they would blame the company for their lost data in the event of a breach, not the hacker”. That alone should be enough for organizations to take a hard look at data security, above and beyond mere compliance.
We are all aware of the 12 PCI DSS security standards that any entity involved in accepting, transmitting, or storing cardholder data must adhere to. Those standards were jointly developed by Visa, MasterCard, American Express, Discover, and JCB to provide security requirements to combat credit card fraud. While these standards absolutely provide a roadmap for organizations, they should not be confused with cardholder security. Here’s why.
For starters, an organization that is deemed PCI compliant has merely shown that they were compliant at a given date and time. It doesn’t mean that cardholder security is an on-going initiative for that organization. Secondly, some of the PCI DSS standards are a bit out of date. I’m only going to focus on the PCI DSS standards that are specific to contact centers and live-agent payment transactions.
The PCI DSS document, Protecting Telephone-based Payment Card Data was issued in March of 2011. PCI “Participating Organizations” vote each year for two community-driven initiatives, and for 2018 “Protecting Telephone-Based Payments” finally made the list. Many of these participants provide competing products, and it says a lot when a group of competitors come together to work on an initiative that they believe is in the best interest of organizations and consumers. Our approaches may differ, but the end goal is the same….data security.
Since the initial guidance provided in 2011, companies focused on call center technology have continued to innovate, taking telephone-based payment security measures into their own hands. IntraNext, along with our competitors, have invested in modern technology and developed new product platforms to aid organizations in securing cardholder data over and above the existing published PCI DSS standards.
The introduction of DTMF masking is an example of a technologic advancement that should be considered best practice, albeit not an “official” PCI DSS requirement.
Basically, numeric credit card details are entered by the customer via their telephone keypad while remaining on a call with an agent. The agent can see the progress (not the details) of the data entry, but there is no verbal exchange of the data. Have you ever provided your credit card information over the phone and wondered if anyone around you heard it? The power of DTMF masking in live-agent payment transactions is that the sensitive cardholder data is not seen, heard, nor recorded on an agent’s desktop.
Quality monitoring systems are an important part of many call center operations. These recording systems can create challenges for companies to ensure they remain compliant with PCI DSS—purging recordings or initiating “pause and resume” operations are not efficient. By implementing DTMF masking, these challenges are virtually eliminated. If the data is neither seen nor heard during the conversation, call recordings can be captured in full.
Tokenization is another example of a technologic advancement that should be best practice. PCI DSS requires that cardholder data be eliminated, rendered useless, substituted, or secured. Eliminating cardholder data is not feasible for some organizations. How many of us have a card on file for recurring payments? Have you returned something you purchased online and the refund is directed to the card on file? Of course we have! Consumers like convenience. So how does an organization eliminate or render useless a card on file? Tokenization! Tokenization replaces cardholder data with a token that is useless outside of that organization and reduces the number of system components for which PCI DSS requirements apply.
The world of regulatory guidelines is about to get bigger. The General Data Protection Regulation (GDPR) goes into effect May 25, 2018. The GDPR has provisions designed to protect personal data including how data is stored, collected, and transferred. The GDPR applies to companies based in the European Union (EU) or have customers that are EU citizens. The Information Commissioner’s Office (ICO) has multiple resources regarding GDPR including the Guide to the General Data Protection Regulation. Both carry fines for non-compliance.
Compliance and data security are not easy initiatives to define or implement. Incorporating modern technological advancements above and beyond mere compliance can help your contact center achieve your data security and fraud prevention goals.