Inside New PCI Guidance: PCI Council on Protecting Stored Digital Card Data
Jeremy King, European regional director for the PCI Security Standards Council, which authored the supplement "Protecting Telephone-Based Payment Card Data Information," says service providers need to follow the rule of thumb "If you don't need it, don't store it."
Call centers are caught in a strange position where "on the one hand, they're required by local law to record the data and keep that data stored, but on the other hand, they don't want to include the credit card or the sensitive authentication data," King says in an interview with BankInfoSecurity.com's Tracy Kitten [transcript below].
The new guidance focuses on ensuring that primary account numbers and other sensitive data aren't stored at all, and offers recommendations for handling whatever sensitive data remains so that it isn't exposed to potential fraud.
Service providers are already encrypting stored data, which King calls a good method, but encryption does little if the key that decrypts the data sits inside the same organization. "The safest bet is to eliminate the data," King says.
A combination of awareness and technology will aid in the security of sensitive data at call centers.
During this interview, King discusses:
- Key points from the guidance for complying with the PCI Data Security Standard;
- Why the storage of card data collected by call centers and other telephone-based systems is a concern;
- Steps the payments industry is taking to balance compliance with local laws.
King is the European regional director for the PCI Security Standards Council, leading the SSC's efforts to increase adoption and awareness of PCI security standards in Europe. King's responsibilities include gathering feedback from the merchant and vendor community, coordinating research and analysis of PCI SSC-managed standards in European markets, and driving educational efforts and council membership through involvement in local and regional events. He also serves as a resource for approved scanning vendors and qualified security assessors. Before joining the council, King was vice president of the Payment System Integrity Group at MasterCard Worldwide, where he played an integral role in developing payment terminal and chip-card security programs. He also spent more than 14 years in the United Kingdom semiconductor industry and has a strong background in emerging technologies, including contactless cards, encryption and mobile payments.
PCI-DSS Guidance
TRACY KITTEN: The PCI Council released supplemental guidance to assist merchants and service providers with meeting PCI-DSS requirements for securing payment data that's captured within voice recordings. Why did the council feel this was an area that needed attention?
JEREMY KING: I think this was really for two key reasons. The first reason was feedback. In almost everything that the council does, we always talk about feedback and receiving feedback from those involved in the industry. This is a prime example of good feedback coming from the industry via the merchants involved, from the acquirers and the board of advisers, especially Barclays in the U.K., who reached out to us and said this is an area where we actually needed to provide some more guidance and information for this sector.
Secondly, it's one of those areas which is being targeted by the criminals for fraud, so we felt that this was something we needed to do, something that we needed to look at. We think this is a great example of how we're making sure our stakeholders have what they need to understand and implement these standards, the PCI-DSS standard, in their organization.
KITTEN: Now for the purpose of this supplement, how does the council define data captured within voice recordings, and what industries beyond financial might this supplemental guidance impact?
KING: Firstly, with all transactions, we have a standard saying of if you don't need it, don't store it. That applies in this sector as well. Look at it a little bit more closely. The voice recordings, these tend to be when people are ringing up and ordering things. It's what we classify as the card-not-present transaction. Therefore, often it relates to the primary account number, the large 15-16-digit code that's across the card, and usually an additional CVC or CVV code to actually verify that it is the cardholder. This is sensitive authentication data that really needs to be looked after. And like I say, if you don't need it, don't store it.
Call Center Risks, Prevention Methods
KITTEN: Now you've mentioned, Jeremy, if you don't need it, don't store it. I think that ties in well with a lot of the standards that the industry has been complying with as of late. Along with face-to-face and e-commerce payments, PCI standards apply to call centers too, where credit or debit card information is processed over the phone, as you've mentioned, and may be recorded and stored, which exposes the cardholder data to potential risk, as you've also noted. Do you think most merchants and industries, for that matter, are aware of their need for compliance with PCI when it comes to call center communications? And it sounds like, from what you've said, they do.
KING: Yes, there's definitely a growing awareness that call centers are "in scope" with the PCI data security standard, and that they're receiving significant quantities - not huge volumes of calls - which include the credit card data. But quite often, they're sort of caught in this strange position where, on the one hand, they're required by local law to record the data and keep that data stored, but on the other hand, they don't want to include the credit card or the sensitive authentication data. It's this sort of strange juxtaposition that they're trying to seek this additional guidance on, and this is really where the new guidance document will help them. It provides them guidance on how to go about ensuring that the actual primary account number and the other sensitive data aren't stored. Or if it's stored, it's stored for as short a time as possible. This is providing great guidance to the industry.
KITTEN: How prevalent is the storage of cardholder data that's collected via call centers or voice systems?
KING: It's the standard practice. It's business as usual for them, unfortunately, and what we aim to do is provide specific recommendations about this data so it prevents them from being open to potential fraud. And as I've said, card-not-present fraud is one of those areas of fraud which is stubbornly high around the world.
KITTEN: Is the standard practice right now to encrypt this data if it's stored?
KING: Encrypting data is a very good method of ensuring that it's not accessible to the criminals. But obviously encrypting the data in itself isn't good enough if you've also got the key within your organization that can decrypt it. You have to be careful about how you go about encrypting it, and you have to make sure that it's secure. Really the safest bet is to eliminate the data. If you can't eliminate it and you can't encrypt it securely, then render it unreadable.
Call Center Security Challenges
KITTEN: Now you've noted that you do see fraudsters targeting this type of information when it's stored and collected at call centers. What unique challenges do call centers face when it comes to security? Beyond the recorded details that are stored, of course, we have the human element with call centers or customer service representatives taking and collecting card details from consumers, which to me seems to pose its own unique challenges. Would you agree? And what, if anything, is the council recommending for the human element?
KING: I think this gets right to the heart of the security practice. It takes a combination of both the people and the processes and technology, especially in call centers, to make an organization secure. Therefore, training the workforce is one of those key factors, so that the people who are receiving these calls fully understand the implication of what it means when they're listening in, receiving or writing down any credit card data. If they're sitting there receiving a call, and the person says their credit card number and they write that down or they enter it into their system, then that's storing sensitive authentication data. If they then pass that on to their supervisor or it goes into other systems, you can see how very quickly, for a call center, there's a huge impact on all of their systems where card data is. Having good training of the workforce ensures that people are aware of the impact of what they're doing so they can become better trained and better aware to ensure that they're not leaving their organization open to card fraud.
KITTEN: The supplement that will be issued today is called "Protecting Telephone-Based Payment Card Data Information." It's touted by the council as providing actionable recommendations to merchants and service providers for securing and processing payment card data over the telephone. What are some of those actionable items?
KING: We've included an explanation of how PCI-DSS applies to cardholder data stored in call recording systems, recommendations for merchants when assessing risk in applicable controls of call center operations and specific guidance for addressing sensitive authentication. This includes suggested methods for how we render the data unavailable under query, and being certain that the PAN is masked when it's displayed on the call center operative's display. There's so much more than that that we could go into, so it's really best that the listeners go onto the council's website and download the actual guidance there, because then they'll be able to see all of the specific guidance notes that we've included.
KITTEN: Finally, before we close, could you offer our audience some recommendations or final thoughts about how the guidance might be applied to their call center operations?
KING: Merchants or service providers can use this document to better understand the PCI-DSS requirements of voice recordings and how to address them within their call center operations to process payment cards much more securely. If you take it seriously and if you follow the guidance, then you can make your call center much more secure and you can significantly reduce the risk of your call center being targeted for fraud.
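Two of the controls King describes, keeping no sensitive authentication data (the CVV/CVC) at all and masking the PAN wherever it is displayed or written down, can be enforced mechanically on the free-text notes and transcripts a call center already generates. The following Python is an added example written for this page, not code from the PCI Security Standards Council or from the guidance supplement. It scans a constructed sample note (not a real customer record), uses a Luhn check to tell a card number from other long digit strings such as order references, masks any PAN to first six and last four digits (the usual PCI DSS display limit; confirm against the requirement version you assess against), and drops the security code entirely rather than masking it. The regular expressions, the label list and the `[REMOVED]` marker are this example's own assumptions.

```python
import re

# Constructed sample of an agent's free-text note; not a real customer record.
SAMPLE_NOTE = ("Customer gave card 4111 1111 1111 1111 exp 12/29 CVV 123; "
               "order ref 9876543210 confirmed.")

# Candidate PAN: 13-19 digits, optionally separated by spaces or hyphens,
# not glued to other digits on either side. (Assumed pattern for this example.)
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Security code written next to a label such as CVV / CVC / CV2.
# (Assumed label list for this example.)
CVV_PATTERN = re.compile(
    r"\b(CVV2?|CVC2?|CV2|security code)\s*:?\s*\d{3,4}\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits, star out the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def _pan_digits(candidate: str):
    """Strip separators; return the digits if they look like a real PAN."""
    digits = re.sub(r"[ -]", "", candidate)
    if 13 <= len(digits) <= 19 and luhn_ok(digits):
        return digits
    return None


def find_pans(text: str) -> list:
    """Return the unmasked PANs found in text (for audit scanning of stored notes)."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = _pan_digits(m.group(0))
        if digits is not None:
            found.append(digits)
    return found


def redact(text: str) -> str:
    """Mask every PAN and remove every labelled security code in text."""
    def _mask(m):
        digits = _pan_digits(m.group(0))
        # Order numbers and other non-Luhn digit runs are left untouched.
        return mask_pan(digits) if digits is not None else m.group(0)

    text = PAN_CANDIDATE.sub(_mask, text)
    # Sensitive authentication data must not be kept at all, so the code is
    # dropped rather than masked; the label is kept so the note still reads.
    text = CVV_PATTERN.sub(lambda m: m.group(1) + " [REMOVED]", text)
    return text


if __name__ == "__main__":
    print(find_pans(SAMPLE_NOTE))
    print(redact(SAMPLE_NOTE))
```

`find_pans` is the audit side (run it over existing note stores and ticket exports to find where card data is already being kept); `redact` is the prevention side, applied before a note is written to disk. The Luhn check keeps the false-positive rate down on order and account references, but it is only a plausibility test, so treat any hit as data to remove, not as proof that a card was stored.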