Contact Centre Security


Contact centre security
A guide to PCI DSS compliance in call and contact centres
An insights paper

Will call centres ever look the same again?

The objective of the Payment Card Industry Data Security Standard (PCI DSS) is to provide a consistent baseline of security controls across all entities that store, process or transmit cardholder data. The standard applies to any organization which interacts with or could impact the security of cardholder data.

In this insights paper, we will focus on PCI DSS compliance from the perspective of contact centres, as these will often be at the heart of an organization's customer interaction and payment handling. In our experience, where cardholder data is typically processed in these environments, it can add significant levels of complexity and effort for the organization trying to achieve PCI DSS compliance. This complexity, combined with the current working from home scenario, means that the situation is even further complicated, and the question has to be asked: will call centres ever look the same again?

This paper will consider two scenarios:
1. The internal contact centre scenario
2. The agent working from home scenario

For each scenario the following will be considered: the scenario itself, its challenges, implications and solutions.

Reach out to our PCI DSS expert

John Hetherton, Global Practice Lead, PCI DSS

John is an experienced information security, risk and compliance advisor with more than 10 years' experience in information security. John has been a PCI Certified QSA since 2013 and has conducted many Level 1 PCI DSS audits, as well as assisted numerous organizations to de-risk their cardholder data environments, in both proactive and post-breach scenarios.

Get in touch
Learn more about our PCI DSS consultancy services

Complexity

Handling cardholder data (CHD) over a telephony network has three main challenges from an information security and compliance perspective:
1. Risk of internal fraud from employees handling card data
2. Risk of exponential PCI DSS scope creep where cardholder data is transmitted over the telephony network
3. Managing legacy call recordings which may include sensitive data stored in clear text

In 2020 and into 2021 the COVID-19 pandemic has caused significant challenges in this space, but also presents an opportunity for contact centres. We will delve into the specific challenges and opportunities later in this document, but let us take a moment to acknowledge what the PCI council has to say on the topic of scoping:

"Accepting spoken or unmasked account data over the telephone puts personnel, the technology used, and the infrastructure to which that technology is connected, in scope for PCI DSS." – Payment Card Industry Security Standards Council (PCI SSC)

Our approach

BSI work with and validate compliance for many Business Process Outsourcers (BPOs) across the globe, as well as large organizations who utilise internal contact centres for payment processing. These often facilitate bookings, purchasing a service or product, handling chargebacks, or first line support which may involve real time payment handling.

Our consultants have an acute understanding of the complexities of certifying contact centres to a Level 1 PCI DSS compliant standard and, importantly, how compliance can be achieved in a manner which facilitates frictionless payment processing with high levels of security and compliance.

Throughout this paper, you will see insights into different processing scenarios and understand a QSA's perspective on how best to meet compliance obligations. Controls are suggested for consideration where users are working on shared home networks. These are the types of controls that should be considered in a compensating control scenario and will facilitate beneficial dialogue with your QSA and acquiring bank, should they query the controls surrounding the people, processes and technologies currently used to process cardholder data.

There are several use cases where PCI comes into scope for a contact centre environment. In this article we will discuss the typical challenges, thought processes and solutions a business will consider when PCI DSS enters the conversation.

Contact centre security: A guide to PCI DSS compliance in call and contact centres
Call: 1 800 862 4977 (US) / 44 345 222 1711 (UK) / 353 1 210 1711 (EMEA)
Email: cyber@bsigroup.com

Scenario 1: Internal contact centre

The following use case and diagram depict a typical call centre scenario that could be applied to paying a bill or purchasing goods or services.

Use case description

Step 1: The customer is connected to the agent and call recording has started; as part of the dialogue, when asked, they provide their account data to the agent.
Step 2: The spoken account data enters the telephone environment via the telephone switch.
Step 3: The account data is transmitted by the entity's voice and network to the agent.
Step 4: The agent inputs the account data into their desktop PC via the keyboard.
Step 5: Customer data is entered into the customer relationship management system (CRM) where it is processed (assume no CHD stored).
Step 5a: The account data is transmitted to the Payment Service Provider (PSP) or acquirer. For example, this may occur via data input into an application on the agent's desktop, via a virtual terminal hosted by the PSP or acquirer and accessed over a secure internet connection from the agent's desktop, or via a physical point of interaction (POI) payment terminal.
Step 5b: The PSP processes and potentially stores Card Holder Data (CHD) and returns a payment validation reference to the agent desktop or payment terminal.
Step 6: The interaction is recorded on the reporting server.
Step 7: The call-recording equipment attached to the network captures the account data, and the account data is stored in call recording storage. Call recording ceases. It is indexed and stored. At this point, call data can be queried.

Diagram (Scenario 1): Internet; Consumer/Cardholder; Telephone Switch; Telephone & Agent Desktop (two agents); Call Recorder & Reporting Server; Customer Database; Storage; Finance/HR; Other. Legend: Out of PCI DSS Scope / In PCI DSS Scope / Service Provider / Entity. Source: PCI Security Standards – Protecting Telephone Based Payment Card Data.

Challenges

Based on the way this network is set up, the PCI DSS scope is extensive, and when the organization operates a flat network structure, it would include all people, processes and technology on that connected flat network.

Implications

Having the entire network in scope for PCI DSS compliance can introduce a significant overhead in terms of people, time, and financial resources required to implement and maintain compliance on an ongoing basis. Depending on volume of transactions, either Self-Assessment Questionnaire D (SAQ D) or a Report on Compliance (ROC) would be applicable to the entire environment.

Compliance drivers: data breach; acquirer mandated compliance; client driven requirement; internally driven project.

Solutions

Where the organization must continue to offer a telephony-based payment channel, the following options to reduce scope exist.

Scope reduction options (with typical attestation):

1.a Leverage a cloud-based PCI DSS compliant Dual Tone Multi Frequency (DTMF) masking solution to proxy and remove card data from the call centre environment. Legacy call recordings will need to be deleted from the environment or masked / redacted. Typical attestation: SAQ A.

1.b Where DTMF is not an option (often with BPOs), consideration should be given to reducing the number of systems in scope by segmenting systems connected to those which directly store, process or transmit cardholder data. Systems will still be in scope for SAQ D, but applicable to a smaller footprint, reducing the overall compliance effort. An internally managed, dedicated and segmented internal IVR solution may also provide an option for a reduced scope. Legacy call recordings will need to be deleted from the environment or masked / redacted. Typical attestation: SAQ D.

1.c Use a system which allows call centre agents to generate one-time payment links to be sent to a customer's smart phone. This is typically suitable for small business, low volume transactions. Legacy call recordings will need to be deleted from the environment or masked / redacted. Typical attestation: SAQ A.
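To make the scope-creep point concrete, here is an added illustration that is not from the paper or from BSI. It models the rule the paper summarises (hosts that store, process or transmit CHD form the CDE, and any host able to connect to them is also in scope) over the kinds of systems shown in the Scenario 1 diagram, and compares the flat network, a segmented network (option 1.b) and a DTMF-masked environment (option 1.a). Host names, segment names and the firewall allow-list are constructed assumptions.

```python
"""Added illustration: how PCI DSS scope spreads across a contact-centre network.

Rule modelled (as the paper summarises it): hosts that store, process or transmit
cardholder data (CHD) form the cardholder data environment (CDE), and any host
that can connect to a CDE host is also in scope. Hosts, segment names and the
firewall allow-list are constructed for this example, not taken from any real site.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    segment: str
    handles_chd: bool = False  # True if it stores, processes or transmits CHD


class Network:
    """Hosts plus the segment-to-segment flows a firewall permits.

    flat=True models the paper's "flat network structure": every host can reach
    every other host, so segment labels and the allow-list are ignored.
    """

    def __init__(self, hosts, allowed_flows=(), flat=False):
        self.hosts = list(hosts)
        self.allowed = set(allowed_flows)  # (source segment, destination segment)
        self.flat = flat

    def can_reach(self, src, dst):
        if self.flat or src.segment == dst.segment:
            return True
        return (src.segment, dst.segment) in self.allowed

    def scope(self):
        """Return sorted host names grouped as CDE, connected-to-CDE, out of scope."""
        cde = {h for h in self.hosts if h.handles_chd}
        connected = {
            h for h in self.hosts
            if h not in cde and any(self.can_reach(h, c) or self.can_reach(c, h) for c in cde)
        }
        out = set(self.hosts) - cde - connected

        def names(group):
            return sorted(h.name for h in group)

        return {"cde": names(cde), "connected": names(connected), "out_of_scope": names(out)}


# Constructed hosts mirroring the kinds of systems in the Scenario 1 diagram.
SWITCH = Host("telephone-switch", "voice", handles_chd=True)   # carries spoken CHD
RECORDER = Host("call-recorder", "voice", handles_chd=True)    # stores recordings
AGENT1 = Host("agent-desktop-1", "agents", handles_chd=True)   # agent keys CHD in
AGENT2 = Host("agent-desktop-2", "agents", handles_chd=True)
CRM = Host("customer-db", "crm")                               # customer data, no CHD stored
FINANCE = Host("finance", "corp")
HR = Host("hr", "corp")
OTHER = Host("other", "corp")
ALL_HOSTS = [SWITCH, RECORDER, AGENT1, AGENT2, CRM, FINANCE, HR, OTHER]

# Segmented design (assumed): agents may reach the voice platform and the CRM; nothing else is permitted.
SEGMENTED_FLOWS = {("agents", "voice"), ("agents", "crm")}


def flat_network():
    return Network(ALL_HOSTS, flat=True)


def segmented_network():
    return Network(ALL_HOSTS, allowed_flows=SEGMENTED_FLOWS)


def dtmf_masked_network():
    """Option 1.a: a cloud DTMF-masking service captures the digits, so CHD never
    enters any internal host (assuming legacy recordings were already purged)."""
    masked = [Host(h.name, h.segment, handles_chd=False) for h in ALL_HOSTS]
    return Network(masked, allowed_flows=SEGMENTED_FLOWS)


if __name__ == "__main__":
    for label, net in [("flat", flat_network()),
                       ("segmented", segmented_network()),
                       ("dtmf-masked", dtmf_masked_network())]:
        groups = net.scope()
        in_scope = len(groups["cde"]) + len(groups["connected"])
        print(f"{label:12s} in scope: {in_scope}/{len(net.hosts)}  {groups}")
```

On the flat network all eight hosts land in scope, including finance and HR that never touch a card; the segmented allow-list leaves only the CDE plus the CRM it is permitted to reach, and the DTMF-masked case has no CDE host at all, which is why the paper pairs it with SAQ A.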

Scenario 2: Agents working from home and processing cardholder data

A call centre agent working from home, using a corporate managed end point and softphone, over VPN, to process cardholder data.

Use case description

Step 1: The customer is connected to the agent and call recording has started; as part of the dialogue, when asked, they provide their account data to the agent.
Step 2: The spoken account data enters the telephone environment via the telephone switch.
Step 3: The account data is transmitted by the entity's voice and network to the agent via a softphone application on the corporate managed end point. The agent's end point is connected to their local WiFi router and network.
Step 4: The agent inputs the account data into their end point via the keyboard, which is transmitted over the VPN to the corporate network.
Step 5: Customer data is entered into the customer relationship management system (CRM) where it is processed, not stored.
Step 5a: The account data is transmitted to the Payment Service Provider (PSP) or acquirer. For example, this may occur via data input into an application on the agent's desktop, or via a virtual terminal hosted by the PSP or acquirer over a secure internet connection from the agent's desktop.
Step 5b: The PSP processes and potentially stores Card Holder Data (CHD) and returns a payment validation reference to the agent desktop or payment terminal.
Step 6: The interaction is recorded on the reporting server.
Step 7: The call-recording equipment attached to the network captures the account data, and the account data is stored in call recording storage. Call recording ceases. It is indexed and stored. At this point, call data can be queried.

Diagram (Scenario 2): Service Provider; Carrier Network; Telephone Switch; Home Network; VPN; Remote Agent / Home Worker; Call Recorder & Reporting Server; Customer Database; Storage; Finance/HR; Other. Legend: Out of PCI DSS Scope / In PCI DSS Scope / Service Provider / Entity. Source: PCI Security Standards – Protecting Telephone Based Payment Card Data.

Challenges

We have a further complicated scenario when staff are working from home and connecting through their local network, as the end point is part of the CDE (directly processing account data); thus systems connected to the end point are also in scope. That means the user's home network and devices on the same LAN are in scope.

Implications

It becomes very difficult (almost impossible) to accurately scope the environment, and further to make non-corporate managed devices PCI DSS compliant.

Compliance drivers: acquirer mandated compliance; client driven requirement; internally driven project; data breach.

Solutions

Where the organization must continue to offer a telephony-based payment channel, the following options to reduce scope exist.

Scope reduction options (with typical attestation):

1.a Leverage a cloud-based PCI DSS compliant DTMF masking solution to proxy and remove card data from the call centre environment. This can descope the environment, but legacy call recordings which include clear text account data will need to be removed if they exist. Typical attestation: SAQ A.

1.b Where DTMF is not an option (often with BPOs), consideration should be given to reducing the number of systems in scope by segmenting systems connected to those which directly store, process or transmit cardholder data. Typical attestation: SAQ D.

The path of least resistance in this scenario is to provide the user with a dedicated service / device to access the internet, removing their home network from scope.

The following should be considered in addition to the previously mentioned items in Scenario 1. As well as all the existing PCI DSS requirements applicable, this would include:

- Providing agents with a pre-configured, secure and compliant router/firewall, or a dedicated SIM-enabled internet connection, managed by the entity, which will only allow connectivity via the corporate managed VPN, thus removing their local network from scope.
- Implementing a policy and awareness plan to strongly underscore the organization's "Acceptable card data handling" requirements, which will cover many areas including prohibiting writing down, recording or other storage of account data, working in a secure area, and secure storage of organizational equipment.
- Conducting an internal risk assessment to cover threats, vulnerabilities, likelihood and impacts associated with an increased level of exposure to card data theft / fraud due to staff now working from home. Some additional risk mitigations that should be considered in the assessment are included in the Controls section overleaf.

"Once the risk is appropriately managed and compliance can be demonstrated to PCI DSS, there is no reason that contact centre staff working from home should introduce a barrier to compliance going forward, giving greater flexibility to the organization in the deployment of resources." – John Hetherton, Global Practice Lead - PCI DSS, BSI
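Both scenarios note that legacy call recordings holding clear-text account data must be deleted or masked / redacted, which first requires finding them. As an added example (not the paper's or BSI's code), the following script triages call transcripts: it finds digit runs that pass the Luhn check, which separates a card number from a similar-looking order reference, and masks each hit to its first six and last four digits. It assumes the recordings are available as text (speech-to-text output or agent notes); the file names and transcript lines are constructed test data, and 4111 1111 1111 1111 is the widely published Visa test number, not a real card.

```python
"""Added example: triage call transcripts for clear-text card numbers.

The paper's scope-reduction options all require legacy recordings that contain
account data to be deleted or masked/redacted. This script works on text
(speech-to-text output or typed notes, an assumption), finds digit runs that
pass the Luhn check, and masks them. All file names and transcript lines are
constructed; 4111 1111 1111 1111 is the widely published Visa test number.
"""
import re

# Constructed transcripts: one with a PAN, one with a Luhn-invalid order reference, one clean.
SAMPLE_TRANSCRIPTS = {
    "rec-0001.txt": "Agent: can I take the long number? Customer: sure, it's 4111 1111 1111 1111, expiry 12/26.",
    "rec-0002.txt": "Customer: my order reference is 1234 5678 9012 3456, when will it ship?",
    "rec-0003.txt": "Agent: thanks, the payment link has been sent to your phone.",
}

# 13 to 19 digits, optionally separated by single spaces or hyphens, on word boundaries.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, check mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str):
    """Return (start, end, digits) for each candidate that passes Luhn.

    A candidate that fails Luhn is skipped as a whole, so a PAN glued to other
    digits (e.g. run together with an order number) would be missed by this scan.
    """
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append((m.start(), m.end(), digits))
    return hits


def redact(text: str) -> str:
    """Replace each PAN with its first six and last four digits (the display
    limit in PCI DSS v3.2.1 Requirement 3.3) and X for the middle digits."""
    out, last = [], 0
    for start, end, digits in find_pans(text):
        out.append(text[last:start])
        out.append(digits[:6] + "X" * (len(digits) - 10) + digits[-4:])
        last = end
    out.append(text[last:])
    return "".join(out)


def triage(transcripts: dict) -> dict:
    """Label each transcript REDACT (contains a Luhn-valid PAN) or CLEAN."""
    return {name: ("REDACT" if find_pans(text) else "CLEAN") for name, text in transcripts.items()}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_TRANSCRIPTS).items():
        print(name, verdict)
        if verdict == "REDACT":
            print("  ->", redact(SAMPLE_TRANSCRIPTS[name]))
```

Run against a real transcript archive, the REDACT list is the set of recordings that must be purged or overwritten with the masked text before the environment can be treated as descoped; the Luhn filter keeps the review list short by discarding order and reference numbers that merely look like card numbers.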

Controls

In addition to the standard PCI controls:

People
- Awareness (phishing & operating remotely)
- Limit number of people taking payments
- Background checks

Policy, Procedure, Process
- Card handling Acceptable Use Policy and Awareness Campaign
- Working From Home Risk Assessment
- Remote Network Configuration Standards
- Within the limits of local legislation, include contractual provision to conduct remote site inspection

Technical
- Corporate issued head-sets
- MFA to local device
- Device encryption
- Dedicated router / switch managed by the organization, provided to gain access to the network
- Local Firewall
- Data Loss Prevention control
- Reduced, time-bound End to End VPN / SSL Tunnel

How can BSI help?

BSI is a certified Qualified Security Assessor (QSA). In addition to providing senior resources to validate and attest compliance to PCI DSS, BSI can provide support in the development of appropriate risk assessments, mitigations, secure solution designs and awareness content to ensure that the end-to-end approach is defensible and robust in maintaining PCI DSS compliance in a work from home scenario.

Our PCI DSS consultancy services:
- Solution Design Workshop
- PCI DSS scope determination and scope reduction services
- PCI DSS gap analysis and prioritized action planning
- PCI DSS Implementation Support and PCI Self Assessment Questionnaire (SAQ)
- PCI DSS Report on Compliance (ROC) audit
- P2PE implementation assessments
- Penetration testing and vulnerability scanning services
- ASV Scanning

About PCI

Organizations that store, process or transmit payment card information are mandated by VISA, MasterCard and the other major participating card brands to meet the security requirements included in the Payment Card Industry Data Security Standard (PCI DSS). Compliance requirements are typically driven from acquiring banks for Merchants, and by Clients for Service Providers. The level at which, and the types of attestation with which, merchants and service providers must attest are driven by the number of card numbers they see per annum and the way they process the data.

With our team of security experts and certified PCI QSAs, BSI helps ensure that PCI compliance requirements are implemented into your organization effectively. We provide consultancy services from the very early stage of the compliance roadmap (for instance defining the scope of the requirements) to validating them with a formal PCI Assessment, penetration testing and issuing the Attestation of Compliance.

Your PCI journey with BSI: PCI Workshop; Scope and Solution Design; Gap Analysis; Implications; Pre Audit Check / Health check; Verification Audit / SAQ.

Get in touch
Speak to us about how we can help you support your PCI DSS requirements.
Contact us directly
Learn more about our PCI DSS consultancy services

Disclaimer
BSI is an accredited Certification Body for Management System Certification and Product certification. No BSI Group company may provide management system consultancy or product consultancy that could be in breach of accreditation requirements. Clients who have received any form of management system consultancy or product consultancy from any BSI Group company are unable to have BSI certification services within a 2 year period following completion of consultancy.

Protect your information, people and reputation with BSI

Expertise lies at the heart of what we do. As trusted advisors of best practice, we empower you to keep your business safe through a diverse portfolio of information security solutions. Whether it's certification, product testing, consultancy services or training and qualifying your people, we'll help you achieve your security goals.

Our Cybersecurity and Information Resilience Services include:
- Phishing simulations
- End user awareness
- Onsite and bespoke courses
- Online interactive solutions
- Certified information security courses
- PCI DSS, NIST framework
- ISO/IEC 27001, SOC 2
- Data protection (GDPR)
- Data protection assessment
- GDPR verification
- Data subject requests (DSARs) support
- DPO as a service
- Digital forensics
- eDiscovery/eDisclosure
- Legal tech
- Virtual CISO
- Third party security/risk assessment
- Penetration testing/Red teaming
- Social engineering
- Incident management
- Vulnerability management
- Cloud security solutions
- Internet of Things (IoT)
- Accredited Cyber Lab (CAS, CPA, CTAS)

Find out more
EMEA: Call 353 1 210 1711 / Email cyber.ie@bsigroup.com / Visit bsigroup.com/cyber-ie
UK: Call 44 345 222 1711 / Email cyber@bsigroup.com / Visit bsigroup.com/cyber-uk
US: Call 1 800 862 4977

