THE ROLE OF THE CONTACT CENTER IN PCI COMPLIANCE

Transcription

1 THE ROLE OF THE CONTACT CENTER IN PCI COMPLIANCE ENSURING SAFE COMMERCE

2 TABLE OF CONTENTS THE IMPORTANCE OF PCI COMPLIANCE... UNDERSTANDING THE KEY REQUIREMENT... PRIVACY CONTROL: DESIGNS FOR COMPLIANCE... BEYOND THE CALL RECORDING... PROTECT YOUR INVESTMENTS WITH PRIVACY CONTROL

3 THE ROLE OF THE CONTACT CENTER IN PCI COMPLIANCE The contact center is a rich source of valuable data and insight, documenting the voice of the customer through transaction histories, comments, compliments and complaints. Unfortunately, that same data represents an irresistible prize for criminals, who have worked all manner of brute force, social engineering and Internet attacks in an attempt to exploit vulnerabilities and appropriate sensitive financial information. Recent developments in financial data security standards handed down and ultimately enforced by credit card network processors have turned a keen eye on the contact center. Call and transaction recording systems dutifully storing the verbatim details of payment card transactions represent a potentially rich vein of illicit account information for thieves, and the payment card industry has responded in clear terms. Storing payment card data, even in encrypted form, is expressly forbidden by the Payment Card Industry Data Security Standard (PCI DSS). The rules set forth by the world s top five payment brands are simple, yet far reaching. Virtually every merchant must be able to show, through audit or self-certification, that they comply with fundamental requirements when processing and /or storing sensitive credit card information. That includes card account numbers, expiration dates and security codes. Databases, transaction histories, logs and trace files are all covered by this requirement, and that includes audio recordings and agent screen playbacks. Considering the highprofile thefts of literally millions of payment card profiles at a time in recent years, the concern is well founded. Yet despite their laudable intentions, the payment card industry rules place contact center leaders in an awkward position. Contact centers have embraced comprehensive interaction recording as front-line protection against liability, loss and regulatory action. Clearly, the recording of transactions must continue. Yet the payment card industry states that some of the most vital payload of a transaction the payment card validation code information must not be recorded. Navigating this delicate tightrope is possible, with the support of an interaction recording partner which understands both the needs of the contact center and the demands of the financial sector. Successfully mastering PCI DSS requirements will both preserve transaction vendor peace, and lower overall enterprise risk and exposure to fraud and data theft. 3

4 THE IMPORTANCE OF PCI COMPLIANCE Understanding the reach and scope of these regulations, and ultimately how to successfully achieve transparent compliance, requires understanding the body that created them. The PCI Security Standards Council is led by the companies backing the biggest credit card payment brands in the world: American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. Through the PCI Council, these financial giants describe and disseminate the rules, regulations and standards they believe are necessary to safeguard sensitive card and cardholder data while still enabling merchants and service providers to transparently transact with customers. Although the PCI Council itself does not enforce compliance with its rules, its member organizations expect and require that PCI standards be followed. The card networks are not pulling punches. One even actively solicits businesses to inform on their noncompliant vendors and trading partners. In short, if your company is not in compliance with PCI-issued rules, you risk being cut off from the world s most popular consumer and small business payment brands. That is an intolerable risk in any industry, in any economy. UNDERSTANDING THE KEY REQUIREMENT PCI Data Security Standard (DSS) Requirement 3.2 states, Do not store sensitive authentication data after authorization (even if encrypted). Although many of the practices, guidelines and mandates of the PCI Council promote security and trustworthiness in the contact center, the most crucial and complex is the PCI Data Security Standard (DSS) Requirement 3.2. It states, simply, Do not store sensitive authentication data after authorization (even if encrypted). The rule goes on to explain the specifics, but the theme is the same:payment card issuers do not want their card account data stored by merchants. Not even with commercial-grade encryption. The PCI Council has gone on the record clarifying that it considers interaction capturing solutions to be a storage medium covered by this requirement. Because interaction capture solutions are designed to be thorough, a sophisticated approach is needed to maintain reliable records of customer interactions without running afoul of the payment processors that power so many billions of dollars in commerce. Early attempts at designing compliance have fallen short of meeting PCI DSS specifications because they do not address the core problem. Some contact centers have chosen to use secondary IVR-based solutions which collect credit card information before passing the customer back to a live agent. That approach is extremely inconvenient for both the contact center and customer since it simply pushes the interaction recording problem off to another system. And let s not forget that transaction data logs as well as live interactions are covered by the PCI DSS requirement. Other limited workarounds include masking the offending data upon playback. Although laudable as a way to keep employees or unauthorized users from being able to glean payment card data from recorded interactions, the masking approach still falls short of PCI DSS requirements. The data is still present in the recording, and that is not permitted. A more sophisticated approach is required, one which can completely eliminate the need for agent compliance or goodwill, and integrates with existing contact center practices. 4

5 PRIVACY CONTROL: DESIGNS FOR COMPLIANCE Designing a truly PCI DSS compliant solution while preserving the value of interaction recording requires deep insight and careful design. A compliance-minded partner will be able to deliver not only a reliable and sophisticated recording platform, but also bring to bear the insights and training of engineers and implementers with a deep understanding of PCI DSS best practices. Only that combination can produce true Privacy Control, embedded into a powerful interaction recording solution, that protects corporate alliances as well as contact center effectiveness. At the heart of the Privacy Control approach is the capability to selectively suspend and resume recording during sensitive data exchanges. With these pause controls, only data compliant with PCI DSS standards will ever reach the recording vaults. Through on-screen prompts and controls, agents can be cued to manually pause recording as they enter the transaction processing stage, then resume when the data is committed. Because agent training and compliance can threaten the success of a Privacy Control approach, an automated approach to pauseand-resume is preferred. Advanced Privacy Control capabilities can be integrated with existing contact recording solutions and hook into a wide variety of common CRM and transactional applications. The automation is triggered by agent screen activity. When the agent selects fields related to sensitive data banned from storage by PCI DSS, Privacy Controls automatically engage and pause recording. After the agent leaves the sensitive field (such as a credit card number or CVV code), recording immediately resumes. Automation preserves the bulk of the interaction but omits payment card information, making it safe to store and retrieve indefinitely, subject to existing access rules. It also eliminates risks and potential abuse associated with giving contact center agents discretionary, manual control over their own recording, and is the surest way to bring a recording system in line with PCI DSS Requirement 3.2. BEYOND THE CALL RECORDING Protecting customer data requires more than simply omitting sensitive data from a permanent record. A qualified contact center compliance partner will provide all the tools and insights to guide a complete evaluation of the infrastructure involved in the transaction process. Security audits of both the network and individual payment processing applications are just as important as the safety of the interaction recording system. Agent desktops are a frequent source of potential leaks and exploits. From on-disk caches to legacy or homegrown applications which have fallen behind the data security curve, the agent environment must be rigorously evaluated and tested to ensure and maintain compliance. At the heart of the Privacy Control approach is the capability to selectively suspend and resume recording during sensitive data exchanges. 5

6 PROTECT YOUR INVESTMENTS WITH PRIVACY CONTROL Without the mutual trust of both customers and payment card networks, merchants can find themselves stranded. Earning and maintaining that trust in the contact center starts with a careful PCI DSS compliance strategy, and an interaction recording solution that is designed with those requirements and responsibilities clearly in mind. Strong partners are ready to deliver solutions that preserve visibility into all contact center interactions, while closing security holes and preserving good relations with the payment card industry. Few interaction recording vendors today can deliver a solution that can be adapted to the latest PCI DSS standards without a rip-andreplace project. Fewer still offer the flexible APIs necessary to integrate with heterogeneous CRM and transaction application to ensure seamless, automated Privacy Control. Fortunately, those capable partners are out there, and ready to deliver solutions that preserve visibility into all contact center interactions while closing security holes and preserving good relations with the payment card industry. CONTACTS Global International HQ, Israel, T , F Americas, North America, T , F EMEA, Europe & Middle East, T , F Asia Pacific, Singapore Office T , F The full list of NICE marks are the trademarks or registered trademarks of Nice Systems Ltd. For the full list of NICE trademarks, visit All other marks used are the property of their respective proprietors. DATE 12/2014 WP CONTENTS OF THIS DOCUMENT ARE COPYRIGHT ABOUT NICE SYSTEMS INC. NICE Systems (NASDAQ: NICE), is the worldwide leader of intent-based solutions that capture and analyze interactions and transactions, realize intent, and extract and leverage insights to deliver impact in real time. Driven by cross-channel and multi-sensor analytics, NICE solutions enable organizations to improve business performance, increase operational efficiency, prevent financial crime, ensure compliance, and enhance safety and security. NICE serves over 25,000 organizations in the enterprise and security sectors, representing a variety of sizes and industries in more than 150 countries, and including over 80 of the Fortune 100 companies.