PCI & the Contact Centre The Acquirer Perspective

Transcription

1 PCI & the Contact Centre The Acquirer Perspective 17 September2014 Michael Christodoulides

2 Personal Introduction Telephony Contact Centres are integral to the security of the payment card industry ecosystem. Your speaker today, Michael Christodoulides: Is a member of Barclaycards award winning Payment Security Team A PCI SSC certified Internal Security Assessor Team and Payment Card Industry Professional Specialises in the areas of governance, risk management and compliance Page 2

3 Agenda SAD? PAN? or both? Account Data Toxicity PCI DSS V3.0: Impact to 3rd Parties and Merchants A way forward - choices Further information Questions and Answers Page 3

4 SAD? PAN? Or both? SAD - Not permitted to store sensitive authentication data after authorisation PAN - Must protect primary account numbers The PCI SSC write The primary account number is the defining factor for cardholder data. If cardholder name, service code, and/or expiration date are stored, processed or transmitted with the PAN, or are otherwise present in the cardholder data environment, they must be protected in accordance with applicable PCI DSS requirements. Page 4

5 Account Data a Reminder Cardholder Data includes: Primary Account Number (PAN) Cardholder Name Expiration Date Service Code Account Data Sensitive Authentication Data includes: Full track data (magnetic-stripe data or equivalent on a chip) CAV2/CVC2/CVV2/CID PINs/PIN blocks Source PCI DSS V3.0 Page 5

6 Toxicity PANs are Toxic because: They have criminal value and in the wrong hands undermine consumer trust in the security of brands at which the consumer shops. SAD are Toxic because: They have a criminal value and in the wrong hands undermine consumer trust in the security of brands at which the consumer shops and also impacts upon the integrity of the payment system. Contact Centres will want to reduce their payment security risk. Page 6

7 A way forward Investigate and Plan Determine your appetite to risk, governance and payment card security Identify your flows of cardholder data and sensitive account data Determine the controls in place to protect cardholder data where stored Determine the controls in place to securely delete sensitive authentication data after authorisation If all is not well: Plan your remediation Page 7

8 A way forward - Choices Take PANs and SAD out of your systems and negate the need to store PANs Or Apply the full range of controls described in the PCI DSS to correctly protect cardholder data and securely remove sensitive authentication data I know which option I would prefer to take but I m not your business case! Page 8

9 Due diligence when selecting a 3rd Party Contact Centre So, from a PCI DSS perspective, how do you select a Service Provider/Third Party Contact Centre? First port of call should be the lists run by the Schemes e.g. the Visa Merchant Agent list or the MasterCard Service Provider list. and But if your preferred supplier is not on these lists then what do you do? Obtain their Report on Compliance and undertake your due diligence to ensure the services you will be commissioning are in the scope of their assessment. No RoC? Then obtain their SAQ and verify, best to ensure the SAQ is verified by a QSA! No SAQ? Then undertake your own due diligence to ensure they can manage your payment cardholder data securely. Encourage (i.e. instruct) your preferred service provider to join the Scheme lists, where it is appropriate to do so. Page 9

10 What to ask your call centre provider How does the call centre system help you comply with the PCI DSS guidelines and how does it automatically remove sensitive credit card information from recorded calls? How will the call centre system comply with any future changes in legal regulations or codes of practice? If your call centre system is not compliant with the standard, what liability is your supplier prepared to take in the event of a data compromise due to vulnerabilities on their system? Page 10

11 Who is responsible for what it depends, its your business The Merchant is always responsible for securely managing the payment card data that is entrusted to them by their customers. The Merchant might decide to delegate operations to 3 rd parties and if these operational functions involve storing, processing or transmitting cardholder data or have an impact on the security of cardholder data then the Merchant should also ensure that payment card security continues to be managed correctly. In the event of a data security breaches it is always the Merchant who has the responsibility to close the breach, ensure remediation takes place and pay any fines imposed due to incurring the data security breach. The costs of selecting the wrong third party quickly mount when things go wrong. Page 11

12 PCI DSS V3.0: Impact to 3rd Parties and Merchants PCI DSS V3.0 recognises that the PCI DSS payment card security relationships between the Merchant and the Third Party have not always been as transparent they need to be. To many assumptions on either side about who has/is responsible. Therefore in PCI DSS V3.0: Evolving Requirement: Maintain information about which PCI DSS requirements are managed by service providers and which are managed by the entity Evolving Requirement: Service providers to acknowledge responsibility for maintaining applicable PCI DSS requirements. Effective 1 July 2015 Page 12

13 Contracts A few considerations about contracts, I m not a lawyer but : Ensure your contracts specify PCI DSS responsibilities, not just at a high level but by actual requirement and sub clause. These might be in an accompanying schedule but they should form part the contract. Be specific about what happens in the event of a data security breach, who has responsibility and who pays the bills! (e.g. forensics, stop loss, remediation)! Include the requirement for an Incident response plan. Include a right of audit/inspection. Include requirement for a RoC or QSA attested SAQ for your scope of work. Include requirement to be complaint with Scheme security bulletins. Make the contract future proof for example do not get trapped to any one version of the PCI DSS or associated standards and pronouncements issued by the PCI SSC or other industry bodies. Page 13

14 Time to breath time to plan Page 14

15 Account Data Compromise responsibilities When things go wrong its always the Merchant who foots the bill! ADC costs include: Forensic Investigation/s Initial remediation to stop the leak Full remediation to become compliant Diversion of operational resources from intended business initiatives to zero income payment card security activities Managing customer expectations Managing the Media Rebuilding confidence in the brand Allocating additional budget to payment card security on an on-going basis For a copy of our Data Compromise Leaflet, please contact a member of our team at PCI.Taskforce@barclaycard.co.uk or go to Page 15

16 Timescales Well the reality is that you should be using PCI DSS compliant Contact Centres now! But many organisations have existing contracts that needed to be reviewed and possibly re negotiated so how long will this take? It s going to take time and the driver will be PCI DSS V3.0. Therefore: Identify all your existing Service Provider contracts and review for payment security implications. Put written agreements in place where none previously exist Ensure you are using a compliant Service Provider, ask for their RoC and AOC and make the scope covers your business SP s list with Visa Europe as a Merchant Agent SP contact your Bank and obtain sponsorship to list on the MasterCard SP list Use the first half of 2014 to identify and review the services provided by all your providers. Use the second half of 2014 to review and, where necessary, renegotiate 3 rd Party contracts. By June 2015 you must have written agreements that evidence the third party responsibilities.. Page 16

17 Conclusions and Impact on existing compliance programmes First make sure you are ready for PCI DSS V3.0 and in particular: Review your cardholder data flows to ensure they accurately include third parties and/or companies that can potential impact payment card security. Review your list of third parties and ensure contracts are appropriate for the services they provide, provide security to cardholder data and assist the merchant in the event of a security breach. If you are currently assessing with PCI DSS V2.0 then take the opportunity to run a gap analysis against v3.0 Include Scheme listing as part of your compliance programme e.g. ensuring your third party is listed on the Visa Europe Merchant Agent List and the MasterCard Service Provider list. Life is not a perfect world if there are problems that we can help with then do speak to us, here at Barclaycard Payment Security Team, we can and want to help: PCI.Taskforce@Barlycard.co.uk Page 17

18 Further information Safe and Sound Processing Telephone Payments Securely A white paper from Barclaycard and Visa Europe leading the way in secure payments May 2014 Barclaycard PCI DSS on the web: -payments/payment-security/pci-dss Page 18

19 Any Questions? Find us on Barclaycard Business Solutions Payment Security Page 19

20 Awards and credentials Elected Board member of the Payment Card Industry Security Standards Council (PCI SSC) Winner of FSTech Awards Compliance Project of the Year 2013 Winner of FSTech Awards Anti-Fraud/Security Strategy of the Year 2013 Winner of Data Security Award, MPE Awards 2012 Winner of Merchant Award, MPE Awards 2012 Winner of Information Security Team of the Year, SC Magazine Europe Awards 2012 Winner of Information Security Team of the Year, SC Magazine Europe Awards 2011 Winner of the Data Security Award, European Card Acquiring Forum (ECAF) Awards 2010 Page 20