PCI Security Compliance in KANA Solutions How KANA Applications Helps Companies Comply with PCI Security Standards

Transcription

1 PCI Security Compliance in KANA Solutions How KANA Applications Helps Companies Comply with PCI Security Standards

2 Table of Contents PCI Security Compliance in KANA Solutions...1 The Importance of Protecting Customer Data...3 A Summary of the PCI Security Standard...4 Security in KANA Response...5 Point of Entry Behind the Firewall...5 SSL Communication...6 Data Protection...6 Password Protection...7 Security in KANA Secure Messaging...7 Security in KANA Response Live...8 Data Protection...9 Data Encryption...9 Password Protection...9 Conclusion KANA Software, Inc. 840 W California Ave, Ste 100, Sunnyvale CA sales@kana.com PAGE 2

3 The Importance of Protecting Customer Data The news about data security breaches is not good. The fallout and costs from such events as the 2007 TJX Companies i data breach are being assessed in the millions of dollars. However, this most notorious breach is only the tip of the iceberg. The Privacy Rights Clearinghouse counts the approximate number of records that have been compromised due to security breaches at nearly 250,000,000 since Businesses and organizations in every industry from retailers to banks, brokerages, medical groups, pharmaceutical manufacturers, schools, media companies, and government agencies all have been victims of hackers and data thieves. U.S. financial institutions that issue credit cards incurred a record $1.24 billion of losses from fraud in 2006, up 9.3% from In Data Leaks, Culprits are Often Mom and Pop Wall Street Journal, Sept. 22, 2007 As consumers continue to increase their use of the Internet for many types of transactions, the level of compromised customer data and identity theft continues to grow exponentially. The Internet Crime Complaint Center (IC3) received more than 200,000 complaints of crimes perpetrated over the Web during This amounts to almost $240 million in reported losses a $40 million increase from complaints referred to law enforcement in ii According to the Nilson Report, an organization that follows the payment card industry, the cost to card issuers to cover fraud committed by cybercriminals has more than tripled over the past decade to $5.6 billion worldwide in iii To respond to these growing threats, the major credit card companies, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa, founded the Payment Card Industry (PCI) Security Council ( One of the major functions of the Council has been to create and manage the PCI Data Security Standard (PCI DSS). The PCI standard is updated every two years by the Council, which maintains PCI and two other security standards. The organization has more than 520 members, including such major multi-channel retailers ranked in the top 500 Internet retailers as Staples, OfficeMax, QVC, Best Buy, Wal-Mart, J.C. Penney, Williams-Sonoma, and Barnes & Noble. iv Complying with the PCI DSS has become essential for many businesses because it provides a strong foundation on which to build data protection measures that help companies proactively protect sensitive customer data. Compliance is mandated by the payment card brands for all entities that transmit, process, or store payment card data. Companies 2011 KANA Software, Inc. 840 W California Ave, Ste 100, Sunnyvale CA sales@kana.com PAGE 3

4 "Being PCI compliant is a smart business decision, as far as securing Web property and Intellectual property With data being stored virtually, in accessible areas, PCI standards are set up to help businesses with better practices." Pcicomplianceguide.org will be penalized if they do not comply with the PCI DSS. For many companies, there is an urgent need to meet the standard as the deadlines for validating compliance with the PCI DSS have already passed. For customer support organizations, security breaches pose a real threat as companies expand the use of lower-cost online channels for customer interactions. Credit card numbers, personal identification numbers, account IDs, Social Security Numbers, and other forms of private data used to complete transactions and purchases are being shared in s, chat sessions, and on the Web. As a result, meeting the PCI standard is important for service organizations in order to protect customer data from malicious attack by outsiders or employees of the company. KANA has helped many businesses meet security requirements for online channels through its solutions for multi-channel customer service. In this paper, we will examine how capabilities built into KANA applications, including KANA Response, KANA Secure Messaging, and KANA Response Live, can help organizations comply with the PCI standards. A Summary of the PCI Security Standard The PCI DSS is a multi-faceted standard for companies that accept and store personal credit card information. Based on ISO 17799, the internationally recognized standard for information security practices, the PCI DSS includes requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures. To be PCI certified, a business must adhere to the published PCI data security standard specifications as follows: 2011 KANA Software, Inc. 840 W California Ave, Ste 100, Sunnyvale CA sales@kana.com PAGE 4

5 "The rule of thumb is this: If you house credit card information, in whatever form, if you house the information in your server then you are basically responsible for complying with PCI DSS." Kahlid Kark, Forrester Research Security in KANA Response continues to be one of the fastest growing online communication channels given its simplicity and convenience. However, it is also one of the most non-secure communication channels. Despite the fact that companies have encouraged customers not to use for communicating sensitive information, credit card numbers, account IDs, and other private data are still transmitted via . KANA has established a reputation for helping companies efficiently manage high volumes of with KANA Response. To help them protect sensitive data that may be contained in s, KANA has built multiple layers of communication and data security capabilities into KANA Response, all of which meet or exceed portions of the PCI DSS standard. Point of Entry Behind the Firewall The point of entry is via the company s POP3 or IMap server, which resides behind a firewall KANA Software, Inc. 840 W California Ave, Ste 100, Sunnyvale CA sales@kana.com PAGE 5

6 SSL Communication Secure Socket Layer (SSL) communication is supported between all nodes in the KANA Response network v including: Application server and client Application server and database server Application server and SMTP server Application server and KANA Classify server Application server and reports server From the forms handler to SMTP server Adapter framework KANA uses SSL communication between KANA Response and clients, the SMTP server, and the database. Data Protection KANA Response helps to protect customer data in several ways: All data within the KANA Response database can be encrypted using the KANA Response license key, including attachments. vi The administrator can choose to encrypt all KANA Response data in the database, or select specific fields, such as encrypting only account numbers, but not a customer s name and address. vii KANA Response uses the AES-128 encryption standard. Rather than choosing an algorithm from a particular vendor, each of which varies, KANA has chosen to use the AES-128 standard. The U.S. National Security Administration has announced that AES is secure enough to protect classified information up to the Top Secret level, which is the highest security level. Pattern matching and number stripping can be executed against the content. For example, 16-digit credit card numbers can be recognized and masked before they are stored in the KANA Response database. This ensures the credit card information is not stored and is not available to any KANA Response user, helping to prevent malicious use KANA Software, Inc. 840 W California Ave, Ste 100, Sunnyvale CA sales@kana.com PAGE 6

7 KANA Response supports secure protocols between the application server and any external Web services. Password Protection KANA Response also protects passwords used by agents, supervisors, and application administrators. User and database passwords are encrypted to help prevent unauthorized access. Role-based logins, such as agent, supervisor, and administrator, manage access to data appropriately. In addition, custom role definition is available to fine-tune the level of data access for each user. Password security features include setting expiration dates and password length, requiring user names and passwords to be different, enforcing alphanumeric restrictions, prohibiting use of old passwords, retry lockout and invalid logon lockout. Passwords maintained in configuration files are encrypted with a mechanism for changing them. Password encryption algorithms use the JAVA cryptography standard and comply to the AES-128 encryption standard. Security in KANA Secure Messaging For companies that need to further safeguard communications between customers and service representatives, KANA Secure Messaging offers a solution that combines KANA Response functionality with secure Web portals. KANA Secure Messaging does not include any sensitive data in messages sent to non-secure mailboxes like Microsoft Outlook, which eliminates the need for cumbersome schemes to encrypt and decrypt content. Instead, an message includes a hyperlink to a secure portal where the recipient must authenticate before accessing the protected information. As a result, there is no exposure of sensitive data while it is in transit, helping companies maintain information privacy while reaping the benefits of lower-cost . KANA Secure Messaging provides the following security measures: A Secure Online Access Protocol (SOAP) is used between KANA Response and the secure Web portal in order to exchange data. Any s sent in over the SOAP channel are automatically flagged as secure, and replies will be sent out over the secure channel. For s coming in over a non-secure SMTP/POP channel, rules can scan message content to determine the need for confidentiality. Once an is classified as confidential, Secure Messaging can route it via the SOAP channel instead of over nonsecure SMTP/POP. Rules can be established for a wide range of criteria, such as a particular message title, text word, or alphanumeric pattern. In summary, KANA Response and KANA Secure Messaging help to comply with specific PCI DSS specifications as follows: 2011 KANA Software, Inc. 840 W California Ave, Ste 100, Sunnyvale CA sales@kana.com PAGE 7

8 Security in KANA Response Live As live chat becomes increasingly popular, many companies want to leverage this channel to increase sales, forestall shopping cart abandonment, and offer an immediate-response channel for service. KANA Response Live offers a rich set of capabilities for conducting interactive online conversations. To help ensure that these live interactions remain private, KANA Response Live includes the following security measures KANA Software, Inc. 840 W California Ave, Ste 100, Sunnyvale CA sales@kana.com PAGE 8

9 Data Protection Using rules, sensitive data in text message can be masked so that it is invisible to the agent. Restrictions can be added to prevent agents from viewing information that the customer is entering during co-browsing sessions. KANA Response Live can be configured to prevent agents from entering certain form information (such as an account ID number) or submitting customer forms. While all of these restricted fields and any data in them are visible to the customer, it is masked from agents. Data Encryption KANA Response Live transcripts are encrypted during transmission and in storage: Chat transcripts are encrypted in the database in the same way s are managed by KANA Response. Chat transcripts for authenticated customers, which become part of the universal customer history, are encrypted in the KANA Response Live database. During transmission, communication between the chat agent and a customer outside the firewall is secured using SSL with 128-bit encryption and externally validated certificates from a recognized certificate authority. For session security, KANA Response Live assigns a unique session management key to each text chat session. This session token is comprised of 50 random alphanumeric characters, providing approximately 170-bit encryption. Each time a text chat message is sent or co-browse event occurs the users in the session are compared to the management key. If a mismatch occurs, then the associated user is ejected from the system. This helps to eliminate an entry point into the corporate network for hackers. Password Protection KANA Response Live includes the same password protection and role functions as KANA Response. (Please see page 7) In summary, KANA Response Live helps companies comply with specific PCI DSS specifications as follows: 2011 KANA Software, Inc. 840 W California Ave, Ste 100, Sunnyvale CA sales@kana.com PAGE 9

10 Conclusion The PCI DSS standard offers companies an effective path to securely process, store, and transmit sensitive data. With the security capabilities built into KANA solutions, companies can materially improve their PCI DSS compliance during customer service communications. KANA Response, KANA Secure Messaging, and KANA Response Live all incorporate measures that meet many PCI DSS requirements, helping companies effectively protect their customers information during transmission and in storage KANA Software, Inc. 840 W California Ave, Ste 100, Sunnyvale CA sales@kana.com PAGE 10

11 Disclaimer Ultimately, responsibility for PCI compliance remains with the Customer. Complete PCI DSS compliance can only be certified by Customer s PCI DSS Qualified Security Auditor. KANA does not claim, represent or otherwise imply that its products are PCI DSS certified. While all information contained in this paper is believed to be correct at the time of publication, no warranty is made regarding compliance and all information is provided as a convenience to Customer. To learn more about how the KANA suite of multi-channel solutions can help you create customers for life, call Copyright 2011 KANA Software, Inc. KANA and the KANA logo are registered trademarks of KANA. Other company, product and service names may be service marks of their respective owners. 840 W California Avenue, Suite 100 Sunnyvale, CA T F Contact us at Linkedin: Facebook: All Rights Reserved i The TJX Companies, Inc. parent of Marshalls, T.J. Maxx and other retail chains, admitted that hackers compromised some 46 million customer credit card numbers. The incident set off a flurry of lawsuits by customers and banks who contend TJX should be responsible for its shoddy security, as well as a separate investigations by the FTC and 37 state attorneys general. MasterCard has stated that TJX was not compliant when its database was breached, and Eduardo Perez, vice president of payment system risk at Visa USA, says he has "never seen an entity compromised that is PCI compliant." TJX has admitted in FTC filings that it has spent some $20 million already to address costs related to the breach. ii 2007 Internet Crime Report iii As reported in the Wall Street Journal, September 16, 2008 iv The Internet Retailer Top 500 Guide, Internet Retailer, October 7, 2008 v Within the KANA Response interface, SSL communication is on by default, but can be turned off by a system administrator. As SSL may incur some performance impact, the choice to turn SSL on or off will depend on the type of data contained within s. If s do not contain sensitive data, it may be preferable not to use SSL vi Existing KANA Response customers will need to upgrade to KANA Response 10.4 and obtain a new license key. An encryption utility is available to encrypt all data in an existing KANA Response database. vii Once encryption is turned on, administrators cannot selectively choose to encrypt one type of or turn encryption on and off at will. All s will be encrypted according to the chosen options. Choosing to encrypt s should be considered carefully. While encryption can be turned off, it will require considerable effort to return to an unencrypted state KANA Software, Inc. 840 W California Ave, Ste 100, Sunnyvale CA sales@kana.com PAGE 11