Protect Customers with PCI Compliance Lowering Data Breach Risks for Customer Contact Centers

Transcription

1 50 Years of Growth, Innovation and Leadership Protect Customers with PCI Compliance Lowering Data Breach Risks for Customer Contact Centers A Frost & Sullivan White Paper

2 Frost & Sullivan Customer Contact Vulnerabilities... 3 PCI Standards... 4 Applicability... 5 PCI DSS Compliance... 5 Enforcement... 7 Supporting Strategies and Solutions... 7 Conclusion... 8 CONTENTS

3 Protect Customers with PCI Compliance Lowering Data Breach Risks for Customer Contact Centers Customer contact organizations that handle payment card data are increasingly at risk for data breaches and data theft. According to the 2012 Verizon Data Breach Investigations Report (DBIR): Payment card information is the subject of more breaches (48 percent) than any other data type. 94 percent of all data compromised involved servers. Individuals outside of organizations account for nearly all data breaches. Smaller firms are more prone to breaches than larger ones because their defenses may not be as strong. Criminals seek targets of opportunity. Customer-facing organizations must also inform and help customers when their payment card accounts have been compromised. Laws in 46 U.S. states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands require customers to be notified when there are breaches involving their personal information. CUSTOMER CONTACT VULNERABILITIES There are several potential entry points for criminal activity via contact center interactions: Customer records located on premises, outsourced, hosted, and/or in-sourced servers Call recordings and text-based communications transcripts (e.g., for chat, , social media, SMS/text, and video) PCs and laptops Agents committing malicious acts, such as installing key-logging spyware Agent pretexting, where criminals lie to others, such as contact center agents, to obtain privileged data Customer contact organizations appear to be in the lower-middle range for threats when compared with other functions and staff. The Verizon DBIR reported: Contact center personnel accounted for one percent of compromised assets by percent of breaches, but this figure rises to seven percent for larger organizations, which is defined by the DBIR as having at least 1,000 employees. Database and Web application servers each accounted for 33 percent. Agents accounted for eight percent of pretexted breaches. Regular employees and end users comprise 43 percent. Cashiers, tellers, and wait staff make up 33 percent. Frost.com 3

4 Frost & Sullivan There are several specific practices and issues that may merit examination for data breach risks: Growing popularity of hosting. Frost & Sullivan forecasts that annual hosted revenues will exceed those of premise-based solutions by Hosting shifts the data, trust, risk, and security focus to providers that are serving multiple clients. Increased contact handling to near-shore and offshore locations. Contact centers and data centers are subject to host nations laws and enforcement practices, which may be different than those in the U.S. and Canada. There are also differences in data privacy regulation between the U.S. and Canada. Work-at-home growth. Home agents physical environments are not under the direct line-of-sight view and control of management. The nature of customer contact work. It is often a stressful, minimum-wage job. Staff turnover is high. Supervision is sometimes poor, and even managers may not be well-trained. Morale under these conditions is low. Complacency. If there is a low level of incidents and losses, organizations and staff may become less vigilant. Customers communicating with contact centers can also leave themselves vulnerable: Putting payment card information in social media posts and tweets Sharing confidential information via cell phone in public places Not properly disposing unwanted computers and wireless devices PCI STANDARDS To guard against payment card information loss, organizations must adopt, train staff on, adjust processes to, comply with, and continually adhere to strict standards to achieve that goal. The standards compliance process identifies the security weak links. There are often recommendations from these reports to correct them. The Payment Card Industry Data Security Standard (PCI DSS) is aimed at protecting cardholder data. It has been developed and is administered by the PCI Security Standards Council (PCI SCC). The council has more than 600 participants globally, including merchants, banks, processors, and vendors, such as cloud/hosted contact centers. The PCI SSC s founding members, American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa, have incorporated the PCI DSS into their data security programs. 4 Frost.com

5 Protect Customers with PCI Compliance Lowering Data Breach Risks for Customer Contact Centers The PCI DSS program is composed of 12 requirements. These are grouped under six goals: Build and maintain a secure network Installing and maintaining firewalls Not using vendor-supplied password and other security feature defaults Protect cardholder data Protecting stored cardholder data Encrypting cardholder data when transmitted across open public networks Maintain a vulnerability management program Utilize and regularly update anti-virus solutions Create and maintain secure systems and applications Implement strong access control measures Restrict access to cardholder data to only those businesses that need it Assign unique IDs to each individual who has computer access Restrict physical access to cardholder data Regularly monitor and test networks Track and monitor all access to network resources and cardholder data Regularly test security systems and processes Maintain an Information Security Policy Maintain a policy that addresses information security for all personnel APPLICABILITY Any organization that handles payment card information should become PCI DSS-compliant: Merchants, including phone/web commerce-only firms Service providers that process, store, or transmit cardholder data on behalf of payment card brand clients, merchants, or other service providers. These include BPOs and cloud/hosting providers. PCI DSS COMPLIANCE Organizations achieve PCI DSS compliance by submitting to and passing periodical comprehensive scoping, assessment, validation, and reporting, and by meeting the standards between assessments. These elements include: Annual security assessment by PCI-certified Qualified Security Assessors (QSAs) Data networks and Web applications automatically scanned quarterly by Approved Scan Vendors (ASVs) Frost.com 5

6 Frost & Sullivan QSAs complete annual Reports of Compliance (ROCs) Self-certification for low-volume organizations. These are known as Self-Assessment Questionnaires (SAQs). Companies should select their QSAs based on their understanding of and suitability for their organizations. They should have experience in assessing similar firms. There are several PCI levels for merchants and service providers. Each payment card brand also has specific compliance validation and reporting requirements, and instructions for when to engage QSAs. Here are Visa s requirements for merchants: Level 1: Merchants processing more than 6 million Visa transactions annually (all channels) or global merchants identified as Level 1 by any Visa region Requirements: Annual ROC by QSA or internal auditor if signed by officer of the company; quarterly network scan by ASV; Attestation of Compliance Form Level 2: Merchants processing one million to six million Visa transactions annually (all channels) Requirements: Annual SAQ; quarterly network scan by ASV; Attestation of Compliance Form Level 3: Merchants processing 20,000 to one million Visa e-commerce transactions annually Requirements: Annual SAQ; quarterly network scan by ASV; Attestation of Compliance Form Level 4: Merchants processing less than 20,000 Visa e-commerce transactions annually and all other merchants processing up to one million Visa transactions annually Requirements: Annual SAQ recommended; quarterly network scan by ASV if applicable; compliance validation requirements set by acquirer Here are MasterCard s requirements for service providers: Level 1: All Third-Party Processors (TPPs) and all Data Storage Entities (DSEs) with more than 300,000 total combined MasterCard and Maestro transactions annually; annual onsite assessment conducted by a QSA; quarterly network scan by an ASV Level 2: All DSEs with 300,000 or less total combined MasterCard and Maestro annual transactions; annual self-assessment; quarterly network scan conducted by an ASV Payment card brands strongly encourage PCI Level 1 compliance for service providers. They typically allow only Level 1-meeting companies on their service provider listings. 6 Frost.com

7 Protect Customers with PCI Compliance Lowering Data Breach Risks for Customer Contact Centers ENFORCEMENT PCI is a voluntary standard. Payment card brands may fine merchants over breaches and may require remediation by brand-accredited professionals, such as those with MasterCard s Qualified Forensics Investigator and VISA s Qualified Incident Response Assessor qualifications. Additionally, some states Minnesota, Nevada, and Washington have adopted PCI compliance into law. Massachusetts also has a stringent data security law, whose key features include a data encryption requirement and its applicability that also extends beyond its boundaries to out-of-state businesses that have in-state customers. The efficacy of PCI has been borne out in the Verizon DBIR. It found that in 96 percent of all payment data breaches, firms were not compliant with PCI DSS or were never assessed or validated. It said that in nearly every instance, the breaches could have been prevented had the companies properly implemented and followed the PCI DSS requirements. SUPPORTING STRATEGIES AND SOLUTIONS PCI assessment, compliance, and enforcement are not enough by themselves to prevent breaches. Customer contact organizations need to consider adopting methods that support the PCI compliance. These include: Remove unneeded and out-of-date data. Perform list and database hygiene. If performing quality or total recording, ensure that credit card data is eliminated from both audio and screen recordings, which are archived. Harden contact centers, such as through desktop virtualization and eliminating all agent-accessible data introduction points and storage means. Perform due diligence on cloud/hosted providers, such as by examining them for PCI compliance. Consider asking whether they are also compliant with SSAE 16 SOC, formerly SAS 70. This standard permits independent auditors to evaluate and issue opinions on service organizations controls. These cover application development and maintenance, data processing, access and security, system maintenance, and business continuity. Examine the option of private dedicated cloud solutions. They permit greater control because the servers are on-premises. Conduct thorough background checks on agents. Frost.com 7

8 Frost & Sullivan Set up a home agent policy that also covers security, and which includes allowing employers to inspect the premises for compliance. Create a constructive contact center culture that encourages trust, values, and rewards for positive action. This culture supports employees to continuously act for the benefit of the customer and reduces risk. Evaluate only those BPOs that are PCI- and SSAE 16-compliant. They often employ rigorous employment background checks. Most near-shore and off-shore programs are also handled by BPOs. These suppliers have taken the proper steps to manage risks. The most important strategy is vigilance. Train personnel to detect data breach attempts and set up a means to have these reported immediately. Coach teams on PCI compliance. Educate customers on when and how to communicate payment card data, and on properly disposing computing and communications devices. CONCLUSION Payment card information theft will remain a significant threat for customer contact organizations. By applying a multilayered approach, including addressing vulnerabilities, becoming and remaining compliant with the PCI DSS, and with applicable laws and regulations, companies can limit customers from becoming victims. 8 Frost.com

9 Silicon Valley 331 E. Evelyn Ave. Suite 100 Mountain View, CA Tel Fax San Antonio 7550 West Interstate 10, Suite 400, San Antonio, Texas Tel Fax London 4, Grosvenor Gardens, London SWIW ODH,UK Tel 44(0) Fax 44(0) GoFrost ABOUT FROST & SULLIVAN Frost & Sullivan, the Growth Partnership Company, works in collaboration with clients to leverage visionary innovation that addresses the global challenges and related growth opportunities that will make or break today s market participants. Our Growth Partnership supports clients by addressing these opportunities and incorporating two key elements driving visionary innovation: The Integrated Value Proposition and The Partnership Infrastructure. The Integrated Value Proposition provides support to our clients throughout all phases of their journey to visionary innovation including: research, analysis, strategy, vision, innovation and implementation. The Partnership Infrastructure is entirely unique as it constructs the foundation upon which visionary innovation becomes possible. This includes our 360 degree research, comprehensive industry coverage, career best practices as well as our global footprint of more than 40 offices. For more than 50 years, we have been developing growth strategies for the Global 1000, emerging businesses, the public sector and the investment community. Is your organization prepared for the next profound wave of industry convergence, disruptive technologies, increasing competitive intensity, Mega Trends, breakthrough best practices, changing customer dynamics and emerging economies? Contact us: Start the discussion For information regarding permission, write: Frost & Sullivan 331 E. Evelyn Ave. Suite 100 Mountain View, CA Auckland Bangkok Beijing Bengaluru Bogotá Buenos Aires Cape Town Chennai Colombo Delhi / NCR Dhaka Dubai Frankfurt Hong Kong Istanbul Jakarta Kolkata Kuala Lumpur London Mexico City Milan Moscow Mumbai Manhattan Oxford Paris Rockville Centre San Antonio São Paulo Seoul Shanghai Silicon Valley Singapore Sophia Antipolis Sydney Taipei Tel Aviv Tokyo Toronto Warsaw Washington, DC