Data Security & PCI Compliance: Securing Your Contact Center
Introducing
  Trevor Horwitz, Principal, TrustNet (trevor.horwitz@trustnetinc.com)
  John Simpson, CIO, Noble Systems Corporation
  Carolynn Horrell-Chamoun, CIO, Penncro
Objectives
  Learn about PCI
  Discuss emerging security threats
  Specific issues for contact centers
  Your PCI project plan
  Q&A
Payment Card Industry Compliance
  Payment Card Industry standards (DSS and PA-DSS)
    DSS: Data Security Standard
    PA-DSS: Payment Application DSS
    PED: PIN Entry Device
  Created by the PCI Security Standards Council
  Security standard designed to protect payment account data
  Applies to any business that accepts, stores, manages, processes or transmits payment card information. There are no exceptions.
PCI Requirements
  1. Install firewalls to protect CHD (cardholder data)
  2. Do not use default passwords and parameters
  3. Protect stored cardholder data
  4. Encrypt data transmission across public networks
  5. Use up-to-date anti-virus software
  6. Develop secure systems and applications
  7. Restrict access to CHD
  8. Assign unique IDs
  9. Restrict physical access to CHD
  10. Track and monitor access to network and CHD
  11. Regularly test security systems and processes
  12. Maintain an information security policy
PCI Requirements - Examples
  3.2 Encryption of sensitive cardholder data
  11.2 Quarterly vulnerability scans
  11.3 Annual penetration test
  12.6 Security awareness training (all employees)
  12.1 Establish, publish, maintain and disseminate an information security policy
Why Should We Comply?
  Non-compliance may result in: loss of the ability to accept payment cards; card brand and processor fines and fees; the cost of reissuing payment cards; liability for fraudulent charges; legal settlements or judgments; loss of customers and customer confidence
  It's the law:
    Minnesota - Plastic Card Security Act (2009)
    Nevada - SB 227, effective 1/1/2010
    Washington - HB 1149, passed 3/22/10, effective 7/1/10
    Massachusetts - MA 201 CMR 17 (Data Privacy Act)
PCI Resources
  PCI Security Standards Council - https://www.pcisecuritystandards.org/
  PCI solution vendors - www.pcitoolbox.com
  PCI blog - http://www.pcianswers.com/
Emerging Security Threats
  Windows 7
  Large-scale worm attacks
  Malware - polymorphic threats
  Mac attacks
  Phishing, spear phishing, and social engineering
  Social networking third-party apps
  Rogue security software
  Botnets
  Mobile malware
  Attacks that leverage the cloud
Contact Center PCI Trends
  Voice recordings: storage of sensitive authentication data is prohibited subsequent to authorization
  Contact centers: guidance from the PCI Council to QSAs (Qualified Security Assessors); clearly in scope for PCI
  VoIP: VoIP infrastructure connected to the CDE (cardholder data environment) must be PCI compliant
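The voice-recording point above (no sensitive authentication data retained after authorization, and stored cardholder data protected) is the kind of check a contact center can automate over stored call transcripts. The following is an added example, not from the presentation or from any of the presenters' organizations: it scans a constructed transcript, masks Luhn-valid card numbers down to the last four digits, and redacts a security code spoken after a prompt for it; the regular expressions and the sample text are assumptions for illustration.

```python
import re

# Constructed sample transcript of a recorded call (not a real recording).
SAMPLE_TRANSCRIPT = (
    "Agent: May I have the card number? Caller: 4111 1111 1111 1111.\n"
    "Agent: And the three digit code on the back? Caller: 123. Expiry 09/27.\n"
    "Agent: Thanks, your confirmation number is 1234 5678 9012 3456.\n"
)

# 13-19 digits, optionally separated by spaces or dashes (assumed pattern).
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# A 3-4 digit value spoken shortly after a prompt for the security code
# (assumed heuristic for the sensitive authentication data case).
SAD_RE = re.compile(r"(?:code|cvv|cvc|security number)[^\d]{0,40}(\d{3,4})\b", re.I)


def luhn_ok(digits: str) -> bool:
    """Luhn check, so confirmation numbers are not mistaken for PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    """Keep only the last four digits of a PAN."""
    return "*" * (len(digits) - 4) + digits[-4:]

def scrub_transcript(text: str) -> dict:
    """Mask PANs and redact security codes; report what was found."""
    masked_pans = []

    def mask(match):
        digits = re.sub(r"\D", "", match.group(0))
        if not luhn_ok(digits):
            return match.group(0)     # not a card number, leave untouched
        masked_pans.append(mask_pan(digits))
        return masked_pans[-1]

    text = PAN_RE.sub(mask, text)
    sad_hits = len(SAD_RE.findall(text))
    # Drop only the digits (group 1) and keep the surrounding speech.
    text = SAD_RE.sub(lambda m: m.group(0)[: m.start(1) - m.start(0)] + "[SAD REDACTED]", text)
    return {"text": text, "pans_masked": masked_pans, "sad_redacted": sad_hits}
```

Run `scrub_transcript(SAMPLE_TRANSCRIPT)` to see the masked text; a non-zero `sad_redacted` count on a recording that is past authorization is the finding a QSA would flag.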
Contact Center IT Security Trends
  Virtualization
  Cloud computing
  Breach notification laws in 45 US states
  State and federal data privacy laws: MA 201 CMR 17, HIPAA and the HITECH Act; other states to follow
PCI Compliance Project Plan
  Project scope, assessment and planning
    Determine validation level: merchant or service provider? What level?
    Determine the in-scope business operations, IT infrastructure, applications, information, and people
  Gap analysis
    Risk assessment
    Assess documentation and identify control gaps and deficiencies
PCI Compliance Project Plan (continued)
  PCI DSS compliance assessment
    Assess compliance as defined by PCI DSS v1.2
    Review applications for PA-DSS compliance
  Remediate deficiencies
    Evaluate deficiencies
    Identify and assess any compensating controls
  Reporting
    Debrief management and other stakeholders as required
    Complete the relevant Self-Assessment Questionnaire and Attestation of Compliance
Q & A