Cybernews Payments Interview with PCI Pal’s CISO
Geoff Forsyth, PCI Pal: “the most important thing customers should pay attention to is how their payments are being taken”
The growing number of digital transactions creates a progressively rising number of new opportunities for cybercriminals.
Merchants must employ the highest levels of payment security, but at the same time still deliver a great customer checkout experience. Naturally, this case requires complete encryption and prevention tools. However, managing security measures can often become more than you can chew. For this reason, we highly recommend choosing a dependable payment platform.
Cybernews sat down with Geoff Forsyth, CISO of PCI Pal – a leading cloud-based payment solutions provider – to find out what security measures can protect you while making payments and what should we be most vigilant about when spending our money.
Let’s go back to the very beginning of PCI Pal. What has your journey been like throughout the years?
I’ve been around for a long time! Back in the 80s & 90s, I worked on compliance and reactor systems in the Nuclear Power Industry before helping found an internet business directory that floated on the London stock market in 2000. The company subsequently changed direction after the dotcom crash of the early noughties, morphing into a call centre and software business. We started specializing in credit card payment compliance systems and made the strategic move in 2016 to become PCI Pal.
Operating across America, Canada, Europe, and Australia, PCI Pal has become a truly global player in the market. We’re strategically scaling operations to provide customers with the best cloud-based secure payments solutions available through partnerships with companies such as Genesys, 8×8, Worldpay, Five9, and Amazon Connect.
After eighteen years as the company’s CTO, I moved into my current position as CISO in 2018. I’m dedicated to maintaining the group’s existing information security strategy and standards to protect our customers’ and resellers’ data as the organization expands its operations globally.
Can you tell us a little bit about your cloud solutions? What are the main issues they help solve?
Our mission at PCI Pal is to safeguard reputation and trust by providing our customers with secure payment solutions for any business communications environment. That includes voice, chat, social, email, and contact centre. Our solutions not only keep consumer data safe and secure, but they also protect the merchant by descoping their environments from the requirements of the Payment Card Industry Data Security Standard (PCI DSS).
PCI DSS is a set of 12 binding requirements, produced by the credit card industry, designed to ensure complete data protection for any company or contact centre that takes card payments. Our solutions help merchants achieve and remain PCI DSS compliant while also providing contact centres with customizable, scalable, and reliable solutions.
The solutions below each solve unique problems faced by contact centres:
- PCI Pal Agent Assist: PCI Pal’s core solution, Agent Assist, utilizes DTMF (Dual Tone Multi Frequency) masking technology and Speech Recognition, to provide companies with a secure way of handling payments by phone without bringing their environments into the scope of PCI DSS. We integrate with the call flow and at the point of payment, intercept credit card details sent as keypad tones or speech from the customer. This way the contact centre agent isn’t exposed to the card data, all they see are asterisks on the screen and hear comfort tones. The customer and the agent can still converse throughout the process but the sensitive card data, the 16-digit card number (PAN), and the 3-digit security code (CSV) are prevented from reaching the agent or the merchant’s environment, drastically reducing the scope of PCI. This solution is available globally from within the PCI Pal platform that provides our IVR and Digital secure payment products, so agents can have access to take payments from customers through multiple channels.
- PCI Pal Digital: Responding to the ever-growing demand for omnichannel payments, PCI Pal Digital allows contact centres to provide a true omnichannel payment experience to consumers. PCI Pal Digital functionality is available from within the PCI Pal platform that provides PCI Pal Agent Assist and IVR secure payment products, so agents have access to take payments from customers through any channel. PCI Pal’s technology ensures these channels are descoped from the requirements of PCI DSS whilst retaining operational flexibility to engage in conversations with your customer in whatever way suits your business.
What technology do you use to ensure secure payments?
PCI Pal is a ‘Software-as-a-Service’ (SaaS) company, offering cloud-based secure payments solutions hosted globally within Amazon Web Services (AWS). This allows us to regionalize data globally, making our solutions widely available to organizations around the world.
PCI Pal’s patented technology for telephone-based payments uses DTMF masking technology to suppress the telephone keypad tones entered by a customer during a transaction to ensure customer data is safe. For reference, Dual Tone Multi-Frequency (DTMF) is the discordant two-tone signal or sound that is generated when you press a button on a telephone’s keypad. Our solution avoids traditional legacy issues such as DTMF bleed found in other products available in the market today.
PCI Pal also uses speech recognition technology in our Agent Assist and IVR Payments solutions to allow customers to speak their details in a secure way as an alternative to using their telephone keypad. Additionally, we also offer secure payments via digital engagement channels such as Webchat, Whatsapp, SMS, Social Media, and Email.
Did you notice threat actors using any new techniques as a result of the recent global events?
The pandemic has been a complete boon to hackers and spammers. I haven’t necessarily seen any new techniques, but the sheer amount of Phishing scams have been enormous. The world event in Ukraine has also seen cyber-attacks ramping up, again with criminals using the opportunity to launch phishing attacks.
Over 90% of cybercrime begins with a phishing email, and this type of attack has increased significantly with more people working from home and the dramatic shift to an increasingly virtual world, threat actors have ramped up their efforts for sure.
Many companies have recently chosen cloud solutions as a way to enhance security. Are there any details that might be overlooked when making the switch?
Security in the cloud is always a shared process between the cloud provider and the company using the service. In general, the cloud provider is responsible for the “Security OF the Cloud,” and the company is responsible for the “Security IN the Cloud.”
It is important to fully understand where these responsibilities meet and overlap and to ensure there are no obvious gaps. Therefore, all companies should have a Responsibility Matrix document that clearly defines and describes which party is responsible for what.
Something commonly overlooked by companies is not knowing where their data is physically stored. Many regions of the world have legal requirements that data identifying individuals, data such as names & addresses, credit card information, social security numbers, and bank details, must be stored locally and not shipped around the globe. An example that springs to mind are file storage systems (such as Microsoft OneDrive, Dropbox, Google Drive, and Apple iCloud).
When companies sign up for these services, they usually have no idea exactly where their files are being stored. For example, a company based in the UK, might not want their UK-based customers’ data stored in the US for fear of there being a problem with the data transfer between the US and the UK. You have a lot less control over your data if it is in another country. It is a strategic rule of thumb to know where your information is being stored.
What cybersecurity aspects do you think new business owners often fail to take into account?
There are two things that come to mind that often go overlooked and are oftentimes the easiest to prevent. First, unsecured networks can leave you open to cybercrime. Most people know not to use open Wi-Fi connections in coffee shops, for example, as connections can so easily be monitored. The same applies to your business, making sure you have secured networks and channels of communication can help prevent major issues.
Second, most data breaches do not start with hackers attacking your network directly. Instead, they use social engineering attacks on your staff in an attempt to trick them into giving your secure information such as login details and passwords. So, training your employees to recognize scams and safely avoid them is critical.
What are some of the worst habits that can put a company’s data at risk?
Lack of employee education about the risks is one of the worst habits, in my opinion. Employees need to be educated and alert. Phishing emails continue to be the biggest threat.
It’s easy to misread something or answer something blindly, but that’s how they get you. To alleviate the risks, the most important step an individual can do to protect the organization is to be considerate and take your time before responding.
Share with us, what details should customers be vigilant about when making payments online?
While there are plenty of things customers can do on their end to make sure they protect their money, the most important thing customers should pay attention to when making a payment is how their payments are being taken – does the process seem secure?
Phishing is the single biggest threat – scammers encouraging people to click links in emails where they are redirected to dodgy websites that mimic popular brands. So, importantly, when you are sent that “special offer,” be suspicious. Don’t click the link, and instead, go to the online website independently. Once at the payment page, look for a secure padlock symbol in your browser URL to show the site is using HTTPS.
Across Europe, it is now mandatory for companies to use Strong Customer Authentication when taking online payments, this means using a system called 3Dsecure offered by all the credit card brands. 3Dsecure is a global standard and we are now starting to see its use becoming far more popular across the US and Canada, too.
And finally, what’s next for PCI Pal?
As consumer behaviour evolves and contact centres attempt to keep pace, PCI Pal will continue to keep a finger on the pulse of the industry to deliver the solutions our customers need at the moment. We have a detailed product roadmap and our development teams are working hard to create and launch exciting and innovative new features over the coming months.
Additionally, PCI Pal has recently opened additional offices in Toronto and Sydney – further strengthening our global footprint. We continue to strengthen our product portfolio by providing payment innovations to merchants and our global partner network both within Canada and beyond.