The Payment Card Industry Security Standards Council has recently announced the newest version of the industry standard for payment data protection. But what do contact centres need to know about version 3.2 of the PCI Data Security Standard (PCI DSS)?
At the moment, the new requirements in PCI DSS 3.2 are considered best practice only and do not become mandatory until February 2018. This gives organisations time to plan and implement the changes. However, companies are being urged to adopt the new requirements as soon as possible, because they are aimed squarely at preventing, detecting and responding to the attacks that lead to payment data breaches.
What Changes Have Been Made Since PCI DSS 3.1?
PCI DSS 3.2 introduces a number of new requirements, several of them specific to service providers. They are best practice until February 2018 and mandatory after that. The changes include:
- More regular security checks – Several existing requirements have been expanded for service providers by incorporating the Designated Entities Supplemental Validation (DESV) controls, for example quarterly reviews to confirm that personnel are actually following security policies and operational procedures. To meet them, service providers need processes that show PCI DSS controls are in place and operating all year round, not just at the time of the annual assessment.
- Change management – Organisations need a documented process for analysing how a change to the environment affects the security controls protecting cardholder data, and for confirming that all relevant PCI DSS requirements are still met on new or changed systems once a significant change is complete.
- Detect and report on failures – Service providers must detect, alert on and report failures of critical security control systems (firewalls, IDS/IPS, file integrity monitoring, anti-virus, access controls, audit logging, segmentation controls) and respond to them promptly. A control that has silently failed gives an attacker a window in which to compromise payment systems unnoticed.
- Penetration testing – Service providers must test segmentation controls at least every six months and after any change to them, instead of annually. This is one of the most important changes: segmentation is what keeps out-of-scope systems out of scope, so a failed segmentation test means the PCI DSS boundary is not where the organisation believes it is.
- Establish responsibilities – Day-to-day responsibility for PCI DSS may be assigned to individual roles, but executive management of a service provider must now formally establish responsibility for protecting cardholder data and for the PCI DSS compliance programme. Executive visibility matters most where protecting cardholder data is central to the business.
More General PCI Best Practice Guidelines
As well as adhering to the new PCI DSS requirements, organisations should be aware of the more general best practice guidelines that already exist. These include:
- SSL/TLS – Serve any page that collects payment card information over HTTPS using a current version of TLS, which encrypts the link between the web server and the browser. Although "SSL" is still the name in everyday use, SSL and early TLS (TLS 1.0) are no longer considered strong cryptography under PCI DSS: version 3.1 removed them from the acceptable protocols and version 3.2 sets 30 June 2018 as the deadline for migrating away from them. Card data must never be sent over an unencrypted connection.
- Logging data – Never log payment card data: not the full card number (PAN), and never the CVV/CVC, which is sensitive authentication data that must not be retained after authorisation. In practice, log files are a more common place for card data to leak than the database, because request parameters, stack traces and debug output tend to be written out wholesale.
- Storing data – Sensitive authentication data (CVV/CVC, full magnetic stripe data, PINs) must never be stored after authorisation. The PAN itself should be stored only where there is a genuine business need, and then only rendered unreadable, for example by truncation, tokenisation or strong encryption; a truncated PAN may keep at most the first six and last four digits. Any card details you do not need, such as expiry date or billing address, should not be held at all.
- Cross-site scripting attacks – Keep payment pages free of cross-site scripting (XSS) flaws. A script injected into the page that collects card details can read the form fields before they are ever submitted, regardless of how well the data is protected in transit and at rest, so validate input, encode output and apply a Content Security Policy on those pages.
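As an added example (not part of the original article and not any vendor's product code), the following Python log filter applies the logging and storage points above: it finds digit runs that pass the Luhn check, masks them down to the first six and last four digits, and strips fields carrying sensitive authentication data outright rather than masking them. The regular expressions, the field names and the sample log lines are constructed for illustration and are assumptions, not taken from any real system.

```python
import re

# Candidate PANs: 13 to 19 digits, optionally separated by single spaces or
# hyphens, not adjacent to other digits. The Luhn check below filters out most
# order IDs, timestamps and phone numbers that merely look like card numbers.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Field names (assumed for this example) that carry sensitive authentication
# data. PCI DSS Requirement 3.2 forbids retaining these after authorisation,
# so they are removed completely instead of being masked.
_SAD_FIELD = re.compile(r"(?i)\b(cvv2?|cvc2?|cid|csc|track[12]?|pin)\s*[=:]\s*\S+")


def luhn_valid(digits: str) -> bool:
    """Return True if a string of digits passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits (PCI DSS masking rule)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def redact(line: str) -> str:
    """Return a log line with CVV-style fields removed and any PAN masked."""

    def _mask_match(m: "re.Match[str]") -> str:
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_valid(digits):
            return raw          # not a card number, leave it untouched
        return mask_pan(digits)

    # Strip sensitive authentication data first so its value never reaches disk.
    line = _SAD_FIELD.sub(lambda m: m.group(1) + "=[REDACTED]", line)
    return _PAN_CANDIDATE.sub(_mask_match, line)


# Constructed sample log lines using well-known test card numbers; not real data.
SAMPLE_LOG = [
    "2016-05-10 12:01:33 INFO payment ok card=4111111111111111 cvv=123 amount=42.00 order_id=1234567890123456",
    "2016-05-10 12:02:07 DEBUG form data: pan=4111 1111 1111 1111 exp=12/19 phone=02079460000",
    "2016-05-10 12:03:41 WARN decline amex=378282246310005 reason=insufficient_funds",
]


def redact_all(lines=SAMPLE_LOG) -> list:
    """Redact a batch of lines; in production this sits in the logging handler."""
    return [redact(line) for line in lines]


if __name__ == "__main__":
    for before, after in zip(SAMPLE_LOG, redact_all()):
        print("BEFORE:", before)
        print("AFTER: ", after)
```

The filter belongs in the logging pipeline itself (a logging formatter or handler), not in each call site, so that a stack trace or a debug dump of a request object is caught too. Note that `order_id=1234567890123456` survives because it fails the Luhn check, which is exactly why the check is there: masking every long digit run would make the logs useless, while masking only Luhn-valid runs catches real PANs with very few false positives.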
Remove Your PCI Compliance Concerns
With a hosted solution like Agent Assist, card details never enter your contact centre environment, which takes most of it out of PCI DSS scope; you remain responsible for the parts of your environment that stay in scope and for confirming your provider's own compliance. To discuss your specific compliance requirements and to find out more about our secure payment solutions, please give us a call or email [email protected] today.