Over the course of 2019 the PCI Pal team attended many industry and partner events, and similar questions kept arising. To round off 2019, we decided to share the questions, and answers, that we hear the most.

 

  1. How do I know if my organisation is PCI Compliant?

One of the most frequent questions we receive is, “Does my organisation need to be PCI Compliant, and how do I know if we are?” Begin by asking yourself this question: do I store or receive cardholder data as a business? If yes, a compliance strategy is key. We often see businesses overlook PCI Compliance because they think they aren’t a target for hackers as they aren’t a Fortune 500 company, or because they fall into a specific vertical, or they implemented a solution 5 years ago, or one of their technology providers is PCI Compliant. In these cases, regardless of your vertical or the size of your organisation, if you’re receiving sensitive cardholder data, you are responsible for complying with the PCI Security Standards Council Data Security Standard (PCI DSS) as both threats and the regulations evolve. Your annual compliance audit is a great place to start. Within an audit, vulnerabilities are highlighted throughout your environment, and suggestions are made for meeting and maintaining the 12 requirements that make up the PCI DSS. When it comes to compliance within the contact centre, trusted sources such as Verizon Security are pushing for a descoped solution, such as PCI Pal’s Agent Assist.

 

  2. I pause and resume my recordings, is that compliant with the newest set of standards?

Pausing and resuming call and screen recordings is a procedure classified as a Compensating Control. The PCI Security Standards Council’s most recent regulations highlight that compensating controls such as ‘Pause and Resume’ are becoming an antiquated fix that doesn’t provide complete compliance for the contact centre, as it only makes your call and screen recordings compliant, not your infrastructure. The greatest vulnerability found in Pause and Resume is that the agent is still processing the credit card data. As they hear, see, type or (in some cases) even write down the card data, you’re trusting that the agent doesn’t mismanage that data, making the agent a vulnerability. You’re also trusting the agent to manually pause and resume the recording. This is pushing organisations to fully descope the contact centre to remove these varied vulnerabilities, which are being targeted by those searching for sensitive information such as cardholder data.

 

  3. What does a descoping solution replace in my contact centre?

PCI Pal’s Agent Assist is a light touch solution that enhances the payment experience while descoping your contact centre from the requirements of PCI DSS. The sensitive cardholder data is never received by or visible within your environment. Agent Assist is designed to replace onerous compensating controls such as clean room environments, pause and resume, and payment outsourcing. It is a solution that allows other technologies to work as they should. Call and screen recording solutions are now free to capture the customer interaction in its entirety. Contact centre managers no longer have to patrol agents to enforce a clean room environment.

 

  4. What about my relationships/contracts with my payment processor, tokeniser, telephony carrier?

The power of a solution with such a high number of established integrations is that it fits into your existing environment without displacing the payment processor or carrier that you have in place. The metrics or token that you’re receiving today would be the same metrics and token you’d receive with the proper descoped solution implemented.

 

  5. Why cloud, what cloud?

An important question to ask when descoping your customers’ card data is where the data is being processed, and how scalable the solution is. PCI Pal utilises Amazon Web Services (AWS) with active instances across the globe. By utilising AWS, large organisations don’t have to worry about data sovereignty concerns.

PCI Pal’s Agent Assist Solution is architected in the cloud, so issues such as DTMF Bleed are not a concern. Some other DTMF masking solution providers rely on masking the tone only after the DTMF detection algorithm has signalled that a tone is present. PCI Pal uses a “step-back” solution which detects the tone and winds back the stream of audio several milliseconds before masking the audio stream, to ensure that the tone is completely masked.
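The difference between masking on detection and stepping back can be seen in a small simulation. This is an added example, not PCI Pal's implementation: the frame size, sample rate, detection threshold and the three-frame confirmation delay are assumptions, and the call audio is constructed.

```python
import math
from collections import deque

RATE, FRAME = 8000, 80   # 8 kHz audio in 10 ms frames (assumed values)
CONFIRM = 3              # tone frames the detector needs before signalling (assumed)
LOW, HIGH = (697, 770, 852, 941), (1209, 1336, 1477, 1633)  # DTMF row/column Hz

def goertzel_power(frame, freq):
    """Signal power at one frequency, computed with the Goertzel recurrence."""
    coeff = 2 * math.cos(2 * math.pi * freq / RATE)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def has_tone(frame, threshold=100.0):
    """True when one row and one column frequency are both strong."""
    return (max(goertzel_power(frame, f) for f in LOW) > threshold and
            max(goertzel_power(frame, f) for f in HIGH) > threshold)

def mask_stream(frames, step_back):
    """Silence DTMF in a frame stream. step_back is how many already-received
    frames are held back so they can still be silenced once detection fires."""
    out, delay, run = [], deque(), 0
    for frame in frames:
        run = run + 1 if has_tone(frame) else 0
        delay.append(frame)
        if run >= CONFIRM:   # detector signals: silence everything still buffered
            delay = deque([0.0] * FRAME for _ in delay)
        if len(delay) > step_back:
            out.append(delay.popleft())
    return out + list(delay)  # flush the delay line at end of stream

def sample_call():
    """Constructed input: 5 frames of 300 Hz hum, 6 frames of digit '1', 4 of hum."""
    def frames(freqs, amp, count):
        wave = [amp * sum(math.sin(2 * math.pi * f * n / RATE) for f in freqs)
                for n in range(count * FRAME)]
        return [wave[i:i + FRAME] for i in range(0, len(wave), FRAME)]
    return frames((300,), 0.3, 5) + frames((697, 1209), 0.5, 6) + frames((300,), 0.3, 4)

def leaked_tone_frames(output):
    """Number of output frames in which the digit is still detectable."""
    return sum(has_tone(f) for f in output)

if __name__ == "__main__":
    call = sample_call()
    print("mask on detection only:", leaked_tone_frames(mask_stream(call, 0)))
    print("step back CONFIRM - 1 :", leaked_tone_frames(mask_stream(call, CONFIRM - 1)))
```

The cost of stepping back is a fixed output delay of `step_back` frames, which is why the wind-back is kept to the detector's confirmation time.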

When it comes to future-proofing, cloud-based solutions are not easily beaten. On-premises solutions are costly and time-consuming to update, whereas updating cloud-based solutions is as easy as downloading new software or updating your contract to offer new services with the click of a button. This same mindset applies to scalability with growth. You can start where you’re at today, and a cloud-based solution will grow with you and your business. As locations are added and services are re-routed between locations, cloud solutions provide the scalability and agility needed to keep up with your organisation’s growth and expansion.

 

Have your own questions that we can help answer as you head into the new year? Let us know at [email protected]. We would love to help guide you on your PCI compliance journey.