Your Compliance Strategy Questions Answered
A new year and fresh focus. Many organisations have their attention set on prioritising a clear PCI compliance strategy in 2022. With workforces now looking to operate in a hybrid workspace model, there are more questions than ever around ensuring consumer data protection. The PCI Pal team sat down with Sujith Parambath, Head of PCI and Cloud Consulting Services at IT Governance, and PCI Pal CISO, Geoff Forsyth, to chat through the path to compliance success:
PCI Pal: To begin, could you share what struggles you have seen when businesses went partially or completely remote?
Sujith: A lot of commentary suggests difficulties in setting up secure access for staff, such as provisioning laptops, remote access and restricted access for sensitive data. Ensuring a good level of management and staff support alongside effective communication during remote working appeared a challenge for some.
Geoff: When the pandemic first hit, we had the opportunity to work with a lot of organizations that were trying to make the move to a remote workforce while maintaining compliance. The greatest shift we saw was organisations recognising that they couldn’t use the compensating controls that they had in place in the contact centre in a remote setting.
PCI Pal: Now that organisations are adopting a hybrid working model – what challenges are you seeing when it comes to compliance and security?
Sujith: If many staff opt for a hybrid working model as a permanent way forward, as seems likely, there will be a need to ensure that the many temporary measures that provided less controlled ways of working do not become permanent. Organisations will need to ensure that staff have acceptable home working environments and implement long-term solutions.
Geoff: Those temporary measures that Sujith is referring to can be anything from clean room environments to pause and resume solutions. Some organisations have had to reduce or stop taking payments over the phone altogether while they figure out the path forward.
PCI Pal: Many organisations are still viewing pause and resume and other compensating controls as adequate when it comes to achieving PCI Compliance – what are your thoughts on this approach and is there any advice you can give?
Sujith: ‘Pause and resume’ is a way to keep card data out of call recordings. However, manual pause and resume may not be reliable and could lead to non-compliance. Even when well implemented, it only addresses the issues of data stored in call recordings; it does not descope the contact centre. Far better to keep card data right out of the contact centre.
Geoff: Descoping through a cloud-based DTMF suppression solution can provide a compliant and seamless experience for both the agent and the customer, whether the agent physically sits within the contact centre or works remotely. To Sujith’s point, ensuring the data never enters the environment is the way to truly ensure compliance and minimise risk.
PCI Pal: What can businesses do today in preparation for PCI DSS 4.0?
Sujith: (1) PCI DSS 4.0 makes it even clearer that the business is responsible for defining the scope of the CDE (cardholder data environment), including preparing network and data flow diagrams. Omnichannel contact centres in particular will need to invest time in doing this. (2) If a company is planning to rely on the new concept of customised/self-designed controls in v4.0, they will need to ensure that they have fully defined the control, carried out testing of it and documented this. I would advise businesses to steer clear of self-designed controls – I foresee this becoming a contentious, time-consuming, and expensive area.
Geoff: This new concept of self-designed customized validation means companies can comply by showing that the intent of a PCI DSS requirement is met without needing to provide an operational or technical justification. The customized approach provides a framework to allow the design of controls that address evolving threats, update technology and allow for flexibility and support to meet the PCI DSS objectives. If this all sounds complex and difficult, then that’s because it is. The process documentation, justification, implementation and ongoing review of such customized validation processes are going to be a massive resource drain. In my opinion, descoping the contact centre environment continues to be the simplest and most cost-effective option for businesses.
PCI Pal: What is a universal piece of advice that you find yourself giving to companies when it comes to achieving PCI Compliance?
Sujith: If it is the first time going through compliance, then set up a compliance project. Document everything – configurations, policies, procedures. The Payment Card Industry’s view is that if it isn’t documented then it isn’t happening. The more that you can rely on established PCI-compliant industry experts, the better. My advice would always be to keep card data out of the contact centre and off the phone system by using third parties such as PCI Pal to capture payments in the cloud and send them to remote payment gateways.
Geoff: As PCI DSS regulations evolve, keep in mind that there are companies and tools with the sole focus of unpacking those new standards, creating compliant solutions, and deploying them in efficient ways. Using these resources frees your team up to focus on the customer and the agents.
As compliance regulations advance, descoping continues to be the most robust solution for contact centres around the globe. For more thought leadership from Sujith Parambath, you can listen to his podcast with PCI Pal’s CISO, Geoff Forsyth.