How to Protect Cardholder Data
The PCI Standard
Retailers, businesses of all sizes, and call centers conduct the majority of their transactions by credit card. Call centers require customers to pay by credit card to place their orders. Whether a sole proprietorship of one or a corporation of thousands, businesses handle credit card data to complete their transactions. Retailers everywhere, large and small, accept credit cards as a means of payment. What do all of these businesses have in common? They must adhere to the global PCI standards.
What are the PCI standards? Otherwise known as PCI DSS, or the Payment Card Industry Data Security Standard, these are the rules that merchants must follow in order to accept major credit cards for transactions. The standards are required by the major credit card brands but are administered by an independent body, the Payment Card Industry Security Standards Council (PCI SSC). The measures were put into place worldwide to protect consumers and reduce credit card fraud.
It is paramount for any business or institution to maintain consumer trust, and one way to do so is to keep consumer data safe. Keeping payment information, transaction records, and personally identifying information safe from fraud, misuse, and data breaches is a serious responsibility.
Validation of Compliance
One method of assuring that a business is upholding its security obligations is validation of compliance. Compliance is required for any business entity that handles major credit cards for transactions. Depending on the business’s size and the number of transactions it processes, validation of compliance may be performed annually or quarterly. It is the company’s judgment to manage this based on the volume of business it handles. Validation of compliance is conducted in one of the following ways:
• Self-Assessment Questionnaire (SAQ) – for businesses with smaller volumes of transactions.
• An external Qualified Security Assessor (QSA) – for businesses with moderate volumes of transactions.
• An Internal Security Assessor (ISA) employed by the firm – for businesses with large volumes of transactions.
PCI-DSS Security Standards
Businesses of any size that accept major credit cards must follow PCI-DSS security standards. The standards are designed to protect both the consumer and the company from fraud or data breaches. The standards apply to any technical or operational systems that are connected to cardholder data. What are the required PCI-DSS standards?
• Build and maintain a secure network.
1. Install and maintain a firewall to protect cardholder data.
2. Do not use vendor-supplied default passwords on any system; set custom passwords instead.
• Protect Cardholder Data
1. Protect any stored cardholder data.
2. Use encryption when transferring any cardholder data across open, public networks.
• Maintain a Vulnerability Management Program
1. Regularly use and update antivirus software programs.
2. Develop and maintain secure systems and other software applications.
• Implement Strong Access Control Measures
1. Restrict access to cardholder data within the business to only those employees who need to know.
2. Each employee with computer access is required to have a unique sign-on ID.
3. Restrict physical access to cardholder data.
• Regularly Monitor and Test Networks
1. Track and monitor all access to network resources and cardholder data.
2. Provide regular testing of security systems and data.
• Maintain a Company Information Security Policy
1. Maintain a company-wide policy that addresses security for both employees and contractors.
All businesses that accept major credit cards are subject to the PCI DSS standards. To be PCI compliant, these businesses must follow all security standards set forth by the PCI SSC, the Payment Card Industry Security Standards Council. There are four levels of PCI compliance, based on the amount of financial transactions each business processes per year; this amount is treated by the major credit card companies as a measure of risk. Each card brand maintains its own compliance levels, though most follow this pattern:
1. Level 1 – Businesses that conduct over $6 million in transactions annually.
2. Level 2 – Businesses that conduct between $1 million and $6 million in transactions annually.
3. Level 3 – Businesses that conduct between $20,000 and $1 million in transactions annually.
4. Level 4 – Businesses that have less than $20,000 in credit card transactions annually.
Many businesses contract with call centers for several reasons, including customer relations, sales, or order processing. Call centers are a clear example of why a business should ask questions about privacy matters such as PCI compliance before contracting for a vendor’s services. Companies looking to contract with a call center vendor should review the following list of privacy requirements, and the vendor’s responses to them, before signing the contract.
• PCI Compliance – Remember that any contracted call center represents your business to the public. Verify that the call center is PCI compliant. If the contact center representing your business will be handling consumer credit data, a breach there will reflect poorly on you. Find out how they manage PCI compliance when handling consumer credit data.
• IVR Security – Call centers use interactive voice response (IVR) systems and other automated means to keep pace with incoming and outgoing calls. This technology helps them handle call volumes more efficiently, but the same efficiency means more data is being stored on automated systems and computers. Before hiring a call center for your business, ask how data collected and stored on their automated systems is handled and processed.
• Call Recording Storage – Most call centers record calls as part of quality control. Recordings help with training and with resolving disputes between the customer and the operator, but these audio files can be filled with sensitive consumer data. Ask how long the call center keeps these recordings and why, and how it protects the recorded data. Also ask whether sensitive data is redacted or scrubbed from the recordings, whether this is done manually or automatically, and at what point in the process it happens.
• File Encryption – Depending on the type of data required for your business transactions, customer data may need to be transferred outside the call center, for example, to outside vendors of products. Personal data may need to be transferred to your company or even back to the consumer. In your consumer’s eyes, you are responsible for what happens to their data, and it is your reputation on the line. Carefully work through any encryption requirements with your call center before hiring them and keep your expectations high.
• Controlled Access – Any company that handles personal data should control who has access to that information, and this holds for call centers as well. Specific industries, such as finance and healthcare, are especially stringent in their regulations on data access. Before contracting with a potential call center, it is essential to ask who has access to data, how, and when. Find out about password protection, access ID codes, and the other protocols in place to protect your consumers and your business reputation.
Cybersecurity is now the number one concern in nearly every business enterprise. A single data breach can be costly to the business in fines and penalties, legal fees, lawsuits, and lost consumer trust. News of a breach spreads over social media in minutes, and one breach can cost a large portion of regular customers, who become wary of any company that has not placed tight security around their data. These penalties can lead in turn to loss of employees, cutbacks, and possible company closure if profit margins cannot be maintained. Whether you use a call center or handle consumer credit data yourself, it pays to hire privacy and security experts to guide you through the steps needed to maintain data security. Work with a quality redaction company, such as CaseGuard, to find ways to remove personally identifying data and protect your company’s reputation. If unnecessary data is removed before storage, then if a breach does occur, that consumer data is not lost. Learn from your experts about encryption, firewalls, and access points; doing so will keep your business and reputation in the green.
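As an added example, not part of the original article or any vendor’s product, the Python code below shows the kind of automated scrub step the questions above are about: it finds candidate card numbers in a call-transcript line, uses the Luhn check digit to rule out look-alike numbers such as order references, and keeps only the last four digits before the line is stored. The transcript lines and card numbers are constructed test values.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
# Word boundaries stop it from matching a slice of a longer digit run.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _mask_match(match: re.Match) -> str:
    raw = match.group(0)
    digits = re.sub(r"[ -]", "", raw)
    if not luhn_valid(digits):
        return raw              # order reference, phone number, etc.: leave as-is
    return "*" * (len(digits) - 4) + digits[-4:]


def redact_pans(text: str) -> str:
    """Replace every Luhn-valid card number in text with a last-four mask."""
    return PAN_CANDIDATE.sub(_mask_match, text)


def redact_transcript(lines: list[str]) -> list[str]:
    """Scrub a whole transcript before it is written to storage."""
    return [redact_pans(line) for line in lines]


# Constructed sample transcript (test card numbers, not real accounts).
SAMPLE_TRANSCRIPT = [
    "Customer: the card is 4111 1111 1111 1111, expiry 09/27",
    "Agent: your order reference is 1234567890123, keep it for your records",
    "Customer: second card is 5555-5555-5555-4444",
]

if __name__ == "__main__":
    for line in redact_transcript(SAMPLE_TRANSCRIPT):
        print(line)
```

The order reference is a 13-digit run that fails the Luhn check, so it survives untouched while both card numbers are masked; the expiry date is too short to be considered at all.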