June 23, 2012

Call Centers And PCI Compliance

A big thank you to the reader who suggested this post by submitting a number of call center questions to my Miscellaneous Questions page.

Based on their questions, the first clarification that needs to be made is in regards to pre-authorization data.  In a call center environment where operators are taking orders over the phone and accepting credit/debit cards for payment, until the card transaction is either approved or declined, we are talking pre-authorization data.  Only cardholder data after authorization or decline (also known as post-authorization data) is covered by the PCI DSS.

However, as I have noted before, the card brands expect pre-authorization data to be protected with the same rigor as post-authorization data. The PCI DSS can provide organizations with a guideline on how to protect pre-authorization data, but pre-authorization data is not in scope for PCI compliance.

That said, just because it is not in scope for PCI compliance, do not think a QSA is not going to consider it. Any good QSA should review the pre-authorization process and identify any issues that might be present that could result in the compromise of pre-authorization data.

“Do we need a ‘clean room’?”

From a PCI compliance perspective, the answer is ‘no’, although there are a number of PCI requirements that would lead you to restrict what is in the actual call center.  However, best practice is to operate any call center handling potentially sensitive data in a ‘sterile’ environment.  That means clean desks, no personal items at the workstation, no paper and pens for writing things down, locked down workstations and other restrictions so that sensitive information is not leaked from the call center.

The idea for creating a sterile environment by banning cell phones and giving personnel lockers to secure their personal items is in line with what we see in call centers.  In addition, I think most call center organizations find that their clients require such approaches to ensure that their customers’ privacy and security is maintained.

In addition to all of the physical security, call center personnel need to be trained regarding security and privacy.  Call center personnel need to sign an agreement that says they acknowledge that they will be in contact with cardholder data and that the cardholder data is to be protected in compliance with the PCI DSS and other regulatory and legal requirements.

“Is it necessary to segregate our team responsible for taking credit card information?”

The PCI DSS does not require credit card handling call center personnel to be segregated from other call center personnel.  But again, best practice would be to put your credit card handling team together for a variety of other reasons.  Another best practice is to segregate call center teams that handle sensitive data from personnel that do not handle sensitive data.

“The PCI standard 3.3 is not very clear on the subject in my opinion.”

“ … however, parts of the standard seem to me very unclear.”

The first thing people responsible for call centers should do is read the PCI SSC’s FAQ (#5362) on call center recordings and PCI compliance.  The next thing they should do is read my postings on call center recordings.

Requirement 3.3 of the PCI DSS is very clear in my opinion.

“Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed).”

What I am sure is confusing are the caveats surrounding this requirement.  The first caveat states that personnel with a business need to know can have access to the full primary account number (PAN).  These personnel are typically accountants that work chargebacks and disputes, not call center personnel.  In a call center environment, the system may display the PAN for customer confirmation purposes.  However, once the PAN is submitted for authorization, the full PAN must no longer be available and must be masked to the first six digits and/or the last four digits.

The second caveat is that where legal or regulatory conditions apply, requirement 3.3 is superseded by any legal or regulatory conditions.  The best example of this is that United States’ federal law mandates the last four digits of the PAN be displayed on a POS receipt.  However, this second caveat should not impact any call center as they do not generate any documentation that would be regulated.
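As an added example (not from the original post), the display rule described above in code: the full PAN may be shown for customer confirmation until it is submitted for authorization, after which only a business-need-to-know role sees it unmasked and everyone else sees at most the first six and last four digits. The role names and the accepted PAN length range are assumptions for the example.

```python
import re

# Display policies permitted by Requirement 3.3; first six and last four is the maximum exposure.
MASK_POLICIES = {
    "first6_last4": (6, 4),
    "last4": (0, 4),
}

# Roles with a documented business need for the full PAN (assumed names for the example).
NEED_TO_KNOW_ROLES = {"chargeback_analyst", "dispute_accountant"}


def pan_digits(pan: str) -> str:
    """Strip separators (spaces, dashes) so masking windows count real digits."""
    digits = re.sub(r"\D", "", pan)
    # Assumed range: PANs in practice are 13 to 19 digits long.
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN length out of range")
    return digits


def mask_pan(pan: str, policy: str = "last4") -> str:
    """Return a masked copy of the PAN for on-screen display.

    Digits outside the leading/trailing windows are replaced with 'X'.
    The policy is rejected if it would leave no digit hidden.
    """
    digits = pan_digits(pan)
    lead, trail = MASK_POLICIES[policy]
    if lead + trail >= len(digits):
        raise ValueError("policy would expose the whole PAN")
    hidden = "X" * (len(digits) - lead - trail)
    return digits[:lead] + hidden + digits[len(digits) - trail:]


def pan_for_display(pan: str, submitted_for_auth: bool, role: str = "operator") -> str:
    """Decide what a call center screen may show at this point in the call.

    Before the PAN is submitted for authorization it may be echoed back for
    confirmation; afterwards it is masked unless the viewer has a need to know.
    """
    if not submitted_for_auth or role in NEED_TO_KNOW_ROLES:
        return pan_digits(pan)
    return mask_pan(pan, "first6_last4")
```

Logging or screen-capture tooling on the workstation should call `mask_pan` rather than `pan_for_display`, so the confirmation-time full PAN never lands in a persistent store.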

“I know that there are system requirements.”

Another area where call centers can be at risk is the call center workstation, because the workstation comes into contact with cardholder data. How the workstation is used and configured determines the level of security it requires.

The big move in call centers today is to use virtual workstations either through Citrix, VMware or similar solutions.  In these situations, the workstation is just a display device.  The server creating the virtual desktops needs to be physically and/or logically segregated from other virtual servers.

The threat to a physical workstation in any environment is that a keyboard logger is installed to record everything typed into it. As a result, the physical workstation needs to have its system/event logs monitored and have anti-virus, anti-malware and critical file monitoring implemented.

Hopefully this answers a lot of the questions call centers have regarding PCI compliance.


6 Responses to “Call Centers And PCI Compliance”


  1. Charles Yamasaki
    July 9, 2014 at 10:51 PM

    Good info. Got a question as it pertains to Call Center staff members outbound access to the Internet and 1.2.1 – Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment. What is best practice? Should they be completely restricted to job function web sites and services only, or can they at least browse news, research, educational sites?

    • July 10, 2014 at 4:50 AM

      Most call centers restrict operator access to only those sites that are necessary for their job function. If you wish to provide access to news, research and education sites, that is up to your organization to establish that as your policy. However, you then increase the risk that your operator workstations could be infected by malware, so you might then want to consider using a file monitoring program to enhance your anti-virus solution to mitigate the risk.

  2. Lorenzo
    May 20, 2014 at 6:11 AM

    You are mentioning that the threat to a physical workstation is a key logger, but is it not also a threat to a ‘virtual’ workstation?

    • May 20, 2014 at 7:04 AM

      Yes, a keyboard logger is a threat to the virtual workstation as well. The FIM and other controls on the virtual workstation can flag that issue and take the virtual workstation image out of service until the problem is addressed. That way the physical workstation can meet a reduced set of controls such as anti-virus, basic security hardening and current patching.

  3. April 24, 2014 at 8:44 PM

    It is imperative that the vendor has to properly inform and educate the call center agents about the importance of how to properly handle cardholder data. It is sensitive information and they wouldn’t want other people to handle their data in a haphazard way. This is another thing that vendors have to do to make sure that such information is kept as secure as possible.

    • April 26, 2014 at 7:00 AM

      Training of call center employees is a given and is covered in the requirements under 12.6. However that is the responsibility of the call center employer, not a vendor.

      Vendor security of call center equipment such as the call manager and call center applications is another story. With the advent of voice over IP (VoIP), call managers are just another server with the PABX applications running. Unfortunately, like cell phones and other embedded devices, once a vendor moves on to the next generation, the older PABX solutions are left by the wayside never to be upgraded. Given that most organizations desire 10+ years out of a PABX like they used to get, this means that there are a lot of organizations running older VoIP call managers that are very vulnerable to attack.
