23 Jun 12

Call Centers And PCI Compliance

A big thank you to a reader who suggested this post by submitting a number of call center questions to my Miscellaneous Questions page.

Based on their questions, the first clarification that needs to be made is regarding pre-authorization data. In a call center environment where operators are taking orders over the phone and accepting credit/debit cards for payment, until the card transaction is either approved or declined, we are talking about pre-authorization data. Only cardholder data after authorization or decline (also known as post-authorization data) is covered by the PCI DSS.

However, as I have noted before, the card brands expect pre-authorization data to be protected with the same rigor as post-authorization data. The PCI DSS can provide organizations with a guideline on how to protect pre-authorization data, but pre-authorization data is not in scope for PCI compliance.

That said, just because it is not in scope for PCI compliance, do not think a QSA is not going to consider it. Any good QSA should review the pre-authorization process and identify any issues that might be present that could result in the compromise of pre-authorization data.

“Do we need a ‘clean room’?”

From a PCI compliance perspective, the answer is ‘no’, although there are a number of PCI requirements that would lead you to restrict what is in the actual call center.  However, best practice is to operate any call center handling potentially sensitive data in a ‘sterile’ environment.  That means clean desks, no personal items at the workstation, no paper and pens for writing things down, locked down workstations and other restrictions so that sensitive information is not leaked from the call center.

The idea of creating a sterile environment by banning cell phones and giving personnel lockers to secure their personal items is in line with what we see in call centers. In addition, I think most call center organizations find that their clients require such approaches to ensure that their customers’ privacy and security are maintained.

In addition to all of the physical security, call center personnel need to be trained regarding security and privacy.  Call center personnel need to sign an agreement that says they acknowledge that they will be in contact with cardholder data and that the cardholder data is to be protected in compliance with the PCI DSS and other regulatory and legal requirements.

“Is it necessary to segregate our team responsible for taking credit card information?”

The PCI DSS does not require credit card handling call center personnel to be segregated from other call center personnel.  But again, best practice would be to put your credit card handling team together for a variety of other reasons.  Another best practice is to segregate call center teams that handle sensitive data from personnel that do not handle sensitive data.

“The PCI standard 3.3 is not very clear on the subject in my opinion.”

“ … however, parts of the standard seem to me very unclear.”

The first thing people responsible for call centers should do is read the PCI SSC’s FAQ (#5362) on call center recordings and PCI compliance.  The next thing they should do is read my postings on call center recordings.

Requirement 3.3 of the PCI DSS is very clear in my opinion.

“Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed).”

What I am sure is confusing are the caveats surrounding this requirement.  The first caveat states that personnel with a business need to know can have access to the full primary account number (PAN).  These personnel are typically accountants that work chargebacks and disputes, not call center personnel.  In a call center environment, the system may display the PAN for customer confirmation purposes.  However, once the PAN is submitted for authorization, the full PAN must no longer be available and must be masked to the first six digits and/or the last four digits.

The second caveat is that where legal or regulatory conditions apply, requirement 3.3 is superseded by those legal or regulatory conditions. The best example of this is that United States federal law mandates the last four digits of the PAN be displayed on a POS receipt. However, this second caveat should not impact any call center, as call centers do not generate any documentation that would be regulated.
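To make the masking rule concrete, here is an added example (not code from the original post) that masks a PAN to at most the first six and last four digits and then checks a post-authorization screen dump or log for any full PAN that was not masked. The Luhn check, the `*` mask character, and the sample log lines are my assumptions, constructed for this example.

```python
import re

# PCI DSS 3.3 masking and a leak check for call center screens/logs.
# Added example, not from the original post; the sample lines below are constructed.

def luhn_ok(digits: str) -> bool:
    """Luhn check used by card numbers; filters out order ids and phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str, show_first: int = 6, show_last: int = 4) -> str:
    """Return the PAN masked for display: at most the first six and last four digits."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
        raise ValueError("not a valid PAN")
    if not (0 <= show_first <= 6 and 0 <= show_last <= 4):
        raise ValueError("PCI DSS 3.3 allows at most the first six and last four digits")
    hidden = len(digits) - show_first - show_last
    return digits[:show_first] + "*" * hidden + digits[len(digits) - show_last:]

# 13-19 digits, optionally separated by single spaces or dashes, not part of a longer digit run
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def find_unmasked_pans(text: str) -> list[str]:
    """Return full, Luhn-valid PANs found in text such as a post-authorization screen or log."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found

# Constructed sample of what an order system might write after authorization.
SAMPLE_LOG = "\n".join([
    "order 1001 card 4111 1111 1111 1111 auth=APPROVED",   # full PAN retained: violation
    "order 1002 card 411111******1111 auth=DECLINED",      # masked per 3.3: fine
    "order 1003 ref 5551234567890 amount 42.00",           # 13 digits but fails Luhn: not a PAN
])

if __name__ == "__main__":
    print(mask_pan("4111 1111 1111 1111"))        # 411111******1111
    print(find_unmasked_pans(SAMPLE_LOG))          # ['4111111111111111']
```

Running `find_unmasked_pans` over screen captures or application logs after the authorization step is one way to verify that the full PAN really is no longer available to operators.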

“I know that there are system requirements.”

Another area where call centers can be at risk is the call center workstation, because the workstation comes into contact with the cardholder data. How the workstation is used and configured will determine the level of security it needs.

The big move in call centers today is to use virtual workstations either through Citrix, VMware or similar solutions.  In these situations, the workstation is just a display device.  The server creating the virtual desktops needs to be physically and/or logically segregated from other virtual servers.

The threat to a physical workstation in any environment is that a keyboard logger is installed to record everything typed into it. As a result, the physical workstation needs to have its system/event logs monitored and have anti-virus, anti-malware and critical file monitoring implemented.

Hopefully this answers a lot of the questions call centers have regarding PCI compliance.


15 Responses to “Call Centers And PCI Compliance”


  1. October 8, 2014 at 3:15 PM

    Ok. I get call recordings and the storage. But the transmission is still unclear. More and more call centers have remote agents working from home. A call comes into them via a typical analog landline or perhaps the agent is using VOIP from a service provider like Comcast or Vonage. A customer speaks their PAN and CVV. We have had our security team state these agents must use analog landlines as VOIP is generally not encrypted over the public telephone network. What do you say?

    • October 9, 2014 at 5:40 AM

      VoIP is a pain, but can be encrypted and that is what the call centers I work with are doing to secure it for remote operators. The remote operators are required to use a soft phone on a computer/terminal supplied by the call center, no personal gear allowed. They connect over an SSL or IPSec VPN to the call center’s network and then can send and receive calls. They are monitored like any other operator but are not allowed to operate as a remote operator until they have been “certified” by the call center to work remotely. That certification process can include working for a year or more as well as specialized training.

  2. Syusakura
    September 14, 2014 at 9:57 PM

    hi PCIGuru..
    I just want to know, since I am new to this PCI, what about the layout of the office needed when complying with PCI? For example, do we need an isolated room or separate room to place the card swiper so there will be no leakage? Another thing: when the organization changes its building or migrates to a new place, what needs to be complied with by the organization?

    thank you for your time..

    • September 16, 2014 at 5:56 AM

      You need to ensure the physical security of the point of interaction (POI) or card terminal.

      Properly configured, a POI should never “leak” card information because it does not store it. But that is the operative phrase, “properly configured”. I have encountered units from very reputable firms that need to be configured by the merchant so that the POI does not store cardholder data.

      There are people that swap out a POI for a tampered-with POI, so you should make sure that it cannot be changed out without someone’s approval and knowledge. This is why some merchants lock their POI down in a cradle. That may or may not always be possible. I have some clients that keep their POI in a locked drawer and only bring it out when needed.

      The bottom line is to use your best judgement and protect your POI as best you can based on your situation.

      • Syusakura
        September 16, 2014 at 6:01 PM

        Thanks PCIGuru for answering my question.
        Another thing, sorry for asking more questions. It’s just that I don’t really understand: if we change our building, the rules are still the same, right? We just need to ensure the safety of our POI, right? There are no such rules applied, right?
        Thank you again.

      • September 17, 2014 at 4:56 AM

        You need to protect the point of interface (POI) regardless of how you configure your facility. If the POI is public facing as with a grocery, pharmacy or gas station, then you will likely have much more security than if you are using the POI in a mail order/telephone order (MOTO) situation where the public is not involved.

        Regardless, there will be some amount of security in any location to minimize the potential of POI tampering.

    • Syusakura
      September 18, 2014 at 2:44 AM

      Ok, thank you PCIGuru for assisting me.

  3. Charles Yamasaki
    August 26, 2014 at 1:48 PM

    PCIGURU, thanks. One other question… you mentioned the risk of malware, but what about the concern of data leakage with a more lenient Internet outbound policy? An example would be that cardholder data could potentially be posted to a blog.

    • August 27, 2014 at 5:27 AM

      No doubt about it. If an organization has outbound network traffic policies that allow access to just about anything on the Internet, it will not stop much of anything.

  4. Charles Yamasaki
    July 9, 2014 at 10:51 PM

    Good info. Got a question as it pertains to call center staff members’ outbound access to the Internet and 1.2.1 – Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment. What is best practice? Should they be completely restricted to job function web sites and services only, or can they at least browse news, research and educational sites?

    • July 10, 2014 at 4:50 AM

      Most call centers restrict operator access to only those sites that are necessary for their job function. If you wish to provide access to news, research and education sites, that is up to your organization to establish that as your policy. However, you then increase the risk that your operator workstations could be infected by malware, so you might then want to consider using a file monitoring program to enhance your anti-virus solution to mitigate the risk.

  5. Lorenzo
    May 20, 2014 at 6:11 AM

    You are mentioning that the threat to a physical workstation is a key logger, but is it not also a threat to a ‘virtual’ workstation?

    • May 20, 2014 at 7:04 AM

      Yes, a keyboard logger is a threat to the virtual workstation as well. The FIM and other controls on the virtual workstation can flag that issue and take the virtual workstation image out of service until the problem is addressed. That way the physical workstation can meet a reduced set of controls such as anti-virus, basic security hardening and current patching.

  6. April 24, 2014 at 8:44 PM

    It is imperative that the vendor properly inform and educate the call center agents about the importance of how to properly handle cardholder data. It is sensitive information and they wouldn’t want other people to handle their data in a haphazard way. This is another thing that vendors have to do to make sure that such information is kept as secure as possible.

    • April 26, 2014 at 7:00 AM

      Training of call center employees is a given and is covered in the requirements under 12.6. However, that is the responsibility of the call center employer, not a vendor.

      Vendor security of call center equipment such as the call manager and call center applications is another story. With the advent of voice over IP (VoIP), call managers are just another server with the PABX applications running. Unfortunately, like cell phones and other embedded devices, once a vendor moves on to the next generation, the older PABX solutions are left by the wayside never to be upgraded. Given that most organizations desire 10+ years out of a PABX like they used to get, this means that there are a lot of organizations running older VoIP call managers that are very vulnerable to attack.

