If you accept, process, store or transmit credit card information, you must be Payment Card Industry Data Security Standard (PCI DSS) compliant. Every Sitel Group contact center involved in such activities is PCI compliant, but what is PCI DSS compliance and how does a company ensure it meets the requirements?
Simply put, PCI compliance means understanding and applying a set of six security objectives agreed and enforced by the Payment Card Industry Standards Council (an organization founded by the leading card providers, including MasterCard and American Express). These objectives must be constantly maintained and monitored so that credit, debit and prepaid card transactions and the associated data, including account numbers, cardholders’ names, card expiration dates and service codes, are secure.
The first step on the PCI compliance checklist is making sure there is a firewall in place covering every device in the building that is connected to the internet, so that cardholder data is protected. This firewall must also limit inbound and outbound traffic to what is necessary for transactions.
In addition to the network, devices and applications must also be secure. This means ensuring that no equipment provided by a vendor or other third party is still using a default password or default security settings, since such defaults are easy for an attacker looking to gain unauthorized access to discover. A company therefore needs to develop and apply its own best-practice security standards for all components, be they operating systems or point-of-sale terminals.
Just as with protecting a password for a web-based service, all data relating to the cardholder needs to be hashed and masked for PCI compliance. Storage of this data has to be kept to a minimum, with a clear process established for handling and deleting it. What’s more, a company must ensure that when this data is transmitted it is fully encrypted and never sent over an open network or via channels such as SMS or email.
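As an added illustration of the masking and hashing point (example code written for this page, not Sitel Group's or the PCI SSC's), the block below masks a primary account number for display and derives a lookup token from it. It assumes the common first-six/last-four masking limit and deliberately uses a keyed HMAC rather than a bare hash, because the space of valid card numbers is small enough that an unkeyed hash could be reversed by enumeration; the key and sample number are constructed values.

```python
import hashlib
import hmac
import re

# Assumed policy (not stated on the page): show at most the first six
# and last four digits of a PAN. Everything else is replaced with "X".


def luhn_valid(pan: str) -> bool:
    """Luhn checksum, so malformed input is rejected before it is stored."""
    digits = [int(c) for c in pan]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Return the PAN in masked form suitable for receipts and screens."""
    pan = re.sub(r"\D", "", pan)            # drop spaces and dashes
    if not (13 <= len(pan) <= 19) or not luhn_valid(pan):
        raise ValueError("not a well-formed PAN")
    if keep_first > 6 or keep_last > 4:
        raise ValueError("policy allows at most first six and last four")
    hidden = len(pan) - keep_first - keep_last
    return pan[:keep_first] + "X" * hidden + pan[-keep_last:]


def pan_token(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) used as a stable, non-reversible lookup key.
    The key must live outside the token store, e.g. in an HSM or KMS."""
    pan = re.sub(r"\D", "", pan)
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    KEY = b"constructed-demo-key-keep-in-an-hsm"      # constructed value
    sample = "4111 1111 1111 1111"   # well-known test number, not a real account
    print(mask_pan(sample))          # 411111XXXXXX1111
    print(pan_token(sample, KEY)[:16] + "...")
```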
Any system that could be affected by malware, including servers and employee desktops, must be protected by up-to-date, best-of-breed anti-virus programs and by up-to-date operating systems and associated applications. In practice this means proactively monitoring for and installing all patches.
Alongside antivirus programs, PCI compliance means all systems and applications need to be secure; this requires constant monitoring for vulnerabilities and defining a clear process for identifying and mitigating potential risks. It also means that all employees on the network, whether they handle cardholder data or not, have the necessary security training so they keep the network safe.
This point on the PCI compliance checklist is about restricting access to any system that stores data to those who need it, and only when they need it. Everyone accessing the system has a unique ID, a password and an individual level of clearance, so that they can only reach the information that is directly pertinent to the task at hand.
All passwords need to be changed at least every 90 days. Systems also need to be protected with automated lockout when a user fails to log on multiple times, and with automatic timeouts when a session is left open for too long: for example, if a session starts and is then idle for 15 minutes, that user is logged out and has to start again from scratch.
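The three controls in this paragraph, as an added example that is not part of the original post or of any Sitel Group system: the 90-day password age and 15-minute idle timeout come from the text, while the five-failure lockout threshold and the `Account`/`Session` structures are assumptions made here. The clock is passed in explicitly so the rules can be exercised without waiting.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

IDLE_TIMEOUT_SECONDS = 15 * 60            # from the text: 15 idle minutes
PASSWORD_MAX_AGE_SECONDS = 90 * 24 * 3600  # from the text: change every 90 days
MAX_FAILED_LOGINS = 5                      # assumed threshold for this example


@dataclass
class Account:
    user_id: str
    password_set_at: float      # epoch seconds when the password was last changed
    failed_logins: int = 0
    locked: bool = False


@dataclass
class Session:
    user_id: str
    last_activity: float


class AccessPolicy:
    """Enforces lockout, password age and idle timeout for one application."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}

    def login(self, acct: Account, password_ok: bool, now: float) -> Tuple[Optional[Session], str]:
        if acct.locked:
            return None, "locked"
        if now - acct.password_set_at > PASSWORD_MAX_AGE_SECONDS:
            return None, "password expired"     # force a change before entry
        if not password_ok:
            acct.failed_logins += 1
            if acct.failed_logins >= MAX_FAILED_LOGINS:
                acct.locked = True              # needs an administrator to clear
                return None, "locked"
            return None, "bad password"
        acct.failed_logins = 0                  # reset counter on success
        self.sessions[acct.user_id] = Session(acct.user_id, now)
        return self.sessions[acct.user_id], "ok"

    def touch(self, user_id: str, now: float) -> bool:
        """Call on every request. Returns False and ends the session if idle."""
        s = self.sessions.get(user_id)
        if s is None:
            return False
        if now - s.last_activity >= IDLE_TIMEOUT_SECONDS:
            del self.sessions[user_id]          # user must log in again
            return False
        s.last_activity = now
        return True
```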
Beyond digital, physical access must also be tightly controlled. Sensitive areas of the premises, such as where servers are stored, need to be monitored by camera. There has to be a secure point of entry and exit into the building where everyone who arrives, staff and visitors alike, is logged and given a pass that indicates who they are and restricts the parts of the building they can access based on their role or their reason for visiting. For the same reason, all media and smartphones need to be surrendered before entry.
If a building receives a lot of visitors or has a large number of employees, regular device inspections are necessary where all work terminals and other equipment connected to the network are examined to check for signs of tampering or misuse.
All access to network resources and cardholder data must be tracked and audited in case there are any discrepancies. In turn, these audit trails must be secure so they can’t be edited or altered. Meanwhile, logs relating to security events and systems that store cardholder data have to be reviewed every day.
Alongside audits and activity reviews, internal and external network vulnerability scans need to be carried out at least four times a year and immediately after any change to the network, such as a software upgrade.
None of the above objectives can be met unless there is a clear policy in place that everyone understands and can follow, so that they do their jobs in line with the regulations. However, the policy itself is just one part of the puzzle: everyone who works for a company that handles and processes cardholder data needs to see security as business-as-usual.
Training is therefore necessary so that all employees understand PCI compliance and their own roles and responsibilities in protecting sensitive data and following best practices. As with network testing or monitoring, training should be an ongoing process.