February 6, 2019
The Payment Card Industry Security Standards Council (PCI SSC) recently unveiled revised guidelines for protecting telephone-based payment card data. The new guidelines explore the potential risks and security challenges associated with telephone-based card payment environments, such as call and contact centers in financial institutions like banks, loan providers, and credit bureaus.
The updated guidelines also underscore the urgency for financial institutions to protect telephone-based payments in order to keep up with the ever-changing technology and regulatory landscape as well as to safeguard against rising fraud incidents.
As the guidelines haven’t seen an update since 2011, let’s shed some light on the key updates and how the strategies and technologies recommended within can help businesses across the financial services industry achieve and maintain PCI DSS compliance and reduce the risks associated with potential data breaches.
Consumers expect banks and other financial services companies to provide top-notch security when it comes to their personally identifiable information (PII). These companies gather some of the most sensitive data from customers, including credit card numbers, banking details, social security numbers, birthdates, addresses, credit scores, and more.
However, some of the largest and most devastating data breaches have involved financial service providers. In fact, the most recent financial services data breach at Equifax affected over 143 million accounts in the US.
Financial institutions depend on payment card data and other sensitive information in order to conduct business, but without the right security controls in place, customers’ sensitive data can be put at risk, and concurrently, put the business at risk as well. Data breaches, fraud, and theft (from both internal and external sources) are becoming more sophisticated, frequent and costly.
According to a study from 2018, the average cost of a single data breach is nearly $4 million, which includes missed business opportunities due to reputational damage. While PCI DSS intends to help in reducing these risks and protecting both businesses and their customers’ data, it often adds complexity to an already complicated Card Not Present (CNP) payment environment.
The highly anticipated new guidelines provide a much clearer path for financial service providers looking to ensure PCI DSS compliance and provide critical recommendations on new technologies and processes for securing payment card data taken over the phone.
Using voice recognition or keypad entry, these systems allow contact centers or financial services agents to take payments without recording card details. However, this can have an adverse effect on customer experience and engagement; customers often do not know how to correct miskeyed information and are likely to hang up the phone at the first sign of difficulty. This means they end up giving their payment details to an agent rather than a machine, thus exposing the agent to sensitive information.
IVR systems can also increase average handling time (AHT) and reduce first contact resolution (FCR), both of which can negatively impact the customer journey and increase contact center costs.
Pausing the call recording the moment a payment is taken is often a suggested way for contact centers to comply with the PCI DSS. However, both the agent and their desktop computer are still within scope for PCI DSS – the agent hears and inputs the information, which passes through the network infrastructure.
In addition, pause and resume solutions are prone to failure, especially if they are manually operated by an agent who may forget to pause the recording and accidentally log sensitive data. Manually operated pause and resume systems also require additional controls outlined in the new guidelines.
Many organizations believe that encrypting their call recordings will manage the risks of storing Sensitive Authentication Data (SAD). However, PCI DSS explicitly prohibits the storing of SAD (including CVC2 and CVV2 security codes which should not be stored under any circumstances, even if encrypted).
Removing customers’ payment card data, as well as other PII from the contact center altogether, is the only secure solution.
The updated guidelines recommend scope reduction techniques and technologies, including managed and unmanaged Dual-Tone Multi-Frequency (DTMF) masking solutions, to entirely remove cardholder data from the contact center environment.
Using DTMF masking technology, financial service agents can have customers enter their payment card information directly into their telephone keypad while remaining in full voice communication throughout the process.
The DTMF key tones are then masked with flat tones, rendering them indecipherable on the receiving end and on call recordings. This alleviates the need for solutions like pause-and-resume, or stop/start recording, providing a more seamless and secure way for financial institutions to process sensitive card data.
With DTMF masking technology, financial service providers can simplify PCI DSS compliance and avoid hefty noncompliance fines, all the while safeguarding data, maintaining customer trust, and reducing the risk of a reputation-damaging data breach.
As the number of digital transactions grows every day – digital payments are expected to hit 726 billion by 2020 – so does the amount of fraud. The risk to financial institutions of suffering a data breach has never been greater; the consequences can be far-reaching, resulting in monetary penalties and more often than not, irreparable damage to a brand’s reputation. In the decade between 2007 and 2017, banks around the world have paid about $321 billion in fines as regulators stepped up scrutiny. North American banks accounted for nearly 63% of the total fines, or about $204 billion, during 2009–2016.
While compliance with the PCI DSS does not ensure foolproof protection against a data breach, taking the steps outlined in the standard can greatly help to reduce the risk of one.