The Compliance Calendar: How to stay on top of your security year-round

PCI DSS compliance is one of the most beneficial things that a company can do to ensure it remains protected in the war against data breaches. Achieving compliance will also ensure that a company maintains better working relationships with its clients, offering them peace of mind, and encourages staff into safe and reliable habits.

Although this used to be a case of undergoing assessment once a year to ensure a business is compliant, it’s now an ongoing task, with the introduction of PCI DSS 3.2, which calls for ongoing proof that a business is compliant.

It’s no longer enough to show that you comply every year when your assessment comes up, and with such a big change to the way PCI DSS works, the question arises – how can businesses make sure they’re ready for the next round of the regulations?

Pause and resume

Pausing the call and then resuming after the transaction has been completed would seem a good alternative to storing customer data as it means no data is recorded and so isn’t available in the company’s systems.

However, this means there isn’t an audit trail that the transaction took place and you would no longer be able to provide the information if required by the Payment Card Industry Security Standards Council.

Additionally, manual pause and resume systems are not considered as PCI DSS compliant because they could potentially be open to abuse by employees. Automated systems can be difficult to implement, with a lot of groundwork needed to identify when to pause and resume.

This method only takes the call recording out of scope, not the entire process of storing data, which still needs to be audited.

Descoping

The most effective way to ensure you aren’t chained to compliance is to descope entirely, meaning remaining compliant is no longer an issue.

Descoping from PCI DSS means removing all data from the contact centre, so there’s essentially nothing there for criminals to steal should they gain access to your network.

In a regular contact centre, whenever a customer offers their payment details, the contact centre operative is exposed to it, before the data is transferred via the voice network onto the computer of the employee, through the network onto virtual and physical servers.

All of this infrastructure is within the scope of PCI DSS and must therefore be protected as dictated as per PCI DSS.

However, take the entire process of customer verbally passing their payment details to the contact centre employee by using a system such as dual tone multi frequency (DTMF), where the details are never passed to people or stored within the company’s network and your business has a significantly reduced set of PCI DSS obligations.

What else can you do to ensure you remain compliant?

It’s critical that you to stay on top of any changes that might take place. You should acquaint yourself with the latest requirements and get them dialled in to your processes as soon as possible.

After all, the last thing you want to face is repercussions for failing to comply with new responsibilities when you’ve been diligently working to ensure that you comply with older ones.

Keeping on top of your antivirus and anti-intrusion software solutions should be a priority. Automating scans and penetration tests should also be high up on your list of priorities, given the fact that many malicious viruses and exploits enter networks from employee email activity.

You should also ensure that software updates are installed on a regular basis to plug holes and shore up vulnerabilities.

Making sure that you have staff with the latest knowledge and training you will be ensuring your continued PCI DSS compliance and, as a result, your ongoing success. After all, an estimated 60 per cent of all data breaches come by way of employees and corporate partners, so it is in your interest to make sure they understand their security responsibilities.

Tony Smith, Sales Director – EMEA, PCI Pal – www.pcipal.com

PCI DSS compliance is one of the most beneficial things that a company can do to ensure it remains protected in the war against data breaches. Achieving compliance will also ensure that a company maintains better working relationships with its clients, offering them peace of mind, and encourages staff into safe and reliable habits.

Although this used to be a case of undergoing assessment once a year to ensure a business is compliant, it’s now an ongoing task, with the introduction of PCI DSS 3.2, which calls for ongoing proof that a business is compliant.

It’s no longer enough to show that you comply every year when your assessment comes up, and with such a big change to the way PCI DSS works, the question arises – how can businesses make sure they’re ready for the next round of the regulations?

Pause and resume

Pausing the call and then resuming after the transaction has been completed would seem a good alternative to storing customer data as it means no data is recorded and so isn’t available in the company’s systems.

However, this means there isn’t an audit trail that the transaction took place and you would no longer be able to provide the information if required by the Payment Card Industry Security Standards Council.

Additionally, manual pause and resume systems are not considered as PCI DSS compliant because they could potentially be open to abuse by employees. Automated systems can be difficult to implement, with a lot of groundwork needed to identify when to pause and resume.

This method only takes the call recording out of scope, not the entire process of storing data, which still needs to be audited.

Descoping

The most effective way to ensure you aren’t chained to compliance is to descope entirely, meaning remaining compliant is no longer an issue.

Descoping from PCI DSS means removing all data from the contact centre, so there’s essentially nothing there for criminals to steal should they gain access to your network.

In a regular contact centre, whenever a customer offers their payment details, the contact centre operative is exposed to it, before the data is transferred via the voice network onto the computer of the employee, through the network onto virtual and physical servers.

All of this infrastructure is within the scope of PCI DSS and must therefore be protected as dictated as per PCI DSS.

However, take the entire process of customer verbally passing their payment details to the contact centre employee by using a system such as dual tone multi frequency (DTMF), where the details are never passed to people or stored within the company’s network and your business has a significantly reduced set of PCI DSS obligations.

What else can you do to ensure you remain compliant?

It’s critical that you to stay on top of any changes that might take place. You should acquaint yourself with the latest requirements and get them dialled in to your processes as soon as possible.

After all, the last thing you want to face is repercussions for failing to comply with new responsibilities when you’ve been diligently working to ensure that you comply with older ones.

Keeping on top of your antivirus and anti-intrusion software solutions should be a priority. Automating scans and penetration tests should also be high up on your list of priorities, given the fact that many malicious viruses and exploits enter networks from employee email activity.

You should also ensure that software updates are installed on a regular basis to plug holes and shore up vulnerabilities.

Making sure that you have staff with the latest knowledge and training you will be ensuring your continued PCI DSS compliance and, as a result, your ongoing success. After all, an estimated 60 per cent of all data breaches come by way of employees and corporate partners, so it is in your interest to make sure they understand their security responsibilities.

Tony Smith, Sales Director – EMEA, PCI Pal – www.pcipal.com