Achieving Payment Card Industry Data Security Standard compliance with Amazon Connect couldn’t be easier. Here we will explore what the criteria are and how they can be met.
What is Payment Card Industry Data Security Standard?
Payment Card Industry Data Security Standard, or PCI DSS, is a standard developed by Amex, Discover, JCB, Mastercard and Visa and administered by the PCI Security Standards Council. All entities that store, process or transmit cardholder data (CHD) are required to adhere to it.
Why is it more important than ever to be Payment Card Industry Data Security Standard compliant?
This year (2020) has been a huge year for technology adoption, with some saying the growth in this year alone would normally equate to 6 or 7 years. PCI DSS payment systems are getting a lot of traction this year because of the sharp increase in homeworking. Homeworking introduces a new risk: payment data such as the PAN or CVV may not be handled, processed or transmitted correctly.
Whilst there is no specific mention of telephony in the standard, it does apply, because payments are being made over the phone or, more specifically, processed by an IVR. The act of processing the payment and collecting the PAN and CVV over the phone means the telephony platform is in scope.
Cost of PCI DSS
Sadly, many Contact Centres still take the risk of not adhering to PCI DSS. The reason for this is that it can be an awfully expensive standard to adhere to. If the Contact Centre is in scope for PCI DSS, here are some examples of what compliance requires:
- Protect the environment using firewalls and a DMZ.
- Configure access methods to prevent unauthorised access.
- Enforce a strong password policy and use MFA where possible.
- Keep your systems patched to the latest releases.
- Ensure anti-virus is up to date.
- Encrypt all transmitted data. This includes any telephony media streams and/or any APIs that process the payment.
- Track all access to systems holding data that is in scope for PCI DSS.
- Carry out and document penetration testing.
- Complete regular audits of all areas subject to PCI DSS. Repeat this process every 6-12 months. This is best achieved by bringing in an independent third-party auditor.
- Document all of the above measures and ensure the documentation is kept up to date.
What is the implication of fraud?
The industry bears the brunt of these costs with an estimated cost of £620 million in the UK alone. This is set to increase substantially in 2020 and going forward.
However, is this the only real impact of payment fraud? We know there is a much bigger risk: if a breach escalates and becomes public, the damage to the service provider is far more harmful (TalkTalk found this out the hard way). Customers’ payment data can then be reused for further fraud and scam calls, credit ratings are affected and, in some cases, identity theft can occur.
Areas of vulnerability in the payment process
- Customers may enter their PAN or CVV using DTMF when the IVR system asks the caller to enter the details. The media stream between the customer and the IVR needs to be encrypted to prevent anyone or anything listening in (even at the network layer).
- Customers may speak their PAN or CVV when the IVR system asks the caller to enter the details. As above, the media stream between the customer and the IVR needs to be encrypted to prevent anyone or anything listening in. Additionally, the media stream from the IVR to the system that interprets the voice needs to be configured so that the stream is encrypted and the PAN and CVV are never written to logs.
Agent led Payment
- The media/audio stream between the customer and the agent needs to be encrypted and protected.
- Some companies allow an advisor to openly ask the customer for their PAN and CVV. The risk is that the employee could write the numbers down. It has even been known for a PAN and CVV to be memorised.
- Call recording software could also record the customer reading out, or the agent entering, the PAN and CVV into the payment system. Pause-and-resume systems require the customer service advisor to invoke the pause, or need complex integrations, before the transactions can be considered fully secure.
Legacy Payment Card Industry Data Security Standard Solutions were complex and costly.
PCI DSS solutions have been around for some time. However, they have historically been very complicated and have required significant investment.
The standard solutions were typically DTMF suppression and/or pause and resume. Here is some information on how they worked:
Legacy DTMF suppression.
Legacy DTMF suppression solutions worked by routing the telephony lines first into a private data centre hosted by the PCI provider. This data centre had the controls and features to manage the suppression. From there, the telephony lines went on to the end client’s PBX. Be aware that all lines into the business had to pass through the PCI DSS data centre, as there is no way to predict which lines payments will be made from. When the IVR or the advisor was about to request the PAN or CVV, a signal (typically a DTMF pattern such as #388*) was sent down the telephony line. The PCI DSS data centre would then invoke DTMF suppression, making it impossible for the data to be stored, heard or written down. This system worked well but was complex and costly, and if the end client required DR there were further implications to consider.
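The suppression point described above can be modelled as a small state machine over the DTMF key stream. The following is an added example, not code from the original post or from any PCI provider: it treats the #388* pattern quoted above as the arming signal (an assumption, as is the use of a single # to disarm), diverts the card digits to a secure capture path, and forwards only masked tones to the recording and agent side. The captured digits are Luhn-checked before they are passed on. The card number used in the usage call is the well-known Visa test number, not real card data.

```python
from typing import Tuple

# Control signalling assumed by this example: the arming pattern is the one quoted
# in the text; the disarm key is an assumption for illustration only.
ARM_PATTERN = "#388*"
DISARM_KEY = "#"
MASK = "*"


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: a cheap sanity check on the captured PAN before forwarding."""
    if not digits.isdigit() or len(digits) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def suppress_dtmf(events: str) -> Tuple[str, str]:
    """Simulate the suppression point in the PCI provider's data centre.

    `events` is the ordered string of DTMF keys seen on the line. Returns
    (downstream, captured): what the recording platform / agent side receives,
    and the digits diverted to the secure payment capture path. The arming
    signal itself is consumed and never forwarded downstream.
    """
    downstream, captured = [], []
    armed = False
    i = 0
    while i < len(events):
        if not armed and events.startswith(ARM_PATTERN, i):
            armed = True
            i += len(ARM_PATTERN)   # control signal is consumed, not forwarded
            continue
        key = events[i]
        if armed:
            if key == DISARM_KEY:
                armed = False       # end of sensitive entry, resume normal pass-through
            else:
                captured.append(key)
                downstream.append(MASK)  # downstream only ever sees a masked tone
        else:
            downstream.append(key)
        i += 1
    return "".join(downstream), "".join(captured)


def process_payment_entry(events: str) -> dict:
    """Run suppression and validate the capture; never return the PAN unmasked."""
    downstream, pan = suppress_dtmf(events)
    return {
        "downstream": downstream,
        "captured_len": len(pan),
        "luhn_ok": luhn_valid(pan),
    }


if __name__ == "__main__":
    # Constructed key stream: a menu choice, the arming signal, a test PAN, disarm, then more IVR input
    print(process_payment_entry("1#388*4111111111111111#9"))
```

The downstream string is what a call recorder or agent desktop would receive; the number of masked tones still reveals the PAN length, which is why real products also pad or remove the tones rather than simply replacing them.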
Pause and Resume
This solution was required to prevent sensitive data being recorded and stored on the call recording platform. It required integration with the recording platform (assuming APIs were available), so that recording was paused while the card details were spoken and resumed afterwards.
BEWARE – Impact of Covid-19 on PCI DSS.
Covid-19 has forced employees to work from home with little warning or time to adapt. The concern here is that, if you do not have a PCI DSS solution in place, advisors could write down the PAN and CVV in a notebook before entering it into the system. This data could then be lost or stolen, putting the service provider at huge risk.
Let’s de-scope Payment Card Industry Data Security Standard with Amazon Connect.
For IVR payments:
- Amazon Connect itself is PCI DSS compliant out of the box.
- In Amazon Connect, ensure that you have turned off logging for the contact flow that takes the PAN and CVV.
- If your CX strategy permits, only use DTMF to collect the PAN and CVV.
- Ensure that your AWS allow-listing is tightly managed.
- Limit the number of users that can access each of the AWS services.
- Require MFA for all users of the AWS services.
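The last two points (limit who can reach each service, and require MFA) are normally enforced in IAM. The following is an added example, not configuration from the original post or from AWS: it shows a constructed over-broad policy beside a least-privilege one that denies every action unless MFA was used, and a deliberately simplified evaluator (explicit deny wins, then allow, else implicit deny; only the BoolIfExists operator is modelled) so the difference can be exercised offline. The account id and instance id in the ARN are placeholders; the action names and the aws:MultiFactorAuthPresent condition key are real IAM identifiers.

```python
from fnmatch import fnmatchcase

# Placeholder ARN: account id and instance id are constructed, not real.
INSTANCE_ARN = "arn:aws:connect:eu-west-2:111122223333:instance/EXAMPLE-INSTANCE-ID"

# Weak: every Connect action on every instance, with no MFA requirement.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "connect:*", "Resource": "*"},
    ],
}

# Hardened: only the actions this role needs, on one instance, and an explicit
# deny of everything when the request was not authenticated with MFA.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["connect:DescribeInstance", "connect:ListContactFlows"],
            "Resource": INSTANCE_ARN,
        },
        {
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value: str) -> bool:
    """IAM-style wildcard match ('*' and '?') for actions and resources."""
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition: dict, context: dict) -> bool:
    """Teaching-aid evaluation: only BoolIfExists is modelled, not the full IAM operator set."""
    for operator, pairs in condition.items():
        if operator != "BoolIfExists":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                continue  # IfExists: a missing key satisfies the condition
            if str(actual).lower() != str(expected).lower():
                return False
    return True


def is_allowed(policy: dict, action: str, resource: str, context: dict) -> bool:
    """Simplified IAM decision: explicit deny wins, otherwise any matching allow, else deny."""
    decision = False  # implicit deny
    for statement in policy["Statement"]:
        if not _matches(statement["Action"], action):
            continue
        if not _matches(statement["Resource"], resource):
            continue
        if not _condition_holds(statement.get("Condition", {}), context):
            continue
        if statement["Effect"] == "Deny":
            return False
        decision = True
    return decision


if __name__ == "__main__":
    no_mfa = {}                                    # long-term access key, no MFA claim
    with_mfa = {"aws:MultiFactorAuthPresent": "true"}
    print("weak, delete without MFA:", is_allowed(WEAK_POLICY, "connect:DeleteInstance", INSTANCE_ARN, no_mfa))
    print("hardened, describe without MFA:", is_allowed(HARDENED_POLICY, "connect:DescribeInstance", INSTANCE_ARN, no_mfa))
    print("hardened, describe with MFA:", is_allowed(HARDENED_POLICY, "connect:DescribeInstance", INSTANCE_ARN, with_mfa))
    print("hardened, delete with MFA:", is_allowed(HARDENED_POLICY, "connect:DeleteInstance", INSTANCE_ARN, with_mfa))
```

BoolIfExists is used rather than Bool so that requests carrying no MFA claim at all (typically long-term access keys) are also denied; with plain Bool a missing key would not match and the deny would never fire.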
Agent led Payment:
With Amazon Connect it is possible to completely de-scope the contact centre from PCI DSS.
Option one is to mask the DTMF tones the caller presses when entering the PAN and CVV and, at the same time, have those digits populated automatically (masked, of course) on the agent screen. By doing this you completely remove the risk of an advisor writing down or memorising the card details.
A second option, available through our partner SVL, is to take the payment away from the telephony channel and divert the caller to another channel, such as the web, to complete the transaction.
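Option one depends on two controls working together: the PAN shown to the agent is masked to its last four digits, and nothing in the application logs ever carries a full PAN or a CVV. The following is an added example, not code from the original post or from Amazon Connect: a masking helper for the agent view plus a standard-library logging filter that redacts PAN-looking digit runs and CVV values before a line is written. The sample card number is the well-known Visa test number and the CVV is constructed; neither is real card data.

```python
import io
import logging
import re

# Constructed sample values; not real card data.
SAMPLE_PAN = "4111 1111 1111 1111"
SAMPLE_CVV = "123"

# 13-19 digit runs not embedded in a longer number (typical PAN lengths).
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")
# "cvv=123" / "CVV: 1234" style fields; the label is kept, the value is not.
CVV_RE = re.compile(r"(cvv\s*[=:]\s*)\d{3,4}", re.IGNORECASE)


def mask_pan(pan: str, keep_last: int = 4) -> str:
    """Masked form for the agent screen: only the last `keep_last` digits remain."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) <= keep_last:
        raise ValueError("PAN too short to mask safely")
    return "*" * (len(digits) - keep_last) + digits[-keep_last:]


def redact(text: str) -> str:
    """Redact full PANs and CVV values from free text before it reaches a log sink."""
    text = PAN_RE.sub(lambda m: mask_pan(m.group(0)), text)
    return CVV_RE.sub(r"\1***", text)


class PanRedactingFilter(logging.Filter):
    """Logging filter that rewrites the formatted message so the sink never sees card data."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()       # message is already fully formatted
        return True


def build_agent_view(pan: str, cvv: str) -> dict:
    """What the agent desktop is allowed to receive: masked PAN, CVV never exposed."""
    return {"pan_masked": mask_pan(pan), "cvv_supplied": bool(cvv)}


def demo_log_line() -> str:
    """Emit a constructed log line through the filter and return what was actually written."""
    stream = io.StringIO()
    logger = logging.getLogger("payment-demo")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.addFilter(PanRedactingFilter())
    logger.addHandler(handler)
    # Deliberately careless call: the filter is the safety net for exactly this mistake.
    logger.info("payment captured pan=%s cvv=%s amount=12.50", SAMPLE_PAN.replace(" ", ""), SAMPLE_CVV)
    handler.flush()
    return stream.getvalue().strip()


if __name__ == "__main__":
    print(build_agent_view(SAMPLE_PAN, SAMPLE_CVV))
    print(demo_log_line())
```

The filter is attached to the handler rather than the logger so it also catches records that arrive from child loggers; the CVV is never placed in the agent view at all, since PCI DSS does not permit it to be stored after authorisation and the agent has no need to see it.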
What does the Payment Card Industry Data Security Standard commercial structure look like with Amazon Connect?
Amazon Connect works on a pay-as-you-consume model. Consequently, any additional services added to support Amazon Connect are typically consumed in the same way. PCI DSS offerings from Route One Connect follow the same payment mechanism as Amazon Connect and, depending on which option you choose, are charged on a per-transaction basis.
Let’s wrap this up…
In short, given the cost to implement PCI DSS now with a modern PAYG system, why run the risk of getting caught? The damage to your brand, your customers’ well-being and general trust will be hit hard. Reach out to us and we can show you how a modern contact centre system looks and feels, and at the same time de-scopes PCI DSS. Get in touch!