Necessary Evil
Maintaining cardholder data security is one of the top priorities in a call center environment. It is also incredibly difficult, oftentimes putting IT teams between a rock and a hard place. Finding the balance between security and efficiency while maintaining PCI DSS standards is oftentimes easier said than done, often requiring sacrifices due to budget, friction, and limited technical capabilities.
Most Common PCI DSS Reasons For Failure
While we don't specialize in these particular areas as a vendor, we feel that it is important to understand PCI DSS requirements as a whole. We have compiled a list of some of the most common issues that occur during a PCI DSS audit that can and will render an organization non-compliant.
According to Carbide Secure, one of the most common PCI DSS failures is assuming that compliance doesn’t apply to you: “Many merchants assume that how they take or store payment card information makes them exempt from PCI DSS compliance without realizing that the standard applies to any transaction, transmission, or storage of payment card data. If you take payment card information by word of mouth and input it into a system to be stored, that is still being transmitted via a network through your bank.”
Jeremy Lacy, a senior consultant and QSA subject matter expert, also shared some insights into common PCI DSS failures in an article written for Forbes, highlighting the importance of:
- Network Configurations
- Network Segmentation
- Data Encryption
- Basic Configurations
- Physical Security
- Policies and Procedures
These common areas of failure boil down to two key things: a lack of understanding of the controls required, and infrastructure that is either not functioning properly or is misconfigured.
A New Focus on Authentication
If you have reviewed the most recent PCI DSS requirements in v4.0, you are well aware that the PCI SSC is doubling down on the importance of multi-factor authentication.
Now is the time to review the updated MFA requirements before PCI DSS 4.0 takes effect in March 2024. One notable difference between 4.0 and 3.2.1 is increased password scrutiny, which often falls into the basic configuration category when it comes to audits. Password complexity has become stricter in PCI DSS 4.0, but rotation requirements have relaxed: you’ll need to enforce at least 12, and probably 15, character alphanumeric passwords, and these will rotate once a year rather than once a quarter.
For outsourced contact centers and business process outsourcing (BPO) providers specifically, there are additional sub-requirements for credentials, which you can read more about in our PCI DSS 4.0 article.
The number one cause of MFA noncompliance that can cause an audit failure is improper configuration.
Common MFA Mistakes
The most common mistake with MFA is misunderstanding what is meant by “multi-factor authentication.” Some BPO call centers implement two different passwords, or a password and a knowledge-based authentication question like “what was your childhood pet?” While these are technically two separate credentials, both are “something you know,” so they don’t qualify as true MFA.
Similarly, some organizations set up multiple factors that can be compromised simultaneously. An example of this is email-based multi-factor authentication. If an attacker gains access to a user’s password and can access their workstation, where email is already logged in, they have easy access to any multi-factor PIN that gets sent to the user’s inbox.
Another requirement that’s easy to miss is session timeouts. PCI requirement 8.2.8 mandates that any session that has been idle for more than 15 minutes must automatically time out and require re-authentication. For organizations that require users to log into multiple systems throughout the day, those re-authentications can be time consuming and frustrating enough that security teams never get around to enforcing them.
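A small authentication-policy linter, added here as an example and not part of the original post, that encodes the pitfalls above (factors all from one category, factors that share a compromise path, and idle sessions past the 15-minute limit of 8.2.8) together with the 4.0 password rules discussed earlier. The factor-to-category mapping, the channel names and the function names are assumptions for illustration.

```python
from datetime import datetime, timedelta

IDLE_LIMIT = timedelta(minutes=15)   # PCI DSS 4.0 requirement 8.2.8
MIN_PASSWORD_LENGTH = 12             # 4.0 minimum; the post recommends 15
MAX_PASSWORD_AGE_DAYS = 365          # annual rotation replaces quarterly

# Which of the three factor categories each authenticator type belongs to.
# Constructed mapping for this example; extend it for your own authenticators.
FACTOR_CATEGORY = {
    "password": "knowledge", "pin": "knowledge", "kba_question": "knowledge",
    "email_otp": "possession", "sms_otp": "possession",
    "authenticator_app": "possession", "hardware_token": "possession",
    "fingerprint": "inherence",
}


def mfa_findings(factors):
    """factors: list of (kind, channel) pairs, channel being the device on which the
    factor is entered or received. Returns a list of findings; empty means it passes."""
    findings = []
    categories = {FACTOR_CATEGORY[kind] for kind, _ in factors}
    if len(categories) < 2:
        findings.append("all factors are from one category")
    channels = [channel for _, channel in factors]
    if len(set(channels)) < len(channels):
        # e.g. password typed on the workstation plus an OTP read from the mailbox
        # already open on that same workstation: one compromise yields both factors
        findings.append("two factors share a channel")
    return findings


def password_findings(password, days_since_change):
    """Check a password against the 4.0 length, composition and rotation rules."""
    findings = []
    if len(password) < MIN_PASSWORD_LENGTH:
        findings.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        findings.append("not alphanumeric")
    if days_since_change > MAX_PASSWORD_AGE_DAYS:
        findings.append("older than one year")
    return findings


def session_needs_reauth(last_activity_iso, now_iso):
    """True when the session has been idle longer than 15 minutes (ISO 8601 timestamps)."""
    idle = datetime.fromisoformat(now_iso) - datetime.fromisoformat(last_activity_iso)
    return idle > IDLE_LIMIT


if __name__ == "__main__":
    print(mfa_findings([("password", "workstation"), ("email_otp", "workstation")]))
    print(session_needs_reauth("2024-03-31T09:00:00", "2024-03-31T09:16:00"))
```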
Documenting Best Practices
There are some best practices that any organization can and should be practicing already and will set you up for success in the future.
Ensuring that you have internal policies and procedures is one. This may seem like an obvious must but has been known to fall through the cracks. Lacy breaks down exactly what this means in his article written for Forbes:
“To achieve PCI compliance, your company must draft a detailed Information Security Policy (there is a whole section covering the requirements for that policy) and a complete set of policies to document secure practices across the systems environment, including documentation for antivirus, network configurations, physical security, and more. Then, you also must create step-by-step procedure documentation that details all processes carried out in the systems environment. Finally, someone that is qualified (e.g., CIO, IT director, security manager) must review and date stamp the documents annually to ensure the documents stay current.”
A similar best practice that is often overlooked within the policies and procedures process itself is documenting significant changes. Experts recommend that every organization defines what constitutes “significant” and documents that clearly within its policies. Those policies should also detail how changes are applied to the cardholder data environment.
Don't Gamble With Compliance
Non-compliance comes with some pretty serious repercussions. When it comes to an organization's brand, failing to maintain compliance could cause significant harm to their reputation.
Loss of the ability to accept credit cards is another risk that organizations take if they are not diligent about maintaining compliance. The inability to process credit card transactions would be detrimental to most organizations, and a blow many would not survive.
The final, and possibly most commonly thought of, damage comes in the form of fines. Non-compliance fines can range anywhere from $5,000 to $100,000 per month until compliance is obtained. These fines do not include the cost of remediation, any potential infrastructure updates that might be necessary, or the cost of having a Qualified Security Assessor (QSA) evaluate your current environment, which alone can often cost upwards of $100,000.
Ultimately, when it comes to maintaining PCI DSS compliance, being proactive is a must. There are many vendors providing services that run the gamut from consulting to solutions. Finding a partner that is able to address your particular needs and supplement experience where your teams may be limited is one of the best approaches to ensuring company systems, policies, and procedures are up to standard.