For any organization, helpdesk tickets are a pain: a necessary evil that often requires significant time and resources to resolve, which can strain a contact center's agents and operations. Some tickets are simple fixes, but other issues can be highly complex, requiring specialized knowledge or technical expertise that may not always be available within the contact center's staff. However, in BPO contact centers, helpdesk tickets are about to get significantly more complex due to PCI DSS v4.0.
Agent identity is about to become much stricter due to the new requirements in PCI DSS v4.0. This is especially true for contact centers, specifically those handling outsourced customer service, which will now experience significant friction if unprepared. The team at Twosense has broken down these changes in detail, but something that continues to be overlooked is the impact one particular requirement will have.
For many BPOs, outsourced customer service is a significant portion of their business. As such, many agents are working from applications owned by the customers. PCI DSS v4.0 Requirements 8.3.10 and 8.3.10.1 will require BPO contact centers to ensure the customer rotates the agents' credentials every 90 days. Requirements 8.3.10 and 8.3.10.1 explicitly place the responsibility for awareness, notification, and enforcement of credential rotation, and therefore the liability for it, on the BPO.
8.3.10 Additional requirement for service providers only: If passwords/passphrases are used as the only authentication factor for customer user access to cardholder data (i.e., in any single-factor authentication implementation), then guidance is provided to customer users including:
- Guidance for customers to change their user passwords/passphrases periodically.
- Guidance as to when, and under what circumstances, passwords/passphrases are to be changed.
8.3.10.1 Additional requirement for service providers only: If passwords/passphrases are used as the only authentication factor for customer user access (i.e., in any single-factor authentication implementation) then either:
Passwords/passphrases are changed at least once every 90 days, [...]
In simple terms, BPOs will be responsible for ensuring that their customers rotate their agents' credentials in accordance with PCI DSS v4.0.
This will be a nightmare. BPOs will be required to coordinate with their customers' security teams to ensure credentials are rotated (unless certain new requirement conditions are met), increasing the workload on the customer. This will also require agents to submit tickets to the customer's helpdesk, creating further congestion. Beyond the 90-day password rotations, should agents forget their password or lose the hard token required to access the apps they need to do their job, they will again have to go through the customer's helpdesk. Compounding this are the new requirements around password complexity with 12-15 characters, which will make credential reset tickets even more frequent.
However, hidden in PCI DSS v4.0 is the guidance needed to mitigate this worst case. In the extra sub-requirement covering credentials for outsourced call centers and business process outsourcing (BPOs) specifically, PCI DSS v4.0 provides a single path to a 1-year credential rotation period:
“[...] OR the security posture of accounts is dynamically analyzed, and real-time access to resources is automatically determined accordingly.”
If you can show QSAs that the organization is dynamically assessing identity risk in real time, this requirement can be relaxed and rotation reduced to once a year. The definitions here rely on NIST SP 800-207, Zero Trust Architecture, which states that the “dynamic policy” governing access must consider “behavioral and environmental attributes” and that “behavioral attributes include, but not limited to, automated subject analytics, device analytics, and measured deviations from observed usage patterns.” In short, if you can demonstrate to the QSA that you’re authenticating your agents in real time based on behavior, you can avoid a painful situation for your customers’ IT helpdesks.
Twosense Continuous Multi-Factor Authentication does precisely this. With Continuous MFA, users’ recent behavior is continually and automatically analyzed and compared against their behavioral biometric model. This means that multi-factor checks are performed on users continuously throughout the day instead of waiting for the moment a user authenticates to an application. This is how Twosense is able to meet the requirement of “having the security posture of accounts dynamically analyzed and real-time access to resources be automatically determined accordingly.” With this requirement met, you can relax credential rotation schedules to annual.
Continuous MFA enables contact centers to meet PCI DSS v4.0 compliance while mitigating the complications associated with the upcoming changes. For BPOs looking to avoid clogging up their customers' helpdesks, and the responsibility of asking every 90 days that their customers rotate agents' passwords, Continuous MFA is a must-have solution in their technology stack.
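To make concrete what “dynamically analyzed” and “real-time access determined accordingly” can mean in practice, here is an added example that is not Twosense product code and not text from the PCI SSC: a per-agent baseline of observed behavioral features, a deviation score in the spirit of NIST SP 800-207's “measured deviations from observed usage patterns”, an allow/step-up/deny decision, and the 90-day versus annual rotation choice from 8.3.10.1. The feature names, thresholds and session values are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

ROTATION_STATIC_DAYS = 90    # 8.3.10.1 default when passwords are the only factor
ROTATION_DYNAMIC_DAYS = 365  # relaxed period when account posture is dynamically analyzed


@dataclass
class Baseline:
    """Per-agent behavioral model: mean and stdev of each observed feature."""
    means: dict
    stdevs: dict


def build_baseline(sessions):
    """sessions: list of {feature: value} dicts from an agent's own observed sessions."""
    feats = list(sessions[0].keys())
    means = {f: mean([s[f] for s in sessions]) for f in feats}
    # Guard against a zero stdev so a constant feature cannot divide by zero.
    stdevs = {f: pstdev([s[f] for s in sessions]) or 1e-9 for f in feats}
    return Baseline(means, stdevs)


def deviation_score(baseline, sample):
    """Mean absolute z-score across features: distance of this sample from the model."""
    zs = [abs(sample[f] - baseline.means[f]) / baseline.stdevs[f] for f in baseline.means]
    return sum(zs) / len(zs)


def decide_access(baseline, sample, allow_below=2.0, step_up_below=4.0):
    """Real-time decision: 'allow', 'step_up' (prompt another factor), or 'deny'.
    Thresholds are constructed; a real deployment would tune them per population."""
    score = deviation_score(baseline, sample)
    if score < allow_below:
        return "allow"
    if score < step_up_below:
        return "step_up"
    return "deny"


def required_rotation_days(dynamic_analysis_in_place):
    """90 days unless the 8.3.10.1 dynamic-analysis alternative is demonstrably met."""
    return ROTATION_DYNAMIC_DAYS if dynamic_analysis_in_place else ROTATION_STATIC_DAYS


def password_overdue(age_days, dynamic_analysis_in_place):
    """True when a credential's age exceeds the applicable rotation period."""
    return age_days > required_rotation_days(dynamic_analysis_in_place)


# Constructed sample sessions for one agent (keystroke interval in ms, mouse speed in px/s).
AGENT_SESSIONS = [
    {"key_interval_ms": 180, "mouse_speed": 420},
    {"key_interval_ms": 190, "mouse_speed": 400},
    {"key_interval_ms": 175, "mouse_speed": 440},
    {"key_interval_ms": 185, "mouse_speed": 410},
]
```

Evidence for a QSA would come from logging each decision alongside the score and thresholds, so that the continuous checks can be shown rather than asserted.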