Call Centers and PCI Compliance

Thursday, June 28, 2012

PCI Guru


A big thank you to a reader who suggested this post by submitting a number of call center questions to my Miscellaneous Questions page.

Based on their questions, the first clarification that needs to be made is in regards to pre-authorization data.

In a call center environment where operators are taking orders over the phone and accepting credit/debit cards for payment, until the card transaction is either approved or declined, we are talking pre-authorization data. 

Only cardholder data after authorization or decline (also known as post-authorization data) is covered by the PCI DSS.

However, as I have noted before, the card brands expect pre-authorization data to be protected with the same rigor as post-authorization data. The PCI DSS can provide organizations with a guideline on how to protect pre-authorization data, but pre-authorization data is not in scope for PCI compliance.

That said, just because it is not in scope for PCI compliance, do not think a QSA is not going to consider it. Any good QSA should review the pre-authorization process and identify any issues that could result in the compromise of pre-authorization data.

Do we need a 'clean room?'

From a PCI compliance perspective, the answer is ‘no’, although there are a number of PCI requirements that would lead you to restrict what is in the actual call center.  However, best practice is to operate any call center handling potentially sensitive data in a ‘sterile’ environment. 

That means clean desks, no personal items at the workstation, no paper and pens for writing things down, locked down workstations and other restrictions so that sensitive information is not leaked from the call center.

The idea for creating a sterile environment by banning cell phones and giving personnel lockers to secure their personal items is in line with what we see in call centers.  In addition, I think most call center organizations find that their clients require such approaches to ensure that their customers’ privacy and security is maintained.

In addition to all of the physical security, call center personnel need to be trained regarding security and privacy.  Call center personnel need to sign an agreement that says they acknowledge that they will be in contact with cardholder data and that the cardholder data is to be protected in compliance with the PCI DSS and other regulatory and legal requirements.

Is it necessary to segregate our team responsible for taking credit card information?

The PCI DSS does not require credit card handling call center personnel to be segregated from other call center personnel.  But again, best practice would be to put your credit card handling team together for a variety of other reasons.

Another best practice is to segregate call center teams that handle sensitive data from personnel that do not handle sensitive data.

The PCI standard 3.3 is not very clear on the subject in my opinion…  however, parts of the standard seem to me very unclear

The first thing people responsible for call centers should do is read the PCI SSC’s FAQ (#5362) on call center recordings and PCI compliance.  The next thing they should do is read my postings on call center recordings.

Requirement 3.3 of the PCI DSS is very clear in my opinion.

Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed)

What I am sure is confusing are the caveats surrounding this requirement.  The first caveat states that personnel with a business need to know can have access to the full primary account number (PAN).  These personnel are typically accountants that work chargebacks and disputes, not call center personnel. 

In a call center environment, the system may display the PAN for customer confirmation purposes.  However, once the PAN is submitted for authorization, the full PAN must no longer be available and must be masked to the first six digits and/or the last four digits.

The second caveat is that where legal or regulatory conditions apply, requirement 3.3 is superseded by any legal or regulatory conditions.  The best example of this is that United States’ federal law mandates the last four digits of the PAN be displayed on a POS receipt.  However, this second caveat should not impact any call center as they do not generate any documentation that would be regulated.
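
The masking rule above can be enforced in code. The following is an added example, not code from the original post: the function names, the asterisk mask character and the sample note are assumptions, and it goes one step beyond the screen display by also masking PANs that end up in free text such as agent notes.

```python
import re

MAX_FIRST, MAX_LAST = 6, 4          # display ceiling quoted above from Requirement 3.3
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, optional separators

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; keeps order numbers that only look like PANs from being masked."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:               # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str, first: int = MAX_FIRST, last: int = MAX_LAST) -> str:
    """Return the PAN with at most the first six and last four digits visible."""
    digits = re.sub(r"[ -]", "", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("value is not PAN-shaped")
    if not (0 <= first <= MAX_FIRST and 0 <= last <= MAX_LAST):
        raise ValueError("would reveal more than first six / last four")
    tail = digits[-last:] if last else ""
    return digits[:first] + "*" * (len(digits) - first - last) + tail

def pan_for_screen(pan: str, submitted_for_authorization: bool) -> str:
    """Full PAN only while the agent confirms it with the caller; masked afterwards."""
    return mask_pan(pan) if submitted_for_authorization else pan

def scrub_text(text: str) -> str:
    """Mask Luhn-valid PANs found in free text such as agent notes or log lines."""
    def repl(match):
        digits = re.sub(r"[ -]", "", match.group())
        return mask_pan(digits) if luhn_ok(digits) else match.group()
    return PAN_RE.sub(repl, text)

# Constructed sample: 4111 1111 1111 1111 is a well-known test number, not a live card.
NOTE = "Caller read card 4111 1111 1111 1111, order ref 1234567890123456."

if __name__ == "__main__":
    print(pan_for_screen("4111111111111111", submitted_for_authorization=False))
    print(pan_for_screen("4111111111111111", submitted_for_authorization=True))
    print(scrub_text(NOTE))
```

The Luhn check leaves the 16-digit order reference in the sample untouched, so only card-shaped values that pass the checksum are masked.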

I know that there are system requirements

Another area where call centers can be at risk is the call center workstation.  The reason is that the workstation comes into contact with the cardholder data.  How the workstation is used and configured will determine the level of security surrounding the workstation.

The big move in call centers today is to use virtual workstations either through Citrix, VMware or similar solutions.  In these situations, the workstation is just a display device.  The server creating the virtual desktops needs to be physically and/or logically segregated from other virtual servers.

The threat to a physical workstation in any environment is that a keyboard logger is installed to record everything typed into the physical workstation.  As a result, the physical workstation needs to have its system/event logs monitored and have anti-virus, anti-malware and critical file monitoring implemented.

Hopefully this answers a lot of the questions call centers have regarding PCI compliance.

Cross-posted from PCI Guru

Michael Johnson

That means clean desks, no personal items at the workstation, no paper and pens for writing things down, locked down workstations and other restrictions... The idea for creating a sterile environment by banning cell phones and giving personnel lockers to secure their personal items is in line with what we see in call centers.

That initially appears desirable, but taking it to that extreme could further demoralise call centre employees, you'd end up with a higher staff turnover, and an environment with a higher staff turnover and low morale is even more vulnerable to social engineering and insider threats.
PCI Guru

It is only demoralizing if you treat it as demoralizing. I think most normal people understand the reasons for this approach if they are properly explained in a rational and non-condescending way.