Click here to get this post in PDF
An integral component of any business is the security of client’s sensitive data spoken and recorded over the phone. Fortunately, you don’t need in-depth cybersecurity knowledge to protect call recording data.
Securing your call recordings and removing the portions of them with sensitive customer data within them is the purpose of PCI DSS compliance. To simplify the process, businesses can deploy a PCI DSS-capable call recording solution.
PCI DSS stands for Payment Card Industry Data Security Standard. To better understand what’s involved in making your call recordings PCI DSS compliant, let’s look at 12 actions your company should take right now.
PCI DSS Compliance
PCI DSS compliance isn’t just an enhancement to the security of your customer’s financial data, it’s a legal requirement your company can be fined for not meeting. PCI DSS compliance revolves around information protection, data reduction, and security.
Hackers don’t need to get physical to steal customer data from your company. If your business has lax protection standards, thieves can steal customer data like credit card numbers from a remote location.
Your business needs to restrict physical access to its call recordings.
PCI DSS compliance checklist at a glance
- Use firewall protection
- Configure passwords and security settings
- Protect stored cardholder data
- Redact Cardholder Data (PANs)
- Regularly update anti-virus software
- Regularly update systems
- Restrict access to cardholder data
- Assign unique IDs
- Restrict physical access to the workplace
- Keep Audit Trails
- Conduct penetration tests
- Create security documentation
1. Use Firewall Protection
PCI DSS is principally about security for customer data, and that means building strong firewalls. Firewalls restrict incoming and outgoing network traffic. Companies that favor high speed over powerful security put their customers and their revenue in jeopardy.
One of the jobs of firewalls is to protect your customer transactions.
Hardware-based firewalls offer more layers of security, but they can be complicated to set up and take more time to deploy. Software firewalls are easier to implement but are more susceptible to infiltration.
An effective solution is to use a combination of both hardware and software to deploy your firewall.
2. Configure Passwords and Security Settings
Once you implement a firewall, avoid using factory settings. Customize your configuration to close any port that needn’t be open and set up robust authentication protocols like 2FA.
Modern data thieves will take the time to learn what kind of hardware and software their target uses. This gives them an advantage in discovering security gaps and weaknesses.
One security measure you can take to protect customer data is to store your call data offsite, encrypted, in the Cloud, The firewall protects the network and employee infiltration, Cloud encryption leaves nothing for thieves to find even if they pass the firewall.
3. Protect Stored Cardholder Data
Cardholder data is the focal point of many cyber-attacks on businesses. Data breaches are an unfortunate reality of modern commerce, but encryption makes it possible to protect against customer data exposure even in the event of a breach.
Your business needs to encrypt its stored cardholder data using the strongest possible algorithm available (256-bit AES is the highest standard available).
4. Redact Cardholder Data (PANs)
Cardholder data, also known as Personal Account Numbers (PAN) needs to be removed from your recorded customer transactions. This is maybe the most important component of any PCI DSS compliance plan.
PANs are prized by cyber-thieves because when uncovered, they can easily be used to make purchases until the PAN owner of their financial establishment figures out an unauthorized party is using the PAN. And these numbers can be stolen from multiple locations like:
- Backup servers
- Third parties that handle PANs
- Outsourced management systems
- Corporate offices
Ideally, you’ll want to ensure that your establishment is never the source of a PAN breach. Many companies keep PANs stored on their networks which is why they’re constantly attacked. But even ending this practice is not enough.
Your company may take PANs over the phone. That credit or bank card number gets recorded and often transcribed into your quality management system, making the PAN vulnerable to attack. The good news is that modern call recorders employ AI to recognize and scrub the PANs from recordings and transcripts. This is known as PCI masking or PCI redaction and it is a must for any company doing financial transactions over the phone.
5. Regularly Update Anti-Virus Software
Malware is a very real threat to your company data. Malware attacks often happen over time, sitting dormant until their programming activates them. Dormant malware may already be on your network without you even knowing.
Your IT personnel should be regularly checking for malware and viruses using up-to-date threat data. Many robust malware and virus detection systems are available as subscriptions.
You’ll want to invest in a regularly updated security platform that can be deployed anywhere your employee’s work (on-site, mobile, etc.).
6. Regularly Update Systems
Compliance and security go hand-in-hand. One place security is often compromised is in the employee’s PC. Failing to update your employee software leaves a door that cyber-thieves regularly walkthrough.
Update and test your systems on a schedule. Wherever possible, deploy an evergreen solution that is self-updating and won’t consume IT resources.
With regular system updates, you reduce the chances of hackers stealing your data. System aspects that require constant patching are:
- Operating systems
- Internet browsers
- Application software
- POS terminals
Communicate with software vendors regarding updates and patches. Assume anything you know about a pending update to a software component is also something an infiltrator knows. Staying ahead of the threat is crucial.
7. Restrict Access to Cardholder Data
With a proper system in place to manage external threats, the next step is to turn your security efforts inward. Customer data moving within your organization can be jeopardized when it’s handled by more people than necessary.
Employing role-based control access(RBCA) to grant specific individuals with different levels of access to sensitive data.
To start, define and maintain a list of the employees that details their data privileges. The list should describe the exact role and purpose of each employee’s access. Dedicate a person to maintaining the list so that it remains updated as employees move in and out of the company or laterally through departments.
8. Employee Security
Most employees enjoy the convenience and unfortunately too many winds up engaging in something called “Shadow IT”. This occurs when they use technology not provided by the company (cellphones, laptops, etc) to connect to the company network or worse, carry out company business.
In other instances, employees wind up sharing data privileges when they let another employee use a login and password not assigned to them. These practices add up to gaping holes in your security that can be exploited.
Tackling this internal threat requires diligence in the following areas.
Password policy & authentication
Set a strict code for the use of passwords, and employ higher authentication standards like 2-Factor Authentication (2FA) for critical data access.
Company Devices and VPNs for mobile employee
Dispersed workforces and work-from-home employees most often rely on personal equipment. Issuing company computers or phones is an optimal solution, and when that’s not available, supplying the employee with a VPN alleviates many security issues with home-based internet connections.
Sealing security gaps within the company is as important as bolstering your outer defenses.
9. Restrict Physical Access to the Workplace
PCI DSS requires your company to build and maintain physical access restrictions and practices for your place of business. You should have a procedure to list employee and visitor access that is detailed and auditable. Any on-site storage of customer data should be in a physically secure location.
Restricting physical access to your workplace becomes even more important with the advent of “social engineering” Social engineers forego the relative safety of remote infiltration and instead try to make physical contact with your employees. Some attempt nearby access of your employee’s devices.
Others are bolder and attempt to engage the employee.
Crafting a policy that holds the employee accountable for data security may work on paper, but in practice, it’s better to have a system in place that encrypts your data to the point that even if obtained, it is useless to a hacker.
Take for example one of your most data-rich assets, your call recordings. Customers regularly divulge PANs, social security, and national insurance numbers on the phone. Using a call recorder that digitizes and encrypts each recording for offsite storage essentially neutralizes the threat of having any customer data exposed through social hacking.
10. Keep Audit Trails
A PCI DSS violation alleged during a dispute can carry heavy fines. Your customer records need to be detailed with time-stamps, agent identification, and as many angles of proof as you can provide.
Specifically, pay attention to the details gathered during your customer phone interactions. Many disputes arise based on what was said between customer and agent during a phone interaction.
Combining a call recorder that extracts metadata like time-stamps with a screen recording of your agent’s desktop can provide multiple levels of visibility during an audit. This can reveal a PCI DSS compliance failure before a dispute occurs and allow you to correct the situation proactively.
11. Conduct Penetration Tests
Your organization should regularly conduct penetration tests. Many reputable services will carry out penetration tests on your network to highlight security gaps and vulnerabilities.
Finding these critical flaws helps you close doors that lead to your customer data. Your efforts to eliminate vulnerabilities should be comprehensive. For example, some companies have multi-tenant designs with customer service centers spread across different locations. The same company might also have dispersed employees working from home.
For a moment, think like a data thief. To quickly lay hands on the kind of data you can use or sell, you’ll look for the simplest way in. The larger and more diverse the network, the harder it is for a company to defend. So think like the way an infiltrator would and focus on every place you have employees talking to customers. Every inch of that should be tested for vulnerabilities.
Again, a great way to stay compliant and mitigate threats is to use a company-wide customer interaction solution that encrypts data offsite in the cloud. When it comes to PCI DSS compliance, cloud-stored data that’s both redacted and encrypted is neither an easy nor tempting target for hackers. But also make sure your cloud storage solution is regularly penetration-tested.
12. Create Security Documentation
Finally, you want to use security documentation. This document should be a detailed process manual for employees. It must contain any necessary material for the safe handling of your client’s data. The documentation will vary based on the size of your business and its technical complexity.
The bottom line is your company is responsible for training its employees in the compliance process with PCI DSS and any other regulation your industry is subject to.
One great way to supplement your employee security manual is to use your phone recordings to demonstrate best practices with your customers. You can point out common mistakes agents make and also give a concrete example of an agent successfully carrying out their security protocols.
After you fulfill this requirement, your business becomes compliant with PCI DSS.
Understandably, taking measures to become PCI DSS-compliant can seem overwhelming. It might seem that ensuring cybersecurity could distract from your efforts to grow your company.
The Atmos solution by CallCabinet offers a streamlined path to PCI DSS compliance as well as a litany of other compliance laws companies face. Atmos can manage and centrally administrate your call compliance needs no matter the size of the physical makeup of your operation.
Reach out to us today to learn about how Atmos can solve your compliance, customer service, agent training, and business intelligence needs in one platform.
You may also like: Securing Your CDE & Obtaining PCI DSS Compliance