PCI DSS: Mail Order Telephone Orders (MOTO)
Updated: Jan 2, 2019
If you are taking card payments over the telephone, you owe it to both the Card Brands and your customers to ensure that the card details entrusted to you are protected from harm. However, where you rely on a Call Agent listening to spoken card data and typing it through a keyboard into an application, you increase both the potential for an insider to exploit their authorised physical access to these data processing environments and the potential for supporting systems to be brought into scope. For example, if you need to balance customer service with security, you will need to consider ring fencing your call recording, as most start/stop technologies are still not 100% reliable for ensuring cardholder data does not end up being stored in the audio recordings.
PCI DSS tends to be very technology focused, yet very light on threat and risk management. Consequently, it appears to have overlooked the specific threats/risks associated with a human being having to manually key card data into a computer system's keyboard. Even if you look at the physical inspection requirements (9.9), these do not extend to physically inspecting the receiving PCs for signs of tampering or rogue devices.
Okay, so as a diligent Merchant or Service Provider you have applied all the applicable PCI DSS controls, to the letter, but are still vulnerable to the insider threat. How can this be?
What if I were to tell you that for less than $50 you can purchase a device that can steal every keystroke your Call Agents enter into their keyboards? Imagine the value of the data being manually input through the keyboards, e.g. usernames, passwords, payment cards, etc.
Now imagine how this could be the perfect crime. PCI DSS requires physical access controls that log authorised physical access into sensitive areas. This can be delivered through either CCTV or an Automated Access Control System (AACS), or a combination of both, to identify and record who may have accessed these sensitive areas. However, these records only need to be retained for a maximum of 12 months. Your Call Agents were vetted before starting the role, but many years down the line their circumstances may have changed: they have developed a gambling, drinking or drug addiction that has led them into extensive debt. A criminal offers them the ability to easily clear that debt, just by fitting a handful of keygrabber devices into the back of the PCs within the Call Centre.
These devices are placed inline between the keyboard port and the keyboard cable, so that even if you have locked down your ports they can still harvest data. The reality is that to enable manual keyboard entry, you need to enable the keyboard port. Consequently, this device sits there unnoticed until it is collected at the end of the week. As an example, a 16 Mb device can record up to 16,000 keystrokes (1 page = 3,000 characters).
If it's not the threat from your Call Agents, how about your building maintenance or cleaning personnel?
Fortunately, the risks from the higher-threat wireless-connected devices are partially mitigated by the 11.1 quarterly checks for wireless-connected devices. But the reality is: do businesses focus their wireless checks on their Data Centres rather than their Contact Centres, and how much data can be lost during 3 months of wireless transmissions?
As part of your annual security awareness training, do you train your staff to carry out start-up checks to look for these clandestine devices? If not, I would highly recommend that you start doing so.
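One way to put such a start-up check into practice on the PC itself, as an added example that is not from the original post: compare the USB devices a workstation enumerates at boot against an approved baseline recorded when the PC was commissioned, and flag anything unexpected. The script assumes `lsusb`-style inventory text; both inventories below are constructed sample data, and the vendor/product ID 1a2b:3c4d is a placeholder, not a real device.

```python
"""Start-up USB inventory check for a call-centre PC (added example, not from
the original post). It compares the devices currently attached against an
approved baseline and flags anything that could be an inline keystroke logger."""
from __future__ import annotations

import re
from dataclasses import dataclass

# One line of `lsusb`-style output, e.g.
#   Bus 001 Device 003: ID 046d:c31c Logitech, Inc. Keyboard K120
LSUSB_LINE = re.compile(
    r"^Bus (?P<bus>\d+) Device (?P<dev>\d+): "
    r"ID (?P<vid>[0-9a-fA-F]{4}):(?P<pid>[0-9a-fA-F]{4})\s*(?P<desc>.*)$"
)

# Constructed baseline captured when the PC was commissioned (sample data).
BASELINE_LSUSB = """\
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 046d:c31c Logitech, Inc. Keyboard K120
Bus 001 Device 003: ID 046d:c077 Logitech, Inc. M105 Optical Mouse
"""

# Constructed inventory from a later start-up: an extra keyboard-class device
# with a placeholder vendor/product ID (1a2b:3c4d) has appeared in front of the
# approved keyboard, which is how a USB inline logger typically enumerates.
TODAY_LSUSB = """\
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 004: ID 1a2b:3c4d Placeholder vendor HID Keyboard
Bus 001 Device 005: ID 046d:c31c Logitech, Inc. Keyboard K120
Bus 001 Device 003: ID 046d:c077 Logitech, Inc. M105 Optical Mouse
"""


@dataclass(frozen=True)
class UsbDevice:
    bus: str
    dev: str
    vid: str
    pid: str
    desc: str

    @property
    def ident(self) -> str:
        return f"{self.vid}:{self.pid}"


def parse_lsusb(text: str) -> list[UsbDevice]:
    """Parse lsusb-style lines into UsbDevice records; unrecognised lines are skipped."""
    devices = []
    for line in text.splitlines():
        m = LSUSB_LINE.match(line.strip())
        if m:
            devices.append(UsbDevice(m["bus"], m["dev"], m["vid"].lower(),
                                     m["pid"].lower(), m["desc"].strip()))
    return devices


def _keyboards(devices: list[UsbDevice], keywords: tuple[str, ...]) -> list[UsbDevice]:
    return [d for d in devices if any(k in d.desc.lower() for k in keywords)]


def run_startup_check(current_text: str, baseline_text: str,
                      keyboard_keywords: tuple[str, ...] = ("keyboard",)) -> list[tuple[str, str]]:
    """Return (severity, message) findings; an empty list means the PC matches its baseline."""
    current = parse_lsusb(current_text)
    baseline = parse_lsusb(baseline_text)
    approved = {d.ident for d in baseline}
    findings: list[tuple[str, str]] = []

    # 1. Any device whose vendor:product pair is not on the approved list.
    for d in current:
        if d.ident not in approved:
            findings.append(("HIGH", f"unapproved device {d.ident} '{d.desc}' on bus {d.bus}"))

    # 2. More keyboard-class devices than the baseline had: an inline logger
    #    often presents itself as a second keyboard while relaying the real one.
    expected = len(_keyboards(baseline, keyboard_keywords))
    seen = len(_keyboards(current, keyboard_keywords))
    if seen > expected:
        findings.append(("MEDIUM", f"{seen} keyboard-class devices attached; baseline has {expected}"))

    # 3. Approved devices that have vanished, e.g. a keyboard now hidden behind a hub.
    present = {d.ident for d in current}
    for ident in sorted(approved - present):
        findings.append(("LOW", f"approved device {ident} missing from inventory"))

    return findings


if __name__ == "__main__":
    for severity, message in run_startup_check(TODAY_LSUSB, BASELINE_LSUSB):
        print(f"[{severity}] {message}")
```

On a real PC the current inventory would come from running `lsusb` (or the equivalent on Windows) at logon and the baseline from a signed file the agent cannot edit. The check complements rather than replaces the physical inspection recommended above: a purely passive passthrough logger, and most PS/2 devices, never enumerate to the host at all, so a clean software inventory is not proof that nothing is plugged in behind the PC.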
If you are risk averse, you could consider removing the need to have a Call Agent manually input the cardholder data, through your keyboards, into the payment applications. Why not investigate the potential benefits of using a 3rd party Dual Tone Multi Frequency (DTMF) supplier, e.g. GCI, where the customer enters their card data directly into the payment application using their telephone keypad? They can still talk to your Call Agent, but you remove the need for the Call Agent to receive spoken card data and, as a result, in some instances it can remove the need for any of your IT systems or personnel to interact with your customers' payment information. Better for you and better for the customer!
With the potential increasing attractiveness and value of payment card data to criminals, along with the potential damage to your business, it has never been more important to reduce the potential attack vectors that you may be vulnerable to.
The relatively low investment and technical knowledge needed for keygrabbers increase their attractiveness for criminal use. When you see reports of stolen credit cards being sold for $890 on the dark web, the ability to silently harvest these details for less than $50 per device makes these devices all the more attractive to criminals.