Telephone based payments: Hasta La Vista Baby!
Updated: Dec 5, 2018
Despite consumers losing confidence in how much care businesses take to protect their personal and sensitive information, we are still seeing numerous reports of large-scale data breaches, e.g.
These organisations have become very proficient at 'ticking the box' for compliance but appear to struggle to identify their complete data flows and the interactions between systems and people. By contrast, cyber criminals have become very proficient at identifying the gaps that such businesses overlook. They understand the true value of the sensitive data being processed and are very good at pinpointing the interaction points.
Most companies see no way of using this sensitive data other than having people enter (process) it into machines (information systems). Much like in the Terminator movies, humans are the biggest risk when it comes to sensitive data operations.
To help businesses understand the difficulties involved in protecting telephone-based card payments, the PCI SSC has recently released an updated version of its information supplement on the subject.
If you look at a typical telephone-based payment's data flow:
First, the consumer entrusts their sensitive data to a call agent.
Next, the call agent manually types this data into a company's network-based information system for processing. (In a contact centre this typically involves a single location with numerous data entry systems: a virtual 'gold mine' for the opportunist criminal. How easy would it be for them to social engineer their way into this environment and place keylogger devices, harvesting every keystroke entered at the keyboard for later collection and exploitation?)
The input may then involve transferring responsibility for payment processing and storage of the cardholder data to a PCI DSS compliant payment service provider. However, this should never be treated as a fully outsourced operation (i.e. SAQ A), as the receiving information system is most definitely brought into scope (as is any other connected system that could affect it).
Have you considered the protection of any call recordings (containing payment card data)? Are you using automatic or manual start/stop technologies? Are they 100% reliable? If not, you could inadvertently be storing payment card data.
Do you allow the receiving PC to serve multiple purposes (e.g. card payments, business email, internet access, etc.)? How are you mitigating the phishing or social engineering threats?
Are you happy with your countermeasures to reduce the risk of a data breach caused by a deliberate or accidental act of a call agent?
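For the call-recording question above, two checks a practitioner can automate, written here as an added example rather than anything from the original post: a reconciliation of the payment application's card-entry timestamps against the recorder's pause/resume log (any entry that falls outside a pause is a recording to pull and examine), and a Luhn-filtered scan of transcribed recordings for residual card numbers. The log formats, call ids, timestamps and transcripts are constructed for the demo, and 4111 1111 1111 1111 is a constructed test number, not a real card.

```python
"""Two checks on call recordings that are supposed to exclude card data
(constructed example; the log formats and transcripts are invented for the demo)."""
import re
from datetime import datetime

# Constructed recorder log: when recording was paused/resumed on each call.
PAUSE_LOG = """\
2018-12-05T09:14:02Z call=C1001 event=pause
2018-12-05T09:14:41Z call=C1001 event=resume
2018-12-05T10:02:10Z call=C1002 event=pause
2018-12-05T10:02:12Z call=C1002 event=resume
"""

# Constructed payment-application log: when the agent keyed card data on each call.
PAYMENT_LOG = """\
2018-12-05T09:14:20Z call=C1001 event=card_entry
2018-12-05T10:02:30Z call=C1002 event=card_entry
2018-12-05T11:30:05Z call=C1003 event=card_entry
"""

# Constructed transcripts of the stored recordings (test number only, not a real card).
TRANSCRIPTS = {
    "C1001": "Thanks, I'll take the card details now. [recording paused]",
    "C1002": "Thanks, the number is 4111 1111 1111 1111 and the expiry is next year.",
    "C1003": "Your order reference is 1234567890123, it will ship tomorrow.",
}

LINE = re.compile(r"^(?P<ts>\S+) call=(?P<call>\S+) event=(?P<event>\S+)", re.M)


def parse_log(text):
    """Yield (timestamp, call id, event) triples from a log in the constructed format."""
    for m in LINE.finditer(text):
        yield datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["call"], m["event"]


def pause_windows(pause_log):
    """Map call id -> list of (pause_start, pause_end). A pause with no matching
    resume is treated as open-ended (the recorder never came back on)."""
    windows, open_pause = {}, {}
    for ts, call, event in parse_log(pause_log):
        if event == "pause":
            open_pause[call] = ts
        elif event == "resume" and call in open_pause:
            windows.setdefault(call, []).append((open_pause.pop(call), ts))
    for call, start in open_pause.items():
        windows.setdefault(call, []).append((start, datetime.max))
    return windows


def unprotected_entries(pause_log, payment_log):
    """Call ids where card data was keyed while the recorder was NOT paused: those
    recordings may hold a spoken card number and must be pulled and examined."""
    windows = pause_windows(pause_log)
    flagged = []
    for ts, call, event in parse_log(payment_log):
        if event != "card_entry":
            continue
        if not any(start <= ts <= end for start, end in windows.get(call, [])):
            flagged.append(call)
    return flagged


# 13-19 digits, optionally separated by spaces or hyphens, not embedded in a longer run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Luhn checksum: the first filter that separates card numbers from other long numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return Luhn-valid 13-19 digit sequences in text, masked to first six / last four."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return hits


def audit(pause_log, payment_log, transcripts):
    """Combine both checks: which calls need attention, and why."""
    report = {}
    for call in unprotected_entries(pause_log, payment_log):
        report.setdefault(call, []).append("card entry outside a recording pause")
    for call, text in transcripts.items():
        for masked in find_pans(text):
            report.setdefault(call, []).append(f"PAN found in stored recording: {masked}")
    return report


if __name__ == "__main__":
    for call, reasons in audit(PAUSE_LOG, PAYMENT_LOG, TRANSCRIPTS).items():
        print(call, "->", "; ".join(reasons))
```

On the constructed data the audit flags C1002 (the agent resumed recording before taking the card, and the transcript still contains the number) and C1003 (no pause at all), while C1001 passes. The order reference on C1003 is 13 digits long but fails the Luhn check, which is why the scan keeps quiet about it; Luhn alone still produces false positives on some non-card numbers, so matches are reported masked and reviewed rather than acted on blindly.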
Consequently, to be truly PCI DSS compliant and secure, the business would need to ensure that all these in-scope systems are subject to the applicable PCI DSS controls (e.g. network segmentation, secure configuration, anti-virus, patching, role-based access control (logical and physical), monitoring, wireless checks, vulnerability scanning, penetration testing and formalised policies and procedures). Failing to understand the accurate data flows and the supporting information security triads may mean that your organisation has inadvertently told an untruth to your acquiring bank. This may not be an issue until that opportunist criminal identifies that exploitable, unidentified opportunity.
If your organisation is involved in telephone-based payments, the first thing I would recommend is to familiarise yourself with the PCI SSC's updated information supplement (referenced above). Next, I would recommend that you investigate the potential benefits of adopting SKYNET, by TERMINATING the need for human interaction with cardholder data.
The best way to maintain the customer experience is to make use of technology changes and a third party who can convert payment card data into digital key tones (aka Dual Tone Multi-Frequency (DTMF)), e.g. GCI. Such a solution can be introduced so that the customer experience is enhanced, whilst reassuring your customer that you are safeguarding their data.
When deciding the best approach for your organisation, it is important to weigh the cost of maintaining full PCI DSS compliance across your business information systems against the benefit of reducing the number of systems brought into scope through interaction with cardholder data. Further factors to consider are the threat posed by people, the potential brand damage and the potential cost to your business.
Even if you are a business that does not handle payment card data, given that most highly sensitive data includes numbers (e.g. National Insurance number, passport number, bank account number, date of birth, etc.), you may wish to investigate the potential benefits of using a DTMF solution to replace the need to interact with the numeric component of such data assets.
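To show what such a DTMF solution does at the point of interaction, here is an added simulation (my own illustration, not GCI's or any provider's code): the caller keys the card number on their handset, a gateway sitting between the telephone network and the contact centre decodes the DTMF tone pair in each 25 ms audio frame with the Goertzel algorithm, exchanges the full PAN for a token with a stand-in tokenisation service, and forwards audio in which every tone-carrying frame has been replaced by a flat masking tone, so that neither the agent's headset nor the call recorder ever receives the digits. The `TokenVault` class, the frame-aligned synthetic audio and the test number 4111 1111 1111 1111 are constructed assumptions; a real gateway works on live telephony audio and also has to cope with partially filled frames, which this demo sidesteps by aligning every tone and gap to whole frames.

```python
"""Simulated DTMF capture-and-mask gateway (constructed example, not any vendor's code).

Caller keys the PAN -> gateway decodes and masks -> agent hears only a flat tone,
merchant systems receive only a token, the PAN stays with the provider.
"""
import math
import secrets

SAMPLE_RATE = 8000                # telephony audio is 8 kHz
FRAME = 205                       # classic Goertzel block size for DTMF at 8 kHz (~25 ms)
LOW = (697, 770, 852, 941)        # DTMF row frequencies (Hz)
HIGH = (1209, 1336, 1477, 1633)   # DTMF column frequencies (Hz)
KEYS = ("123A", "456B", "789C", "*0#D")


def dtmf_tone(digit, frames=4):
    """Synthesise `frames` whole frames of the two-tone signal for one keypad key."""
    row = next(r for r, keys in enumerate(KEYS) if digit in keys)
    f_low, f_high = LOW[row], HIGH[KEYS[row].index(digit)]
    return [0.5 * math.sin(2 * math.pi * f_low * i / SAMPLE_RATE)
            + 0.5 * math.sin(2 * math.pi * f_high * i / SAMPLE_RATE)
            for i in range(frames * FRAME)]


def keyed_entry(pan, gap_frames=2):
    """Caller-side audio for a keyed PAN: tones separated by silence, frame-aligned
    (constructed input; live audio would not line up with the frame grid like this)."""
    audio = [0.0] * (gap_frames * FRAME)
    for d in pan:
        audio += dtmf_tone(d) + [0.0] * (gap_frames * FRAME)
    return audio


def goertzel_power(frame, freq):
    """Energy of `frame` in the DFT bin nearest to `freq` (Goertzel algorithm)."""
    n = len(frame)
    k = round(n * freq / SAMPLE_RATE)
    coeff = 2 * math.cos(2 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def detect_digit(frame):
    """Return the DTMF key present in `frame`, or None.
    By Parseval a clean two-tone frame puts about len(frame)/2 * sum(x*x) of energy
    into its two matching bins; we demand at least half of that, which rejects
    silence, speech and the flat masking tone."""
    energy = sum(x * x for x in frame)
    if energy < 1e-3:
        return None
    lows = [goertzel_power(frame, f) for f in LOW]
    highs = [goertzel_power(frame, f) for f in HIGH]
    r = max(range(4), key=lows.__getitem__)
    c = max(range(4), key=highs.__getitem__)
    if lows[r] + highs[c] < 0.5 * (len(frame) / 2) * energy:
        return None
    return KEYS[r][c]


class TokenVault:
    """Stand-in for the provider's tokenisation service (constructed). In practice the
    PAN lives only inside the provider's PCI DSS environment; the merchant keeps the token."""
    def __init__(self):
        self._pans = {}

    def store(self, pan):
        token = "tok_" + secrets.token_hex(8)
        self._pans[token] = pan
        return token

    def lookup(self, token):
        return self._pans[token]


def decode_and_mask(audio):
    """Frame-by-frame pass over caller audio: collect the keyed digits and build the
    audio allowed through to the agent, with every DTMF frame replaced by a flat tone."""
    digits, agent_audio, prev = [], [], None
    for start in range(0, len(audio), FRAME):
        frame = audio[start:start + FRAME]
        digit = detect_digit(frame)
        if digit is None:
            agent_audio.extend(frame)
        else:
            # 400 Hz masking tone, phase-continuous across frames: the agent hears
            # that the caller is keying but never hears which keys
            agent_audio.extend(0.3 * math.sin(2 * math.pi * 400 * (start + i) / SAMPLE_RATE)
                               for i in range(len(frame)))
            if digit != prev:       # one keypress spans several frames; count it once
                digits.append(digit)
        prev = digit
    return "".join(digits), agent_audio


def gateway(audio, vault):
    """What reaches the contact centre: masked audio plus a token, never the PAN."""
    pan, agent_audio = decode_and_mask(audio)
    return agent_audio, vault.store(pan)


def contains_dtmf(audio):
    """Check for the agent-bound stream or a stored recording: does any frame carry a key?"""
    return any(detect_digit(audio[s:s + FRAME]) is not None
               for s in range(0, len(audio), FRAME))


if __name__ == "__main__":
    vault = TokenVault()
    caller = keyed_entry("4111111111111111")     # constructed test number
    agent_audio, token = gateway(caller, vault)
    print("caller audio carries DTMF:", contains_dtmf(caller))
    print("agent audio carries DTMF:", contains_dtmf(agent_audio))
    print("merchant keeps:", token, "| provider resolves:", vault.lookup(token))
```

Running the block decodes the keyed number on the caller side, returns an agent-bound stream of the same length in which `contains_dtmf` finds no key, and hands the merchant only the token; the same `contains_dtmf` check can be pointed at stored recordings as a test that the masking held, which is the scope-reduction argument in miniature: the PAN never enters the agent's PC, the recorder or the merchant's network.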