PCI DSS Compliance
“The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally”.
PAYMENT CARD INDUSTRY (PCI) DATA SECURITY STANDARD V3.0, 2013
If you are, in any way, involved in processing payments by card then you are subject to the requirements of the PCI DSS – this includes merchants, card issuers, payment processors and service providers alike.
In essence, the PCI DSS provides a set of standards for the protection of cardholder data (CHD). Its 12 requirements are broken down into 6 key areas for consideration:
- Build and maintain a secure network and systems
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test your network
- Maintain an information security policy
The latest update to the PCI DSS requirements was published in November of 2013. For the most part, the document remains unchanged. However, there are a number of clarification points contained in V3.0, along with some emerging requirements that reflect the changing landscape of IT and Communications security.
A document summarising the differences between v2.0 and v3.0 can be found here: www.ipintegration.com/resources
V3.0 reiterates that Sensitive Authentication Data (SAD) must not be stored after authorization, even if there is no corresponding Primary Account Number (PAN) held within the environment.
V3.0 features a new section that provides best-practice guidance on implementing security into business-as-usual activities, to help maintain on-going PCI DSS compliance.
V3.0 also includes an additional guidance section to each of the PCI DSS requirements, providing users with a better understanding of the focus and intent of each individual requirement.
The new or evolved requirements focus on best-practice for systems security and include:
- Maintaining an up-to-date network diagram and inventory of system components
- On-going evaluation of malware threats and the maintenance of active anti-virus solutions
- Guidance on minimum standards for password strength and complexity
- Control of physical access to sensitive system components
- Enhanced policies for user identification and authentication
- Risk assessments to be carried out annually (or after significant environmental changes)
Some of the emerging requirements don’t come into effect until 1st July 2015, giving organisations a little more time to implement changes. These include:
- New coding practices to protect against broken authentication and session management
- Service providers with remote access to customer premises to use unique authentication
- Enhanced protection of devices used to capture card data via direct, physical interaction
- Implementation of a methodology for penetration testing
PCI Compliance for Contact Centres
Confusion around the requirements of PCI DSS, and to whom they apply, has led many contact centres into doing nothing or failing to fully comply. This position is not sustainable, as the leading card providers threaten substantial fines for non-compliance and the ultimate penalty of withdrawing merchant IDs, removing the ability to take card payments completely.
At IP Integration we understand contact centres and the dynamic nature of their operations; we are experts in contact centre applications, call-recording and self-service. We also understand the requirements of PCI DSS and can help you to evaluate the options available to you and select the most appropriate solution for your business. Once selected, we can deploy your chosen solution with a minimum of disruption to your processes, employees and, most importantly, your customers.
As a leading provider of solutions to the contact centre market, we offer a free PCI DSS compliance discovery session; during which we will review your obligations and assess the options available to bring you in line with the evolving PCI DSS requirements and security assessment procedures.
To find out more, contact IP Integration on 0118 918 4600 or email email@example.com