Organisations struggle to understand PCI DSS, call centre compliance

By Ron Condon, U.K. Bureau Chief
06 Nov 2009 | SearchSecurity.co.UK

Confusion over the requirements and future direction of the Payment Card Industry Data Security Standard (PCI DSS) has caused some U.K. organisations to shelve their efforts while they seek clarification.

The latest meeting of the U.K. PCI DSS User Group, held in London on November 5, revealed a high level of frustration among organisations grappling to meet the complex, and often unclear, requirements of the standard.

Members of the group, who asked not to be identified by name, said their efforts were made all the more difficult because the card schemes themselves -- primarily Visa and Mastercard -- applied the rules in different ways. Furthermore, the advice of different Qualified Security Assessors (QSAs), who are supposed to provide definitive advice and auditing services, is often inconsistent.

One member complained that when version 1.2 of the PCI code was introduced in October 2008, it was like starting "with a blank sheet of paper," with much of the earlier work wasted. And with version 2.0 of the code due for release next October, many members said they were hesitant about committing further effort to the task when the rules might change again.

One attendee said the matter had been debated in Prague the previous week at the meeting of the PCI Council: "People were asking whether they should be putting in end-to-end encryption or going for tokenisation, but the answer was 'watch this space.' The advice was to hold off on any decision for a while, but how can you do that if you need to be compliant?"

The head of PCI DSS compliance for one global company complained: "The costs [of becoming compliant] are spiralling. There always seems to be an opportunity to pay an extra fee to someone for some extra advice."

One high street retailer revealed that its PCI DSS compliance efforts had "ground to a halt last year" because it was unable to get clear guidance. "It's a bit of a mess. We got 60% done, but the last 40% is a bit of a nightmare," an attendee said.

A member from a large consumer goods company made a similar point: "We are far from being compliant. The last 20% to 30% is very complex," he said. "Different QSAs say different things, and give different advice."

Another complained that the different card schemes applied the standard in their own way, and this resulted in much duplication of effort on behalf of the merchants.

And a member from one large organisation revealed, to the astonishment of the group, that its acquiring bank had assured the company that it did not have to be PCI DSS compliant.

PCI DSS compliance in call centres

The main purpose of the meeting, which included members from banking, government, hospitality and retail, was to hear how call centres are affected by PCI DSS.

Since call centres routinely record their calls, the recordings become a liability if they capture the customer reading out full card details over the phone, including the three-digit security code: PCI DSS forbids storing the security code after authorisation, and a recording that contains it is exactly such a store, which also drags the recording platform into the scope of the standard.

Graham Thomas, sales director for Semafone Ltd., described a variety of methods that companies could use to avoid problems. The most basic would be to get call centre workers to stop the recording while the customer reads out his or her three-digit security code, but he admitted that was unreliable and that most recording systems were outside the control of the individual agents anyway.

Another option would be not to ask for the three-digit security code, but that would incur greater charges from the card companies.

Much more feasible approaches included:

  • Passing the customer to an interactive voice response (IVR) system when it comes to giving their card details, so the agent and the recording never hear them.
  • Generating 'white noise' on the recording at the point where the agent asks for the card details.
  • Getting the customer to key in their details on the telephone keypad, with the keypad tones disguised on the recording. In this arrangement the agent hears only a flat tone, and the customer avoids reading out their card details in what might be a public place.
  • Using a cloud-based service: the call centre diverts the caller to the service with a reference number and the amount due, and the customer keys in their card details there. Because the card data never enters the merchant's systems, this part of the business is removed from the scope of PCI DSS.
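How the keypad-entry masking in the third approach above can work in practice, shown as an added example that is not part of the original article and is not Semafone's code: each audio frame on the recording path is tested for a DTMF (keypad) tone with a Goertzel filter; when a digit is found, the frame is overwritten with a flat tone before it reaches the recorder and the digit is handed back to the caller so it can be forwarded to the payment provider instead of being stored. The sample rate, frame length, thresholds, flat-tone frequency and the constructed test audio are assumptions of this example, not values from the article.

```python
"""DTMF masking for call recordings (added example, not a vendor's code).

The agent's recording path is modelled as a list of audio frames. Frames that
carry a keypad (DTMF) tone are recognised with a Goertzel filter, the digit is
returned to the caller of mask_recording() (in a real deployment it would go
straight to the payment provider, never to storage) and the frame is replaced
by a flat tone so the stored recording holds no card data.
"""
import math

FS = 8000            # assumed telephony sample rate, Hz
FRAME = 205          # assumed frame length (~25 ms), the usual choice for DTMF
LOW = (697.0, 770.0, 852.0, 941.0)          # DTMF row frequencies
HIGH = (1209.0, 1336.0, 1477.0, 1633.0)     # DTMF column frequencies
KEYPAD = ("123A", "456B", "789C", "*0#D")   # KEYPAD[row][col]
MIN_AMPLITUDE = 0.1  # assumed: weaker tones are treated as speech, not DTMF
DOMINANCE = 2.0      # strongest tone in a group must beat the runner-up by this
FLAT_TONE_HZ = 400.0 # assumed: what the recording gets instead of the keypad tone


def tone(freqs, amplitude, n=FRAME, fs=FS):
    """Sum of sines at the given frequencies (constructed test audio)."""
    return [sum(amplitude * math.sin(2 * math.pi * f * i / fs) for f in freqs)
            for i in range(n)]


def dtmf_frame(digit):
    """One frame of the DTMF tone pair for `digit` (constructed test audio)."""
    row = next(r for r, keys in enumerate(KEYPAD) if digit in keys)
    col = KEYPAD[row].index(digit)
    return tone((LOW[row], HIGH[col]), 0.5)


def goertzel_amplitude(frame, freq, fs=FS):
    """Estimated amplitude of a sinusoid at `freq` in `frame` (Goertzel filter)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / fs)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    power = s1 * s1 + s2 * s2 - coeff * s1 * s2   # |DTFT at freq|^2
    return 2.0 * math.sqrt(max(power, 0.0)) / len(frame)


def _dominant(frame, group):
    """Index of the one clearly dominant frequency in `group`, or None."""
    amps = sorted(((goertzel_amplitude(frame, f), i) for i, f in enumerate(group)),
                  reverse=True)
    (best, idx), (second, _) = amps[0], amps[1]
    if best < MIN_AMPLITUDE or best < DOMINANCE * second:
        return None
    return idx


def detect_dtmf(frame):
    """Return the keypad digit carried by `frame`, or None if it is not clean DTMF."""
    row, col = _dominant(frame, LOW), _dominant(frame, HIGH)
    if row is None or col is None:
        return None
    return KEYPAD[row][col]


def mask_recording(frames):
    """Split a call into (frames safe to record, digits the customer keyed).

    DTMF frames are replaced by a flat tone; speech frames pass through untouched.
    """
    safe, digits = [], []
    flat = tone((FLAT_TONE_HZ,), 0.2)
    for frame in frames:
        digit = detect_dtmf(frame)
        if digit is None:
            safe.append(frame)
        else:
            safe.append(flat)
            digits.append(digit)
    return safe, digits


def demo():
    """Constructed call: speech, the customer keys '4111', speech again."""
    speech = tone((300.0,), 0.4)            # stand-in for a voice frame
    call = [speech] + [dtmf_frame(d) for d in "4111"] + [speech]
    safe, digits = mask_recording(call)
    residual = [detect_dtmf(f) for f in safe]   # what a later scan of the recording finds
    return digits, residual, safe[0] is speech


if __name__ == "__main__":
    print(demo())   # digits recovered for the payment provider, nothing left on the recording
```

In a real deployment the detector would also require a digit to persist across several consecutive frames and to vanish between digits (debouncing), and would check for speech that happens to mimic a tone pair ("talk-off"). The masker must sit upstream of every recorder and of the agent's headset; if any recording tap sits before it, the card digits still land on disk and the recording platform stays in scope.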
