PCI-DSS Outsourcing the Risk – Can’t someone else do it?

When was the last time you gave a complete stranger your credit card? How many people know what your credit card number is? You wouldn’t leave your wallet or purse on a table and walk away from it, so why do you provide your credit card details to businesses such as your Internet provider, electricity provider or insurance company? The answer is likely that you trust them more, based on them being good corporate citizens and on the assumption that some sort of legislation or regulation protects this information.

In 2004 Visa, MasterCard and American Express did just this by creating the Payment Card Industry Data Security Standard (PCI-DSS), which requires companies to meet a minimum set of standards when storing, processing or transmitting Credit Card details. That minimum set of standards is currently 211 questions, all of which you have to answer yes to. That’s right: just like all compliance, it is 100% compliant or failure. Compliance is achieved when a Qualified Security Assessor (QSA) deems you to be compliant.

We have recently seen a number of high profile attacks where personal details were compromised. The best-known example is the Sony attack in 2011, where 77 million users were affected.

There are penalties for companies who are non-compliant, ranging from monetary fines to the loss of the ability to transact Credit Card payments, not to mention the reputational impact.

In Australia the PCI-DSS initiative is driven through the banks, so the next time you meet with your client services manager expect them to bring this up.

Below we detail one method that 3CA successfully used recently at a large Australian insurer to become PCI-DSS compliant. This method is about outsourcing the risk.

Firstly, 3CA had to identify all channels where a Credit Card number entered, exited or traversed the business. As you could imagine, there were Credit Card numbers in files, emails, faxes, mail, even on pieces of paper written down by the Call Centre agents. All of these processes required remediation. But the first question had to be what to do with the Credit Card numbers themselves, since our goal was to eliminate the storage of Credit Card numbers in the business whilst still accepting payments by Credit Card.

The business was initially sceptical and resistant to the idea that they would not be able to see the full Credit Card number. Once it was shown that the processes identified could continue without the need for the full Credit Card number, the business began to buy in and the talk of “I can’t do my job without the Credit Card” dissipated.

The tokenisation approach was adopted. This is a process where the Credit Card number is passed to a tokenisation provider, who stores the Credit Card number for you and passes back a token, which is essentially a reference to the Credit Card. The token means nothing to anyone outside the provider, so holding it carries none of the risk of holding the number itself. The existing tokenisation providers offer a number of ways to transform Credit Card numbers into tokens: web services, bulk file uploads and tokenisation websites hosted by the provider. Each of these techniques was used as part of the project.

The next problem faced was what to do with Credit Card numbers entering the business. The benefit for the Insurer was that they had already outsourced the mail sorting process to a 3rd party who were working towards their own PCI-DSS compliance. This meant the mail house could use the technology on offer from the tokenisation providers to tokenise the Credit Card number on all paper material. The mail house also offered a redaction service, which was used to mask the Credit Card PAN. This meant all mail was now remediated. Faxes were re-directed to the mail house at the phone exchange layer to prevent any faxed Credit Card numbers entering the business, and the mail house applied the same tokenisation and redaction process to faxes as to mail.

This left us with 3 areas of concern:

Email – Part of the problem with email is that unless the entire email stream is re-directed to the mail house, some level of email rules has to be built. This is a service most email filtering providers such as Websense offer, but the capabilities are somewhat limited as these rules only recognise typed text. Keep this in mind when you look at email re-direction.
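To make the tokenisation, redaction and email-rule points concrete, here is an added example written for this article (not 3CA’s code and not any tokenisation provider’s API): a hypothetical in-memory vault that issues a random token per card and never releases the PAN, a first-six/last-four mask of the kind the redaction service produces, and a Luhn check so an email rule does not fire on policy or phone numbers that merely look like a PAN. The card number in the test is a constructed Luhn-valid test value, not a real card.

```python
import re
import secrets

# Matches 13-19 digit runs with optional space/dash separators, as typed in an email.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Mod-10 check: weeds out policy or phone numbers that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Redacted display form: at most the first six and last four digits remain."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Hypothetical stand-in for the outsourced tokenisation provider.
    The PAN never leaves the vault; the business only handles the random token."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenise(self, pan: str) -> str:
        if pan not in self._token_by_pan:  # same card always maps to the same token
            token = "tok_" + secrets.token_hex(8)
            self._token_by_pan[pan] = token
            self._pan_by_token[token] = pan
        return self._token_by_pan[pan]

    def detokenise(self, token: str) -> str:
        """Only the provider (payment gateway side) ever calls this."""
        return self._pan_by_token[token]


def redact_text(text: str, vault: TokenVault) -> str:
    """Email-rule style pass: replace each Luhn-valid PAN with its mask and token."""
    def swap(match: re.Match) -> str:
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_ok(digits):
            return match.group(0)  # not a card number, leave untouched
        return f"{mask_pan(digits)} [{vault.tokenise(digits)}]"
    return PAN_RE.sub(swap, text)
```

Because the rule only sees typed text, a card number inside a scanned attachment passes straight through it, which is the limitation the paragraph above describes.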

Call Recording – There were a number of options on the table: using an IVR, stopping the recording of calls altogether, and pausing the recording when the Credit Card number was mentioned. The option taken, as it was seen as having less impact on the Customer and hence giving a better Customer experience, was to pause the recording while the Credit Card number is being read out. This option does have its limitations: it relies on the Call Centre agent’s ability to control the conversation, and knowing when the Credit Card number will be mentioned was difficult to say the least. Think of a person ringing up with a complaint: “I have a charge on my Credit Card 5353…”.

The final hurdle, and the most difficult, was changing behaviour. All the technological solutions in the world can’t stop a person from writing the Credit Card number on a piece of paper. This is why PCI-DSS should not be considered a technology project alone. The impact on the business can be greater than the technical work, and a failure to manage the changes in behaviour will cause you to fail PCI-DSS compliance. Strong controls had to be documented and implemented for the scenario where a Credit Card number did enter the business.

There are of course a number of other ways to achieve PCI-DSS compliance. This is just one way that was considered successful by both the business and the QSA.

© Copyright 2020 3CA PTY LTD
