‘Protecting telephone-based payment-card data in a working-from-home environment’
A pandemic on the scale of Covid-19, and its ramifications for organisations, is unprecedented. It arrived without warning and forced organisations to shut their doors at very short notice.
Organisations suddenly had to focus on how to transition office-based workers to home-workers whilst keeping them safe and their operations running. Unfortunately, what many overlooked (or perhaps suspected, but hoped for the best) was the increased risk to which this move from office to home had exposed them and, in turn, their employees.
When we closed the doors, did we open a window?
For most organisations, being able to continue to take payments on the phone while their employees work from home has been critical to keep their organisation running and keep revenue coming in.
However, by transitioning to a work from home operational model, often facilitated by VoIP and CCaaS applications, organisations have increased the footprint of their card holder data environment (CDE) and effectively included employees’ homes within that footprint.
This transition has not just extended PCI scope, it has also put home-workers who have access to payment-card data firmly in the sights of cyber-criminals.
Cyber-criminals wagered that organisations would not have carried their office-level security controls across to the home environment, and looked to use this ‘open window’ to their advantage. With most tasks now carried out in cloud-based environments, cloud-based cyber-attacks rose 630% between January and April 2020, and data breaches exposed 36 billion records in the first half of 2020 alone. Many of these attacks targeted SMEs: a recent Verizon report showed that 43% of breach victims were small and medium organisations.
So, how can you protect your home workers and your PCI compliance?
The PCI SSC provides clear advice on the best ways to mitigate risks to your people, processes and technology. This includes regular security-awareness training for staff, ensuring that employees use only company-provided hardware, and ensuring that all of that hardware runs up-to-date anti-virus and firewall software. Regular mandatory password changes are also recommended, as is multi-factor authentication when connecting to the telephone environment or to any system that processes account data. However, more is required.
The most effective way to protect employees is to remove the possibility of their ever being compromised: if card data never reaches them, it cannot be stolen from them.
A ‘no CDE’ approach to PCI DSS compliance simply eliminates payment-card data, spoken or otherwise, from an organisation’s infrastructure. Cloud-hosted DTMF-suppression solutions are one way to achieve this.
These solutions remove the need for the call agent to hear or key in any sensitive card data. Customers enter it themselves on their telephone keypad; all the agent hears is a masked ‘beep’, and all they see on screen is confirmation that payment details have been entered. The agent never needs to see or hear the card details.
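To make the data flow described above concrete, here is an added illustration of a DTMF-suppression component sitting between the telephony platform and the agent desktop. It is not Pay360's code or any vendor's product: the class names (`DtmfSuppressor`, `PaymentGateway`), the token format and the scripted call are all assumptions, and the card number used is the standard Luhn-valid Visa test PAN. The point it shows is the separation the ‘no CDE’ model relies on: keypad digits are diverted to the payment gateway, while the agent-facing channel receives only identical ‘beep’ events and a masked display, so nothing on the agent's side ever contains the PAN.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input: the well-known Luhn-valid Visa test PAN.
TEST_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """Luhn checksum, used only to decide whether a keyed card number is well-formed."""
    if not pan.isdigit() or len(pan) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Agent-facing display: last four digits only (PCI DSS permits at most
    the first six and last four to be shown without a business need)."""
    return "*" * (len(pan) - 4) + pan[-4:]


@dataclass
class PaymentGateway:
    """Hypothetical processor endpoint: the only component that ever receives the PAN."""
    received: List[Dict[str, str]] = field(default_factory=list)

    def authorise(self, pan: str, expiry: str, cvv: str) -> str:
        self.received.append({"pan": pan, "expiry": expiry, "cvv": cvv})
        return f"tok_{pan[-4:]}_{len(self.received):04d}"  # constructed token format


class DtmfSuppressor:
    """Hypothetical component between the telephony platform and the agent desktop.
    Keypad digits keyed during capture go to the gateway; the agent gets only beeps."""
    FIELDS = ("pan", "expiry", "cvv")   # each field is terminated by '#'

    def __init__(self, gateway: PaymentGateway) -> None:
        self.gateway = gateway
        self.agent_events: List[str] = []   # everything the agent hears or sees
        self.capturing = False
        self.buffer = ""
        self.collected: Dict[str, str] = {}
        self.token: Optional[str] = None

    def start_capture(self) -> None:
        """Agent presses 'take payment'; from here on keypad digits are diverted."""
        self.capturing = True
        self.agent_events.append("SCREEN: awaiting card number")

    def on_dtmf(self, key: str) -> None:
        if not self.capturing:
            self.agent_events.append(f"TONE:{key}")   # IVR navigation stays audible
        elif key == "#":
            self._complete_field()
        elif key.isdigit():
            self.buffer += key
            self.agent_events.append("beep")   # same masked tone for every digit

    def _current_field(self) -> Optional[str]:
        return next((f for f in self.FIELDS if f not in self.collected), None)

    def _complete_field(self) -> None:
        name = self._current_field()
        assert name is not None
        value, self.buffer = self.buffer, ""
        if name == "pan" and not luhn_valid(value):
            self.agent_events.append("SCREEN: card number failed check, customer re-entering")
            return
        self.collected[name] = value
        self.agent_events.append(
            f"SCREEN: card {mask_pan(value)} entered" if name == "pan" else f"SCREEN: {name} entered"
        )
        if len(self.collected) == len(self.FIELDS):
            self.token = self.gateway.authorise(**self.collected)
            self.capturing = False
            self.agent_events.append(f"SCREEN: payment authorised, reference {self.token}")


def run_call(keypresses: str, gateway: Optional[PaymentGateway] = None) -> DtmfSuppressor:
    """Drive a scripted call; '!' marks the moment the agent starts capture."""
    s = DtmfSuppressor(gateway or PaymentGateway())
    for key in keypresses:
        s.start_capture() if key == "!" else s.on_dtmf(key)
    return s


def agent_saw_pan(s: DtmfSuppressor, pan: str) -> bool:
    """Defender's check: does any agent-side artefact contain the full PAN?"""
    return any(pan in e for e in s.agent_events)


if __name__ == "__main__":
    call = run_call("2!" + TEST_PAN + "#1227#123#")
    print("\n".join(call.agent_events))
    print("agent saw PAN:", agent_saw_pan(call, TEST_PAN))
```

The `agent_saw_pan` check is the property an assessor cares about: the agent's events reveal how many digits were keyed, but never which ones, and the only card-derived value on the agent screen is the token and last-four display. A rejected number (Luhn failure) is bounced back to the customer without the agent ever seeing what was keyed.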
But it’s not all doom and gloom – it brings opportunities too
However, it is not all doom, gloom and potential breaches. Making greater use of your call agents can also bring beneficial business opportunities. Agents, often working in a more relaxed environment, can build a rapport with customers that leads to cross-sell or upsell opportunities. Using call agents also puts back into the sale the human element that was lost during the lockdowns, allowing you to rebuild relationships with customers and prospects as the world finds its footing again.
For further information
For a more in-depth look at the impacts of home working and the further potential risks organisations face, our whitepaper ‘Protecting telephone-based payment-card data in a working-from-home environment’, written by Pay360’s compliance expert John Greenwood, Director of Compliance3 Limited, can be downloaded free of charge here.