Is homeworking jeopardizing your PCI compliance?

Avatar

Written by Wayne Campbell

Published July 2021

In this article...

With the pandemic shifting a huge portion of the UK workforce to home-workers, 60% of UK adults at the height of the pandemic, and with research showing at least 26% of workers plan to continue working from home, organisations are having to look at long term solutions to maintain their PCI compliance whilst also providing a safe working environment for their employees.  

Our Pay360 whitepaper “Protecting telephone-based payment-card data in a working-from-home environment” available for free here, explores into more detail the PCI implications of this new home-based workforce, but there are solutions that organisations can implement that give them the ability to protect their employees, continue to securely accept telephone-based card payments and comply with their PCI DSS responsibilities.

The easiest way to protect your staff is to remove what can compromise them

For many organisations, the ability for their homeworkers to continue to accept card payments over the phone is essential. But without putting certain measures in place, organisations can find themselves in contravention of their PCI obligations, bringing their employee’s working environment into scope and opening themselves up to potential breaches. The increase in cyber-attacks, with 36 billion records exposed by Q3 of 2020, only adds weight to the need for these measures.  

Whilst security procedures such as company-provided hardware with up-to-date firewalls and dual authentication measures do go some way to protect sensitive data and adhere to their PCI responsibilities, the best way to ensure that their employees can’t be compromised is to remove from their environment the information cyber criminals are after – payment card data.

Securing telephone-based payment solutions

One solution is DTMF supressing or masking software. DTMF stands for “dual-tone multi-frequency” and are the signals or ‘beeps’ generated when a user presses individual buttons on their telephone keypad. Whilst these tones are dual frequency (one high, one low), a measure put in place to try and prevent voice imitation, with the right hacking software these signals can be decoded.

With DTMF supressing solutions, the applicability of PCI DSS to that environment can be reduced as the agent never sees or hears card data. Customers input their card information using their telephone keypad when prompted and the information is automatically transmitted to the Payment Service Provider (PSP) for authorisation. No cardholder data is exposed to the agent or enters the organisation’s environment, meaning the scope of PCI DSS is vastly reduced.

When details are entered, the supressing software removes the DTMF tones or, as with DTMF masking, the tones are replaced by either a random tone or a flat tone. This ensures that even if calls are recorded and hacked, the signals can never be decoded and removes the threat of malicious attacks by criminals or rogue agents.

The agent can stay on the line with the customer, providing support if required, and monitor the customer’s progress using a desktop application, where they will only see asterisks as the payment details are entered. This facilitates a compliant and secure environment to process card payments, but still delivers a supportive and seamless customer experience.

Benefits for organisations and employees alike

Without appropriate segmentation, the merging of voice and data systems can have the effect of bringing the organisation’s wider infrastructure into PCI DSS scope – and that can include your employee’s working environment. However, a properly designed and deployed DTMF supressing or masking solution can take not only the telephony environment, but also the agent environment and CRM system out of PCI scope, as shown in the PCI SSC’s diagram below. The responsibilities sit with your Payment Service Provider and DTMF suppressing solution provider.

PCI SSC Phone Image

Source – PCI Security Standard Council - Off-premises deployment of DTMF masking

These solutions not only bring more peace of mind to the organisation; it also provides added benefits to their employees. Your employees know that, should data somehow be breached from elsewhere within the organisation, fingers will never be pointed in their direction, making for a much more relaxed and enjoyable working from home environment.

Liability and fines

The risk of non-compliance, or not fully understanding the scope of your organisation's card data environment, is now apparent and the first fines applied under the GDPR / Data Protection Act 2018 are now being realised. In addition to the British Airways £20m fine, in a data breach affecting more than 400,000 customers, Ticketmaster has fallen foul of not fully understanding the impact of connected service providers by ensuring partner compliance in an environment that was not integrated securely or included in the PCI DSS connected environment scope. Here we have found that the devil is in the detail, costing the organisation not only £1.25m, but investigators also found that, as a results of the breach, 60,000 payment cards belonging to customers of a major high street bank, had been subjected to known fraud.

"The reputational damage cannot be estimated in value."

 

Wayne Campbell I Pay360 Qualified PCI DSS Internal Security Assessor (ISA) I PCIP Payment Card Industry Professional

Wayne.campbell@capita.com