About Compliance (in general) and PCI compliance (in specific)
Compliance issues go well beyond the contact center activity and provide a classic example of the importance of distinct roles in organizations:
For the business, compliance is simply a set of rules to be followed, and, if the rules are followed, the business considers itself to be compliant — for example, with Payment Card Industry (PCI) standards.
However, from a security and risk management perspective, the issue is far larger. The business recognizes that a failure in PCI compliance may result in a downgrading of the enterprise’s PCI status, which could cost millions of dollars in card processing fees. The security professional recognizes that the enterprise can be PCI-compliant and still suffer a data breach, because it does not take a broad-scope approach to protecting regulated or otherwise sensitive data, of which cardholder data covered by PCI is just one component.
The security professional recognizes that the same processes used for PCI compliance can be used in overall data protection and governance, protecting the enterprise against financial loss, reputational damage and regulatory scrutiny — and potentially saving significant amounts of money. For all these reasons, security professionals must be prepared to ask business leaders business-oriented questions, and to receive and correctly interpret responses and questions from business leaders that may be couched in business-oriented language.
What to do about the problem:
Compliance in general, and PCI compliance in particular, is a broad subject that spans the entire organization, not just the contact center.
Once IT is able to get business leaders’ attention and demonstrate support of their goals, it will be easier to engage them in a dialogue in which it can work toward gaining consensus as to what the actual risks are. Create mechanisms such as data classification schemes that help nonspecialists conceptualize and rank their needs for confidentiality, integrity and availability protection.
PCI Compliance on OneContact 2.5
The end customer and its processes are the entities that can be certified as PCI compliant. The OneContact Product Suite cannot be certified as PCI compliant as is. It is important to understand that while OneContact can offer features to assist with PCI compliance, it cannot itself be labeled as compliant.
- Recording Encryption
The recordings are stored in an EFS (Encrypting File System) folder or drive. EFS is provided by the operating system in order to encrypt a directory or drive in which the recordings are stored.
- Auditing for Recordings Access
Access control is enforced by the operating system, and only supervisors with the right profile in OneSupervisor are able to access the recordings. The audit trail for recordings access is based on the user who accessed them via OneSupervisor.
- Recording Start/Stop
To prevent credit card information from being stored in the recordings, the agent has the ability to stop the recording when the credit card details are being discussed and then start up again after the credit card transaction has completed.
- Transmission Encryption
OneContact supports SIPS/SRTP for voice and HTTPS for all communications between components.
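The agent-driven start/stop described above only keeps cardholder data out of the recordings if the recorder was actually paused for the whole time the card details were spoken. The following is an added example, not part of OneContact or of the original text, of a check a compliance reviewer could run over call metadata: it takes the recorder start/stop events for a call and the time windows (assumed to come from the payment system's own timestamps) in which card data was entered, and reports any part of a card window that was captured on the recording. The event and window formats are assumptions for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Interval:
    start: float  # seconds from call start
    end: float    # seconds from call start


def recorded_segments(events: List[Tuple[float, str]], call_end: float) -> List[Interval]:
    """Turn (timestamp, 'start'|'stop') recorder events into the intervals
    during which audio was actually captured. Duplicate starts/stops are
    ignored; a recorder still running at hang-up is closed at call_end."""
    segments: List[Interval] = []
    open_at = None
    for ts, kind in sorted(events):
        if kind == "start" and open_at is None:
            open_at = ts
        elif kind == "stop" and open_at is not None:
            segments.append(Interval(open_at, ts))
            open_at = None
    if open_at is not None:
        segments.append(Interval(open_at, call_end))
    return segments


def exposed_windows(segments: List[Interval], card_windows: List[Interval]) -> List[Interval]:
    """Return every part of a cardholder-data window that overlaps a recorded
    segment, i.e. the stretches of audio that may contain card details."""
    exposed: List[Interval] = []
    for w in card_windows:
        for s in segments:
            lo, hi = max(w.start, s.start), min(w.end, s.end)
            if lo < hi:
                exposed.append(Interval(lo, hi))
    return exposed


def check_call(events: List[Tuple[float, str]], card_windows: List[Interval], call_end: float) -> List[Interval]:
    """Empty result means the pause covered the card entry; otherwise the
    returned intervals should be reviewed and the recording remediated."""
    return exposed_windows(recorded_segments(events, call_end), card_windows)


if __name__ == "__main__":
    # Constructed sample: 300 s call, recorder paused 120-180 s, card read at 125-170 s.
    ok_events = [(0, "start"), (120, "stop"), (180, "start")]
    print(check_call(ok_events, [Interval(125, 170)], 300))   # [] -> compliant
    # Agent resumed recording at 160 s, 10 s before the card read finished.
    early = [(0, "start"), (120, "stop"), (160, "start")]
    print(check_call(early, [Interval(125, 170)], 300))       # [Interval(160, 170)]
```

Running this over a day's call metadata gives a list of recordings that need to be purged or re-reviewed, which is a stronger control than trusting that every agent pressed the button at the right moment.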
- As you secure your enterprise systems, remember that insiders with privileged and knowledgeable access can cause significantly more damage than an outside hacker acting alone.
- Budget priorities should focus on eliminating cardholder data storage where possible, and properly segmenting the section of the network that handles card data.
- Security audits should be conducted continuously or as frequently as possible, and not be limited to what’s required by PCI. Don’t rely on PCI assessments for stamps of “security approval.”
- Don’t use the same firms for PCI assessments and PCI deficiency remediation services. If that can’t be avoided, however, then require the assessor to fully disclose any business relationships it has with technology and service providers.
Note: some excerpts of this blog were compiled from Gartner’s documents.