Call centers have very high turnover, often more than 30-40 percent per year. Not only do these people represent your brand, but they also have access to lots of confidential data, well beyond card data, which creates significant potential for fraud and theft.
These employees are closely monitored, for "call quality" and other reasons. Some studies have suggested this creates a negative attitude, prompting numerous unionization efforts and increasing the potential for data theft and fraud. These are the classic "disgruntled employees" you've heard so much about. If you got yelled at all day because of product failures or promises made by sales, you'd be disgruntled, too.
Call center employees are monitored closely (audio, video and even key logging), and call centers are sometimes classified as "sensitive areas" under PCI DSS requirement 9.1.1. That classification has led some companies to build walls and erect partitions to physically isolate the call center, or the specific agents who have privileged access to card data or other confidential data. On the bright side, this can cut down on "shoulder surfing" and other social engineering efforts by disgruntled employees to take advantage of their more "gruntled" (satisfied) colleagues. The downside is that it tends to exacerbate tensions in the group and so increases the risk of data theft and fraud.
One of the keys to reducing this risk is to eliminate call center employees' access to card data beyond the initial entry of the record. Newer call center software commonly masks 12 of the 16 digits, leaving only the last four visible, once the number has been entered and verified. But call quality monitoring software and services often still capture the full 16-digit number, and some QSAs have viewed this as bringing the entire call quality process, and every service provider involved in it, into scope. The PCI SSC, however, has stated in its FAQ that if the call recordings cannot be queried, they are (in most cases) out of scope of the PCI assessment. In general, older contact center applications and payment processing modules must be upgraded to PA-DSS validated versions (where applicable) or obtained from service providers that have been validated as PCI compliant.
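To make the "enter, verify, then mask" pattern concrete, here is an added example (not code from the original post or from any call center product) showing how an agent desktop can verify a card number at entry, hand the full PAN off and retain only the masked form, and how the same masking can be applied to free text such as QA notes or transcripts so that recordings and notes never carry a queryable PAN. The `tokenize` stand-in and the sample inputs are constructed for illustration; PCI DSS 3.3 permits showing at most the first six and last four digits, and this example keeps only the last four, matching the 12-of-16 masking described above.

```python
import re
import secrets

# Separators an agent is likely to type or a transcript is likely to contain.
_SEPARATORS = re.compile(r"[ -]")

# Candidate PANs in free text: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(pan: str) -> bool:
    """Luhn (mod 10) check used to verify a card number at entry time.
    Catches typos and keeps random digit runs from being treated as PANs."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Replace all but the last four digits with '*' (12 of 16 for a 16-digit PAN)."""
    return "*" * (len(pan) - 4) + pan[-4:]


def tokenize(pan: str) -> str:
    """Stand-in for the payment processor / tokenization service (hypothetical).
    In production the full PAN goes to the processor and only a token comes back."""
    return "tok_" + secrets.token_hex(8)


def capture_card(raw_input: str) -> dict:
    """Agent entry path: normalise, verify, tokenize, and keep only the masked PAN.
    The full PAN exists only transiently here and is never written to the record."""
    pan = _SEPARATORS.sub("", raw_input)
    if not luhn_valid(pan):
        raise ValueError("card number failed entry verification")
    token = tokenize(pan)
    return {"masked_pan": mask_pan(pan), "last4": pan[-4:], "token": token}


def redact_pans(text: str) -> str:
    """Mask Luhn-valid card numbers inside free text (QA notes, transcripts).
    Digit runs that fail Luhn (order numbers, account IDs) are left untouched
    to avoid destroying legitimate data."""
    def _sub(match: re.Match) -> str:
        candidate = _SEPARATORS.sub("", match.group(0))
        return mask_pan(candidate) if luhn_valid(candidate) else match.group(0)
    return PAN_CANDIDATE.sub(_sub, text)


if __name__ == "__main__":
    # Constructed sample input: a well-known test card number and a non-card digit run.
    record = capture_card("4111 1111 1111 1111")
    print(record)
    note = "Customer read 4111 1111 1111 1111 and confirmed order 1234567890123456"
    print(redact_pans(note))
```

The redaction step deliberately checks Luhn before masking: a 16-digit order number is left alone, while a valid PAN read aloud into a transcript is reduced to its last four digits, which is what keeps the stored notes and recordings from being queryable for card numbers.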
There is growing demand among merchants to outsource the collection, processing and storage of confidential data. Because many call centers are themselves outsourced, this creates the potential for tangled sub-contracting arrangements that are extremely difficult to monitor on an ongoing basis. Any firm that outsources all or part of its contact centers should not only review the contracts for PCI compliance (and for limits on further subcontracting), but also write into the contracts, and put into practice, a quarterly review by the PCI team, IT security or internal audit. That review should gather factual evidence from each service provider of how it isolates each customer's cardholder data environment from every other customer's, as stipulated in Appendix A of the PCI DSS (the additional requirements for shared hosting providers). When outsourcing confidential data, remember that if continuously complying with the PCI DSS is tough for you as a single merchant, it is far harder for a service provider that must create and protect cardholder data environments for thousands of merchants. Ensuring that service providers actually do so is part of each merchant's due diligence obligation.
The PCI Knowledge Base is about to launch an investigation of the connection between PCI controls and fraud levels, working with the Merchant Risk Council. We will be talking to many E-Commerce and other merchants about these controls and would welcome the opportunity to speak (100 percent anonymously) with any readers who are interested in this topic. Please send E-mail to [email protected]