Companies implement unified communications technology to foster easy, open communication among employees, customers and business partners, enabling them to easily connect with one another and share information. And many of those very same companies also need to comply with the Payment Card Industry Data Security Standard (PCI DSS), which is all about locking down credit card data and preventing access to it from any unauthorized user.
In other words, PCI is pretty much the exact opposite of UC. How, then, does a company that has to comply with PCI deal with this reality and still implement an effective Unified Communications strategy?
It’s a thorny issue, to be sure. To get some tips for how to deal with it I talked with Scott Kinka, CTO for Evolve IP, which provides a series of hosted IT services including call centers, VoIP and security.
Assuring PCI Compliance for Voice
Voice is probably the easiest issue to deal with, as call centers have been doing just that for some time, although specific guidance on the issue is rather limited. In 2011, the PCI Security Standards Council issued an “information supplement” about how to protect telephone-based payment card data.
“The overwhelming majority of the content was about storage and capturing call recordings, not real-time conversations,” Kinka says. Indeed, the paper goes into detail on the circumstances under which call recordings that contain credit card info can be stored, how they must be encrypted and the like.
But consider the reality that many call center agents are in home-based offices. How do you ensure PCI compliance if these folks are taking credit card numbers over the phone?
Kinka lays out a number of options. Some service providers, including Evolve IP, will enable hardware-based encryption from the agent’s VoIP phone back into the provider or corporate network. Keeping in mind that the agent is likely typing that credit card number into some sort of application, you’ve also got to encrypt the data connection. That requires each agent to have some form of virtual private network (VPN) client or gateway that forms an encrypted tunnel back into the corporate network.
Yet another option is to use a soft client in the agent’s PC that encrypts voice communications along with everything else coming from the PC. “One area that’s completely clear in PCI is, if the end user is listening to you and typing your credit card number on a page, all that has to be encrypted,” Kinka says. “A soft client would fold directly in with that strategy because you’re already securing the end point.”
If none of these options suit you, there’s also the mid-call Interactive Voice Response (IVR) strategy. Probably you’ve encountered this at some point, where an agent patches you over to an automated IVR to collect your credit card data. The IVR encrypts that portion of the conversation, and because it collects the digits itself, the card number never has to reach the agent’s phone or screen. This is used mostly when agents are overseas or in home offices, Kinka notes.
Preventing Inadvertent Passing of Credit Card Data
So you’ve got several options for how to protect data in a call center. But things get more interesting when you consider the rest of the UC universe, particularly instant messaging and email.
For starters, if you’re recording calls for quality assurance purposes, step one is to turn off any options that enable recordings to be emailed to other users. “You can’t just say, ‘press a button and you can get a recording of this call sent to your inbox.’ Turn that off,” Kinka says.
To prevent employees from sending credit card information via email, companies can implement security tools that look for specific information and stop it from being sent. That may include .wav files, for example, or any string of digits that looks like a credit card number, he says.
As for IM, the answer is simple: you need to offer a corporate version for business use, rather than allow employees to use their preferred consumer IM app. Then you can apply appropriate security policies to ensure you keep in compliance.
“You can apply data loss prevention or not allow federation of IM to users outside the business, or only to those the business has authorized,” Kinka says.
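As an added illustration of the email and IM content checks described above (this is example code written for this page, not code from the article or from Evolve IP), the following Python filter does what a data loss prevention rule on a mail gateway or corporate IM server does before a message is delivered: it refuses audio attachments by extension, finds runs of 13 to 19 digits that pass the Luhn checksum used by card numbers, and records any hit masked to first six and last four digits, the most PCI DSS permits to be displayed, so that the filter’s own log does not become one more place card numbers are stored. The message shape, the sample messages and the blocked-extension list are assumptions made for the example; the card numbers in the samples are the well-known public test numbers.

```python
import re
from dataclasses import dataclass, field

# Added example (not code from the article): a minimal outbound-message
# filter of the kind a DLP tool applies to email or corporate IM.

# Recording formats the policy refuses to let leave by email/IM.
# Assumption for the example: only .wav, the format the article names.
BLOCKED_ATTACHMENT_EXT = (".wav",)

# Candidate primary account number: 13 to 19 digits, optionally separated
# by single spaces or dashes, and not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum card numbers use."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid card numbers found in text, separators removed."""
    pans = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_ok(digits):
            pans.append(digits)
    return pans


def mask_pan(pan: str) -> str:
    """Show at most the first six and last four digits (the PCI DSS display limit)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Verdict:
    allowed: bool
    reasons: list[str] = field(default_factory=list)


def inspect_message(msg: dict) -> Verdict:
    """Decide whether an outbound message may be delivered.

    msg has an assumed shape: {"subject": str, "body": str, "attachments": [filenames]}.
    """
    reasons = []
    for name in msg.get("attachments", []):
        if name.lower().endswith(BLOCKED_ATTACHMENT_EXT):
            reasons.append(f"blocked attachment type: {name}")
    text = msg.get("subject", "") + "\n" + msg.get("body", "")
    for pan in find_pans(text):
        # Log only the masked form so the DLP log does not itself store PANs.
        reasons.append(f"PAN detected: {mask_pan(pan)}")
    return Verdict(allowed=not reasons, reasons=reasons)


# Constructed sample traffic (not real messages); the card numbers are the
# well-known public test numbers, not live cards.
SAMPLE_MESSAGES = [
    {"subject": "Order 58213", "body": "Customer card 4111 1111 1111 1111, exp 12/26",
     "attachments": []},
    {"subject": "QA review", "body": "Recording of the call attached",
     "attachments": ["call-agent07.wav"]},
    {"subject": "Shipment", "body": "Tracking number 1234567890123456",
     "attachments": ["label.pdf"]},
]


def scan(messages: list[dict]) -> list[tuple[str, Verdict]]:
    """Run the filter over a batch and pair each subject with its verdict."""
    return [(m.get("subject", ""), inspect_message(m)) for m in messages]


if __name__ == "__main__":
    for subject, verdict in scan(SAMPLE_MESSAGES):
        state = "ALLOW" if verdict.allowed else "BLOCK"
        print(f"{state:5} {subject!r} {'; '.join(verdict.reasons)}")
```

Two caveats a practitioner would add. The Luhn check removes most order and tracking numbers (the 16-digit tracking number in the third sample fails it and is allowed through), but about one random digit string in ten passes, so a rule like this still needs tuning against real traffic and a review path for false positives. And the filter only works where it can see the plaintext of the message and its attachments, which is the practical reason behind the corporate-IM advice above: traffic on an employee’s consumer IM app never passes through a server the company controls, so no such check can be applied to it.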
Educate Users on Their PCI Responsibilities, Especially in a UC Environment
No matter how well they segment their networks to protect credit card data, companies do have to realize that UC and PCI compliance “do run directly into each other,” Kinka says. “I always come back to the least common denominator: the end user.”
About 80% of data leak problems are the result of humans doing something they shouldn’t have, he says. Given that, education is crucial, and he says an emerging component of PCI DSS is the idea that businesses will have to prove they’re educating employees on what to do and what not to do.
That makes sense, as some of the biggest breaches we’ve heard of are the result of phishing scams, where an employee is duped into giving up sensitive information and unwittingly exposes the company’s internal systems.