If your business operates a call center, and you’re considering a PCI assessment, you’re likely wondering two things:
- Is the call center in scope for your PCI assessment? (Probably.)
- If so, is there a way to reduce its scope in the assessment? (Definitely.)
If your call center takes cardholder data (CHD) over the phone, it is in scope: the agents who hear the card number, the workstations they key it into, and any system that records the calls are all storing, processing, or transmitting CHD. Call recording and agents typing CHD into their workstations are what usually pull the most systems into scope.
The good news is that it’s possible to reduce the scope of your call center in your PCI assessment. And, in some cases, it’s quite simple.
Four Common PCI Scope Reduction Efforts for Call Centers
1. Use P2PE devices.
If your call center employees input credit card information into their workstations, invest in P2PE (point-to-point encryption) devices.
These devices encrypt the card number at the point of entry, before it reaches the agent's workstation or your network. Only the P2PE solution provider's decryption environment holds the keys, so nothing in your call center ever handles cleartext CHD.
There are two important things to note if you are using this technology to reduce your PCI scope.
First, make sure the solution you use is actually a PCI-validated P2PE solution, listed on the PCI SSC website. The device, the application running on it, and the solution provider are validated together, so a "P2PE-capable" terminal on its own does not count. If the solution is not listed, your QSA will not accept it as an effective scope-reduction method.
Second, P2PE only reduces scope where it covers every path by which cardholder data enters. Any workstation or application where an agent can still key a card number in cleartext remains fully in scope. So, map exactly where in your call center cardholder data is processed and implement P2PE at all of those points.
2. Use the right call recording technology.
If your call center employees are receiving CHD, they are receiving it over the phone. And, if those calls are recorded without the right technology, the cardholder data is recorded too, and the recording platform and its storage become part of your cardholder data environment.
If you want to reduce your call center's scope, your goal is to make sure CHD is not recorded. Keep in mind that the card verification code (CVV2/CVC2) is sensitive authentication data and may not be stored after authorization in any form, even encrypted, so a recording that captures it is a compliance failure, not just a scope problem.
There are call recording technologies that allow call center employees to manually pause the recording at the point where CHD is shared. Manual pausing is only as reliable as the agent, so if you use this type of technology, you also need procedural controls (training, supervisor monitoring, and periodic sampling of stored recordings) to ensure employees perform it correctly every time.
There are also technologies that automatically detect when CHD is being shared in a call, for example by having the caller key the card number on the phone keypad and suppressing the DTMF tones, or by recognizing card-number patterns in the audio or a transcript, pause the recording, and pick it back up again after the CHD has been shared. Verify that the detection covers every route a call can take, including transfers and conferenced calls.
By the way, if you are also recording video of call center agents' screens in addition to call audio, verify whether those videos capture CHD as agents enter it or at any time thereafter (for example, an order screen that still shows the full card number). If so, the video is stored CHD, and you will need to pause or mask the screen recordings as well to eliminate that storage.
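The automated pause-and-resume approach described above, as an added illustration (this is example code written for this page, not a product's code or the page author's own): a Luhn-validated card-number detector that redacts PANs in a constructed call transcript, and a small state machine that decides when a recorder should pause while a caller keys a card number on the keypad (DTMF). The transcript lines are made up, and the names (`RecordingGate`, `redact_transcript`, and so on) are assumptions; a real deployment would hook these into the recording platform's pause API and hand the digits to the P2PE or payment path rather than keeping them.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not adjacent to other digits. Spoken card numbers usually transcribe as digit groups.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; every branded card number passes it, most other numbers do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str):
    """Return (start, end, digits) for every Luhn-valid card-number candidate in text."""
    hits = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append((m.start(), m.end(), digits))
    return hits


def redact(text: str) -> str:
    """Replace each detected PAN with a truncated form (last four digits only)."""
    out = text
    for start, end, digits in reversed(find_pans(text)):  # right-to-left keeps offsets valid
        out = out[:start] + "*" * (len(digits) - 4) + digits[-4:] + out[end:]
    return out


def redact_transcript(lines):
    return [redact(line) for line in lines]


class RecordingGate:
    """Pause/resume decision for a recorder while the caller keys a PAN via DTMF.

    Recording pauses on the first digit and resumes when the caller presses '#',
    when the buffer reaches the 19-digit maximum, or when the IVR times out.
    Only the last four digits are retained here (a truncated PAN is not CHD).
    """

    MAX_PAN_LEN = 19

    def __init__(self):
        self.buffer = ""
        self.paused = False
        self.last4 = None
        self.log = []

    def feed(self, key: str) -> bool:
        """Process one DTMF key; return True while recording should stay paused."""
        if key.isdigit():
            if not self.paused:
                self.paused = True
                self.log.append("pause")
            self.buffer += key
            if len(self.buffer) >= self.MAX_PAN_LEN:
                self._finish()
        elif key == "#" and self.paused:
            self._finish()
        return self.paused

    def timeout(self) -> None:
        """Inter-digit timeout: end the entry so the recorder never stays paused forever."""
        if self.paused:
            self._finish()

    def _finish(self) -> None:
        digits, self.buffer = self.buffer, ""
        if 13 <= len(digits) <= self.MAX_PAN_LEN and luhn_valid(digits):
            self.last4 = digits[-4:]
            self.log.append("pan:" + self.last4)
        else:
            self.log.append("discard")   # not a card number; nothing is kept
        self.paused = False
        self.log.append("resume")


# Constructed sample transcript (not real call data); 4111... is a public test number.
SAMPLE_TRANSCRIPT = [
    "Agent: I can take the payment now, go ahead with the card number.",
    "Caller: Sure, it's 4111 1111 1111 1111, expiry 12/26.",
    "Agent: Thanks. And the order number for the receipt?",
    "Caller: Order 1234-5678-9012-3456, same as the email.",
]

if __name__ == "__main__":
    for line in redact_transcript(SAMPLE_TRANSCRIPT):
        print(line)
    gate = RecordingGate()
    for key in "4111111111111111#":
        gate.feed(key)
    print(gate.log, gate.last4)
```

The Luhn check is a filter against false positives (the order number above is left alone), not a completeness signal: the gate resumes on the '#' terminator or a timeout rather than on the first Luhn-valid prefix, because a 13- to 15-digit prefix of a 16-digit PAN has roughly a one in ten chance of passing Luhn by itself. Whatever detection method you use, sample the stored recordings periodically to confirm nothing leaked; your QSA will.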
3. Outsource call center operations.
Quick clarification: This doesn’t mean outsourcing all call center operations (although you can do this if you choose), but rather outsourcing payment acceptance call center operations.
In practice, this means you could effectively have two call centers:
One that is owned and managed by your company and does not touch any CHD (this could be a helpdesk, etc.), and another, which you outsource, that accepts payment information.
By outsourcing the payment acceptance part of your business to a PCI DSS compliant service provider, you remove that processing from your own environment. The provider relationship itself stays in scope: PCI DSS requires you to keep a list of the service providers you share CHD with, perform due diligence before engaging them, hold written agreements acknowledging their responsibility for the CHD they handle, and monitor their compliance status at least annually. You also remain responsible for any CHD that still reaches your own staff or systems, for example a helpdesk agent who is read a card number by a caller who dialed the wrong line.
4. Choose cloud-hosted when possible.
If CHD is stored, processed, or transmitted on any internally-hosted websites or desktop-based software, those technologies will be in-scope, and your organization will be responsible for implementing controls around them to protect CHD.
However, if these applications are instead hosted on PCI DSS compliant cloud-based systems, your organization has fewer controls to maintain. Responsibility is shared rather than transferred outright: the provider attests to the controls it operates, you verify that attestation (and the responsibility matrix the provider should supply) at least annually, and you remain responsible for every element of the CDE still under your control, such as agent workstations, user accounts and access rights in the hosted application, and the way you integrate with it.
Scope reduction might require a significant amount of work up front. But, in the long run, it will simplify your PCI assessment and, because fewer systems ever touch cardholder data, improve your overall security posture.
If your organization is considering a PCI assessment, contact us to learn how we can help. Whether you’re looking for an assessor or just guidance to increase your likelihood of a compliant RoC, we’d love to hear from you.