PCI compliance for customer data, are you doing it right?
Mike Evanisko
PCI DSS compliance has been part of your business practices since 2004 (or since whenever you opened your doors after that), unless your business doesn’t take payment cards. Any time a customer shares a primary account number (PAN), the long number on a credit or debit card, you are on the hook for the requirements of the PCI Data Security Standard. PCI DSS is not a law; it is an industry standard that your acquiring bank and the card brands enforce through your merchant agreement, which makes it no less binding. It’s your company’s responsibility to see that a PAN’s journey ends with you. Thing is, PANs like to reproduce themselves. The customer speaks the PAN over the phone, and then it becomes much like the cartoon where someone tries to shake a bird off a stick and suddenly there are two birds, three birds, and so on. Here’s a breakdown of the places a PAN clones itself to.
- It’s in your billing system, which is usually well protected
- It’s in your call recordings, those vital audio files you collect for quality assurance
- It’s in your call transcript if you’re collecting those
- It’s in every backup of those systems, where it inherits the PAN but often not the protection
This multiplying bird is a challenge to manage, and if not locked down, might sing like a canary to a data thief.
Do I have to have a PCI compliance plan?
Yes. Yes, you do. You totally have to do this. When data thieves infiltrate your company and uncover your customer data, here’s what you have to look forward to:
Churn, Baby, Churn:
Customer churn rates have gone up over the past seven years, and the Ponemon Institute points to data breaches as the main cause. Data security is not an unfamiliar topic to the average citizen anymore. Between neverending robocalls and the inbox full of spam, many people are well aware that their data has landed in places they never would’ve sent it.
When your company suffers a data breach, you become a lawsuit target. Regulators can come after you (the FTC has brought enforcement actions over inadequate data security, and state attorneys general can sue). Your customers can sue you, individually or as a class. To top it off, the card brands and your acquiring bank can impose penalties under your merchant agreement. There are so many good reasons to get PCI right.
You’ll Get Fined:
A breach that exposes failed PCI practices can bring card-brand fines of $5,000 to $10,000 or more per month until you are brought back into compliance. Those fines are levied on your acquiring bank, which passes them straight through to you. The card brands don’t want to absorb the fraudulent charges made with the stolen data either, so expect chargebacks, card-reissuance costs, and the bill for the mandatory forensic investigation to come your way as well.
Who doesn’t love an audit?
Depending on the size of your organization, regulators may already be watching you; the FTC has used its unfair-practices authority to pursue companies whose security failed, and a breach is exactly what draws that attention. Whatever your size, you will be dealing with your acquiring bank and the card brands, who typically require a PCI Forensic Investigator (PFI) engagement after a breach, and the largest merchants already owe an annual on-site assessment by a Qualified Security Assessor (QSA). The PCI Security Standards Council maintains the standard but does not audit or fine anyone; that is the brands’ and the banks’ job.
Damage Control is HARD:
These days the customer’s voice is loud. It is clearly heard and read by other customers around the world via social media, review apps like Yelp, bloggers, podcasts, and obviously every news site on the planet. The amount of money you spend on a PR firm mopping up after a data breach could easily equal some of the other horrors listed above.
OK, that’s enough frightening information for one post. By now you understand, you cannot shrug off protecting this data.
So how do I protect customer data?
Data breaches have shaken consumer confidence. Taking security seriously is the best way to establish and maintain your customers’ good feelings about you. PANs, Social Security numbers, birthdays, and lots of other personal details make a home in your company’s data storage. How do you protect your network? The best firewalls? Penetration testing? I had a childhood friend, we’ll call her Cleo (but she KNOWS who she is), who used to make sure nobody would eat her potato chips by promptly sneezing into her freshly opened bag. Gross, but Cleo was on to something. Of course we want to keep anyone from ever getting inside our vault and stealing these valuable nuggets of data, but sometimes thieves succeed. Is there something we can do to sneeze on our chips, so to speak, and make what they steal worthless?
Data masking—the art of redaction
Redaction is the act of blacking out the details that malicious parties come calling for: the card numbers and other sensitive data that give a stolen record its value.
If all the PANs, PINs, telephone, Social Security, and account numbers are surgically removed from your records, all a thief will ever gain after breaking in is a conversation depleted of its valuables. They’re after personal data they can exploit, sell, or both. When they get away with those details, they harm your customer, and your company suffers on multiple fronts: you’ve torched your customers’ trust, your government is investigating you, and your legal fees are gaining mass at a geometric rate. All because you didn’t think like Cleo. You should have removed the financial details from your calls, transcripts, backups, and so on. One caveat: PINs, CVV codes, and other sensitive authentication data may not be stored after authorization at all under PCI DSS, encrypted or not, so for those the goal is that they never land in the recording in the first place (muting or pausing capture while they are spoken), not that someone scrubs them later.
However, redacting all those details by hand is an immense task. It’s a job the data thief is willing to do to find exploitable data, so it can seem justified to pay an employee to sit and delete things all day. Unfortunately, that is nearly as much of a security risk as not redacting at all. Why? Humans, mostly. The unredacted data is on a screen, eyes are everywhere, and every workstation that handles it becomes part of your cardholder data environment. Customer conversations are best kept locked behind a door until they’re scrubbed clean, and that is a job best done automatically, as close to the moment of capture as possible. Whatever we use to redact should reach every location our vulnerable data rests in, and the scrubbed copy should be the only one that ever makes it into search indexes and backups.
PCI DSS and speech analytics
PCI compliance is one of those challenges where using artificial intelligence really pays off. Speech analytics continue to revolutionize the compliance industry. Call recordings used to be more of a necessary evil for legal accountability. Analytics have turned call recordings into a land of opportunity and they’ve also made leveraging the data inside them a much simpler task.
Back when PCI DSS was first published, digital documents represented the big PCI vulnerability. Optical character recognition plus pattern matching caught and eliminated PANs from scanned forms and faxes. But data thieves are clever, and every time an industry bolsters its security, thieves go back to the drawing board. We need a method of removing PCI data not just from digital documents but also from call recordings and transcripts. Done right, the digits are gone from every copy, audio, transcript, and backup alike, and the rest of the conversation is untouched.
Every time a speech analytics engine recognizes a digit sequence that looks like a PAN (the right length, and passing the Luhn checksum that card numbers carry), it can trigger another piece of software to strip that data for good: mute the span in the audio, mask the digits in the transcript, and make the redacted copy the only one that is stored. CallCabinet’s Atmos software, incidentally, folds all those functions into a single solution. The bright side is that none of the data removed for PCI compliance reduces the worth of the call recording itself. Your speech analytics can still track the emotion of the call, recognize trends in keywords and phrases, monitor call length, call silence, and more. You lose no value, while the thief gains none. Operational security is paramount when it comes to customer confidence. The customer doesn’t think they should have to worry about the security of the numbers they give you. Show them they’re right.
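The detect-then-redact step described above, as an added example written for this page (it is not CallCabinet’s or Atmos’s code, whose internals the post does not describe): it takes a word-level transcript with timestamps, as a speech-to-text engine would emit, finds runs of spoken or typed digits that form a Luhn-valid 13-19 digit number, masks them in the text, and returns the audio windows that must be muted so the same span disappears from the recording. The transcript, its timestamps, and the filler-word list are constructed for the example; PINs and CVVs, which must never be stored at all, would need their own rule and are not handled here.

```python
"""Added example, not CallCabinet/Atmos code: PAN detection and redaction over a
word-level call transcript, emitting masked text plus audio windows to mute."""
import re
from dataclasses import dataclass

# Spoken digits as a speech-to-text engine usually writes them out.
WORD_DIGITS = {"zero": "0", "oh": "0", "one": "1", "two": "2", "three": "3",
               "four": "4", "five": "5", "six": "6", "seven": "7",
               "eight": "8", "nine": "9"}
FILLERS = {"um", "uh", "er"}   # tolerated inside a digit run; muted along with it
PAN_MIN, PAN_MAX = 13, 19      # PAN lengths the card brands issue

@dataclass
class Word:
    text: str
    start: float   # seconds into the recording
    end: float

def luhn_ok(digits: str) -> bool:
    """Luhn checksum. Card numbers pass; most phone, account and ID numbers of
    a similar length fail, which keeps false positives (and over-muting) down."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def token_digits(text: str):
    """Digits carried by one transcript token ('four' -> '4', '4111-1111' ->
    '41111111'), or None when the token carries none."""
    t = text.lower().strip(".,;:")
    if t in WORD_DIGITS:
        return WORD_DIGITS[t]
    if re.fullmatch(r"[0-9][0-9 -]*", t):
        return re.sub(r"[^0-9]", "", t)
    return None

def find_pans(words):
    """Return (first_idx, last_idx, digits) for every span of tokens whose
    digits form a Luhn-valid PAN-length number."""
    hits, i, n = [], 0, len(words)
    while i < n:
        run = []                              # indices of digit-bearing tokens
        j = i
        while j < n:
            if token_digits(words[j].text) is not None:
                run.append(j)
            elif not (run and words[j].text.lower() in FILLERS):
                break
            j += 1
        if not run:
            i += 1
            continue
        # Search sub-spans of the run: a PAN can be spoken right after a phone
        # number or right before a CVV with no pause word separating them.
        a = 0
        while a < len(run):
            digits, matched = "", False
            for b in range(a, len(run)):
                digits += token_digits(words[run[b]].text)
                if len(digits) > PAN_MAX:
                    break
                if len(digits) >= PAN_MIN and luhn_ok(digits):
                    hits.append((run[a], run[b], digits))
                    a, matched = b + 1, True
                    break
            if not matched:
                a += 1
        i = run[-1] + 1
    return hits

def redact(words, keep_last=4):
    """Masked transcript text and the (start, end) audio windows to mute.
    Keeping the last four digits is within what PCI DSS allows to be shown."""
    masked = [w.text for w in words]
    mute = []
    for a, b, digits in find_pans(words):
        for k in range(a, b + 1):
            masked[k] = ""                    # drop every token in the span
        masked[a] = "[PAN ****" + digits[-keep_last:] + "]"
        mute.append((words[a].start, words[b].end))
    return " ".join(t for t in masked if t), mute

# Constructed sample transcript (not a real call): a phone number, then a card
# number spoken partly as words, partly as digit groups, with a filler inside.
SAMPLE = [
    Word("my", 0.0, 0.2), Word("phone", 0.2, 0.5), Word("is", 0.5, 0.6),
    Word("555", 0.6, 1.0), Word("0100", 1.0, 1.5), Word("and", 1.6, 1.7),
    Word("the", 1.7, 1.8), Word("card", 1.8, 2.1), Word("is", 2.1, 2.2),
    Word("four", 2.3, 2.5), Word("one", 2.5, 2.7), Word("one", 2.7, 2.9),
    Word("one", 2.9, 3.1), Word("um", 3.1, 3.4), Word("1111", 3.5, 4.0),
    Word("1111", 4.0, 4.5), Word("1111", 4.5, 5.0), Word("thank", 5.1, 5.3),
    Word("you", 5.3, 5.5),
]
```

Running `redact(SAMPLE)` on the constructed transcript yields the text `my phone is 555 0100 and the card is [PAN ****1111] thank you` and one mute window `(2.3, 5.0)`; the seven-digit phone number is left alone because it never reaches PAN length, and the filler word inside the card number is muted with it. The mute windows are what the audio pipeline applies to the recording before any copy is written to storage or backup, so the only surviving artifacts are the masked text and the silenced audio.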