Leveraging QSAs to be PCI DSS compliant from day 1 and beyond
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements designed to ensure that organizations that accept, process, store or transmit credit card information do so in a secure manner.
Organizations that need to store information for recurring billing, to comply with evidence-keeping regulations, or simply for quality assurance purposes need to select the most appropriate methods carefully to ensure compliance on all fronts. For instance, PCI DSS requires that systems do not store CVV codes (the three-digit verification code printed on the back of the card) and that cardholder data be stored securely.
Reports on compliance: are you concerned?
The task of ensuring that compliance is achieved is not as easy as pie!
Organizations that process more than six million payment transactions per year, or that have experienced a data breach in the past, are required to submit an annual report on compliance prepared by a Qualified Security Assessor (QSA). QSAs are external auditors certified by the PCI Security Standards Council who perform onsite audits to verify that the necessary controls are in place to meet the PCI DSS requirements: can the stored data be encrypted? If calls are recorded, what are the best practices to ensure that no sensitive data is captured?
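One concrete way to check the last question, as an added example that is not NICE's, Trustwave's or any QSA's code: scan retained call-recording transcripts for card numbers (Luhn-valid 13-19 digit runs) and for CVV values captured after an agent prompt, and report findings masked so the report itself holds no cardholder data. The transcript lines and the prompt wording are constructed for the example.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# CVV capture: an agent prompt for the code followed, within a few words, by 3-4 digits.
CVV_RE = re.compile(r"\b(?:cvv|cvc|security code)\b\D{0,40}(\d{3,4})\b", re.IGNORECASE)

def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check that every real card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list[str]:
    """Return Luhn-valid PAN candidates (digits only) found in the text."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found

def mask_pan(pan: str) -> str:
    """Keep only the last four digits, so the finding itself holds no PAN."""
    return "*" * (len(pan) - 4) + pan[-4:]

def scan_transcript(lines: list[str]) -> list[dict]:
    """Flag transcript lines that retain a PAN or a CVV; report masked values only."""
    findings = []
    for n, line in enumerate(lines, 1):
        for pan in find_pans(line):
            findings.append({"line": n, "type": "PAN", "value": mask_pan(pan)})
        if CVV_RE.search(line):
            findings.append({"line": n, "type": "CVV", "value": "***"})
    return findings

# Constructed sample transcript; the card number is a public test PAN, not a real account.
SAMPLE = [
    "Agent: I have your account pulled up, thank you.",
    "Caller: the card is 4111 1111 1111 1111, expiry 12/27",
    "Agent: and the CVV on the back? Caller: 123",
    "Agent: reference 1234 5678 9012 3450 is your order id",  # fails Luhn: not a PAN
]
```

Running `scan_transcript(SAMPLE)` flags line 2 as a retained PAN and line 3 as a retained CVV, while the Luhn-invalid order reference on line 4 is left alone.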
The PCI DSS application security review report: a treasure map
The PCI DSS application security review report enables organizations in the procurement and planning phase to determine whether a system can be deployed in a manner that complies with PCI DSS. For organizations that already have a call recording solution, the document describes how the system should be configured and deployed in order to pass the periodic PCI DSS validations.
The application security review should cover the following:
- How the recording solution adheres to and works with PCI DSS and other regulations;
- The impact of the call recording system on each one of the PCI DSS requirements;
- The considerations that must be taken into account during implementation;
- For assessment purposes, the effect of the recording system on each of the PCI DSS requirements should be described.
Selecting a recording solution that has already successfully passed a PCI DSS application security review conducted by a QSA is beneficial at the procurement and deployment phase and saves time and resources for future periodic validations.
On the advantages of passing an application security review
At multiple customers, Engage, NICE's recording platform, processes cardholder data and other sensitive authentication data that are part of the cardholder data environment (CDE) and are thus within the scope of PCI DSS. As an advanced compliance solution provider, we wanted to determine the effects of our solution on our customers' compliance, and contracted an external security assessor, Trustwave. NICE's Engage was tested in a lab environment reproducing the typical configuration of a call center to determine the most appropriate configuration for adhering to the PCI DSS requirements.
The application security review process helped us understand how to better support the customers concerned, and it also offers multiple recommendations for our customers: from how to install and maintain the system, to how to protect data or strengthen security parameters. The application security review helped us assess our solutions, just as it helps Engage's users configure their system to adhere to PCI DSS, thus saving time and resources.
The dynamics of PCI DSS compliance
PCI DSS compliance requires organizations to conduct an initial compliance validation as well as regular ongoing ones. Namely, once an organization's components and processes are in compliance, it is still required to demonstrate adherence to the standard through an annual self-assessment, or through an annual report on compliance conducted by a QSA, depending on the merchant level.
The results of these assessments are reported to the payment card brands, which rely on them to confirm ongoing compliance. Non-compliance can lead to massive fines and have a disastrous impact on a company's reputation, with a crippling effect on the business's bottom line.
Compliance is an ongoing task that requires robust, future-proof solutions. In this respect, NICE endeavors to proactively monitor regulatory changes and work closely with industry experts, QSAs, and organizations subject to PCI DSS to understand their pain points and design recording solutions that ensure compliance throughout each stage of the compliance validation process. NICE's real-time pause and resume solutions, as well as our end-to-end encryption solution and hardening kit, have been certified by Trustwave to guarantee that our dedicated PCI DSS compliance offering delivers on its promises from day one and beyond.