Utility Week - authoritative, impartial and essential reading for senior people within utilities, regulators and government
Issue link: https://fhpublishing.uberflip.com/i/1200609
UTILITY WEEK | 17TH - 23RD JANUARY 2020 | 29
Customers | Market view

It is often assumed by businesses that the Payment Card Industry Data Security Standard (PCI DSS) is something that only the retail sector needs to worry about, but this is far from the truth. All businesses that handle credit card data in any format – in shops and stores, online or even over the phone – need to be conscious of their responsibilities.

Utility providers depend heavily on contact centres which handle vast volumes of customer data, and this means they should be fully aware of the flow of personal information through their telephony, desktop and back end fulfilment systems. PCI DSS compliance and safeguarding of customers' personal details must be a priority as they move forward.

As we head into a new decade, the threat of a data breach is greater than ever. PCI DSS compliance is still the most effective way utility providers can prevent this and is a great foundation towards meeting other data compliance requirements, such as GDPR (General Data Protection Regulation).

There are 12 main requirements laid out, relating to how a business processes sensitive cardholder data, allowing businesses to form a logical checklist of requirements from which they can work to build good habits and achieve compliance.

The first part of the process is to accurately map out the flow of credit card data through the organisation. For contact centres, this will include spoken card details passing through IT networks and telephone platforms (including call recording systems), the contact centre agent desktop environment and back end processing/CRM (customer relationship management) systems. This flow of card data is called the CDE (card data environment) and each individual item within it needs to be analysed to ensure it is as secure as possible.
Build and maintain a secure network

General IT security obviously applies to PCI DSS compliance and this includes installing and maintaining a firewall configuration to protect cardholder data. Businesses must always remove vendor-supplied default passwords, and ensure firewalls and network switches are fully patched to be running the latest firmware.

PCI DSS has strict rules on which items of credit card data can be stored and how this stored data must be protected. For instance, the three-digit security code on the back of a credit card cannot be stored post-authorisation: all traces must be removed from an organisation's systems. It's vital to protect stored cardholder data and encrypt the transmission of cardholder data across open, public networks so even if the worst happens and systems are hacked into, no data can be read.

Maintain a vulnerability programme

Organisations should ensure they have developed and continue to maintain secure systems and applications at all times, ensuring any vulnerabilities are patched as soon as possible. Compliance with PCI DSS rules requires year-round adherence, patching known software vulnerabilities within one month of an official patch being released by the manufacturer. Surprisingly, the Verizon Payment Security Report 2019 found that only 36.7 per cent of organisations actively maintained PCI DSS programmes throughout 2018, a drop of around 20 per cent on 2017 figures.

Employees should have access only to the data they need and this should be tightly controlled. Access to sensitive data, such as cardholder information, should be available only on a need-to-know basis. All system components should be secured using identity authentication and physical access to cardholder data needs to be restricted.

Regularly monitor and test networks

An organisation's networks should be regularly tested – including both security systems and processes – to ensure they are as secure as possible.
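The storage rules above (no security code retained after authorisation, stored cardholder data protected, card numbers kept out of systems that do not need them) translate into a few concrete checks. The Python below is an added example written for this page; it is not code from the article or from PCI Pal, and the record layout, field names, sample transcript and function names are all constructed for the demonstration. It masks a PAN to its first six and last four digits (the most PCI DSS v3.2.1 requirement 3.3 allows to be shown), drops the security code before a record is written to a CRM or fulfilment system, and scans free text such as call-recording transcripts or agent notes for digit runs that pass the Luhn check, which is the usual way to spot card numbers leaking outside the CDE.

```python
"""Added example: cardholder-data handling checks in the spirit of PCI DSS.
Record layout, sample values and function names are constructed for this demo."""
from __future__ import annotations

import re

# Sensitive authentication data that must never be retained after authorisation.
FORBIDDEN_AFTER_AUTH = {"cvv", "cvc", "security_code", "pin", "track_data"}

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or hyphens.
PAN_CANDIDATE = re.compile(r"(?:\d[ -]?){13,19}")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by card schemes; filters out most non-card digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits only (PCI DSS v3.2.1 req. 3.3 upper bound)."""
    digits = re.sub(r"\D", "", pan)
    if not (13 <= len(digits) <= 19) or not luhn_valid(digits):
        raise ValueError("not a plausible PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_unmasked_pans(text: str) -> list[str]:
    """Scan free text (call transcript, agent note, log line) for digit runs that
    pass the Luhn check, i.e. probable real card numbers outside the CDE."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def sanitise_for_storage(record: dict) -> dict:
    """Build the post-authorisation record that may be written to CRM/fulfilment.
    The full PAN is replaced by its masked form and sensitive authentication data
    (security code etc.) is dropped rather than copied across."""
    kept = {k: v for k, v in record.items()
            if k not in FORBIDDEN_AFTER_AUTH and k != "pan"}
    kept["pan_masked"] = mask_pan(record["pan"])
    return kept


def storable(record: dict) -> bool:
    """Guard to run before any write: refuse records that still carry forbidden
    fields or any value that looks like an unmasked PAN."""
    if FORBIDDEN_AFTER_AUTH & set(record):
        return False
    return not any(find_unmasked_pans(str(v)) for v in record.values())


# Constructed sample data: 4111 1111 1111 1111 is a well-known scheme test number.
SAMPLE_RECORD = {
    "cardholder": "A Customer",
    "pan": "4111 1111 1111 1111",
    "expiry": "12/24",
    "cvv": "123",
    "auth_code": "A1B2C3",
}
SAMPLE_TRANSCRIPT = (
    "Agent: can I take the long number? Caller: 4111 1111 1111 1111. "
    "Agent: thanks, your account ref is 1234567890123 and the auth code is A1B2C3."
)

if __name__ == "__main__":
    print(sanitise_for_storage(SAMPLE_RECORD))
    print("raw record storable:", storable(SAMPLE_RECORD))
    print("PANs found in transcript:", find_unmasked_pans(SAMPLE_TRANSCRIPT))
```

The Luhn filter is what keeps the transcript scan useful: the 13-digit account reference in the sample fails the checksum and is ignored, while the spoken card number is flagged. In a contact centre the same scan would run over call-recording transcripts, agent notes and application logs, which is where card data most often ends up outside the systems mapped as the CDE.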
These requirements were conceived to give businesses a solid overview of how they can go about protecting themselves and their customers, but the most fundamental place to start is to limit the amount of data that is handled in the first place. If a business doesn't hold or process the data, it isn't liable for its protection. So de-scoping contact centres from the requirements of PCI DSS should be a prime objective.

It is also a good idea for everyone within the organisation to understand PCI DSS and what comes with it – it should not be kept to a few senior management and IT faces. Ultimately, if everyone is pulling in the same direction, data security is much easier to maintain.

PCI DSS compliance isn't optional; it is a standard and must be maintained. Failure to comply carries with it a number of consequences. Do bear in mind, therefore, that while compliance with the PCI DSS is an obligation, it is far more than just ticking a few boxes to remain in good standing. It is about building trust with customers and guaranteeing the success and profitability of an organisation for the long term.

Geoff Forsyth, chief information security officer, PCI Pal

Securing card payments
Utilities handle vast amounts of customer data, including that of credit cards, so compliance with the Payment Card Industry Data Security Standard is crucial, says Geoff Forsyth.

"Keep only the data you need to keep and delete the rest"