Confusion over the requirements and future direction of the Payment Card Industry Data Security Standard (PCI DSS) has caused some U.K. organisations to shelve their efforts while they seek clarification.
The latest meeting of the PCI DSS UK User Group, held in London on November 5, revealed a high level of frustration among organisations grappling to meet the complex, and often unclear, requirements of the standard.
Members of the group, who asked not to be identified by name, said their efforts were made all the more difficult because the card schemes themselves -- primarily Visa and Mastercard -- applied the rules in different ways. Furthermore, the advice of different Qualified Security Assessors (QSAs), who are supposed to provide definitive advice and auditing services, is often inconsistent.
One member complained that when version 1.2 of the standard was introduced in October 2008, it was like starting "with a blank sheet of paper," with much of the earlier work wasted. And with version 2.0 of the standard due for release next October, many members said they were hesitant about committing further effort to the task when the rules might change again.
One attendee said the matter had been debated in Prague the previous week at the meeting of the PCI Security Standards Council: "People were asking whether they should be putting in end-to-end encryption or going for tokenisation, but the answer was 'watch this space.' The advice was to hold off on any decision for a while, but how can you do that if you need to be compliant?"
The head of PCI DSS compliance for one global company complained: "The costs [of becoming compliant] are spiralling. There always seems to be an opportunity to pay an extra fee to someone for some extra advice."
One high street retailer revealed that its PCI DSS compliance efforts had "ground to a halt last year" because it was unable to get clear guidance. "It's a bit of a mess. We got 60% done, but the last 40% is a bit of a nightmare," an attendee said.
A member from a large consumer goods company made a similar point: "We are far from being compliant. The last 20% to 30% is very complex," he said. "Different QSAs say different things, and give different advice."
Another complained that the different card schemes applied the standard in their own way, and this resulted in much duplication of effort on behalf of the merchants.
And a member from one large organisation revealed, to the astonishment of the group, that its acquiring bank had assured the company that it did not have to be PCI DSS compliant.
PCI DSS compliance in call centres
The main purpose of the meeting, which included members from banking, government, hospitality and retail, was to hear how call centres are affected by PCI DSS.
Call centres routinely record their calls, and those recordings become a liability under PCI DSS if they capture the customer reading out full card details over the phone, including the security code. The standard prohibits storing the card security code at all once a transaction has been authorised, even in encrypted form, and a recorded full card number brings the recording system, and everything that can reach it, into scope.
Graham Thomas, sales director for Semafone Ltd., described a variety of methods that companies could use to avoid the problem. The most basic would be to have call centre agents pause the recording while the customer reads out his or her three-digit security code, but he admitted that this was unreliable, since it depends on the agent remembering to do it, and that most recording systems were outside the control of the individual agents anyway.
Another option would be not to ask for the three-digit security code, but that would incur greater charges from the card companies.
Much more feasible approaches included:
- Passing the customer to an interactive voice response (IVR) system when it comes to giving their card details, so that the agent and the recorder never hear them.
- Generating 'white noise' on the recording at the point when the agent asks for the card details.
- Having the customer key in their details on the telephone keypad, with the DTMF tones masked before they reach the recording. The agent hears only a flat tone, the recording contains only that flat tone, and the digits themselves go to the payment system; the customer also avoids reading out their card details in what might be a public place.
- Using a cloud-based service: here the call centre diverts the caller to the service, with a reference number and the amount due, and the customer then keys in their card details there. This way, the merchant removes that part of the call from its own systems and so from the scope of its PCI DSS assessment.
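To show what the keypad-entry approach actually buys, here is an added example, not code from the article or from Semafone: a minimal in-band DTMF masker. It assumes 8 kHz telephony audio in 20 ms frames, detects keypad tones with the Goertzel algorithm, overwrites every frame that carries a tone with a flat 400 Hz tone before the audio reaches the recorder, and hands the captured digits to a separate path for the payment system. The "call" it processes is a constructed signal of low-level noise standing in for speech plus keypad tones; the thresholds and the 400 Hz mask frequency are choices made for this example.

```python
import math
import random

# Assumptions for this example: telephony-grade audio and 20 ms frames.
SAMPLE_RATE = 8000           # 8 kHz, the usual rate on a phone line
FRAME = 160                  # 20 ms analysis frames
THRESHOLD = 200.0            # Goertzel power that counts as "tone present"
MASK_FREQ = 400.0            # the flat tone written over masked frames

# DTMF: each key sounds one low-group and one high-group frequency together.
LOW_FREQS = [697, 770, 852, 941]
HIGH_FREQS = [1209, 1336, 1477, 1633]
KEYPAD = [["1", "2", "3", "A"],
          ["4", "5", "6", "B"],
          ["7", "8", "9", "C"],
          ["*", "0", "#", "D"]]

def dtmf_tone(key, seconds=0.1):
    """Synthesise the two-tone signal a phone keypad sends for `key`."""
    for row, keys in enumerate(KEYPAD):
        if key in keys:
            f_low, f_high = LOW_FREQS[row], HIGH_FREQS[keys.index(key)]
            break
    else:
        raise ValueError("not a DTMF key: %r" % key)
    n = int(SAMPLE_RATE * seconds)
    return [0.5 * math.sin(2 * math.pi * f_low * i / SAMPLE_RATE)
            + 0.5 * math.sin(2 * math.pi * f_high * i / SAMPLE_RATE)
            for i in range(n)]

def goertzel_power(frame, freq):
    """Energy of `frame` at `freq` (Goertzel: a single DFT bin, no FFT)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / SAMPLE_RATE)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def detect_key(frame):
    """Return the DTMF key sounding in `frame`, or None if there is none."""
    low = [goertzel_power(frame, f) for f in LOW_FREQS]
    high = [goertzel_power(frame, f) for f in HIGH_FREQS]
    r, c = low.index(max(low)), high.index(max(high))
    # Both tones of a pair must be clearly present; speech and noise are not.
    if low[r] < THRESHOLD or high[c] < THRESHOLD:
        return None
    return KEYPAD[r][c]

def extract_keys(samples):
    """What a recorder, or anyone holding the recording, can read back."""
    keys, current = [], None
    for start in range(0, len(samples) - FRAME + 1, FRAME):
        key = detect_key(samples[start:start + FRAME])
        if key is not None and key != current:   # one entry per key press
            keys.append(key)
        current = key
    return "".join(keys)

def mask_dtmf(samples):
    """Capture keyed digits and overwrite every tone frame with a flat tone.
    Returns (masked_audio, captured_keys): the audio goes to the recorder and
    the agent's headset, the keys go only to the payment system."""
    masked, captured, current = list(samples), [], None
    for start in range(0, len(samples) - FRAME + 1, FRAME):
        key = detect_key(samples[start:start + FRAME])
        if key is not None:
            if key != current:
                captured.append(key)
            for i in range(start, start + FRAME):
                masked[i] = 0.5 * math.sin(2 * math.pi * MASK_FREQ * i / SAMPLE_RATE)
        current = key
    return masked, "".join(captured)

def build_call(keys="1123#", seed=1):
    """Constructed input, not a real call: 200 ms of noise standing in for
    speech, then each key tone (100 ms) followed by a 40 ms gap."""
    rng = random.Random(seed)
    def noise(n):
        return [rng.uniform(-0.05, 0.05) for _ in range(n)]
    audio = noise(int(SAMPLE_RATE * 0.2))
    for key in keys:
        audio += [t + n for t, n in zip(dtmf_tone(key), noise(int(SAMPLE_RATE * 0.1)))]
        audio += noise(int(SAMPLE_RATE * 0.04))
    return audio

if __name__ == "__main__":
    call = build_call()
    masked, digits = mask_dtmf(call)
    print("recorder sees before masking:", extract_keys(call))          # 1123#
    print("payment system receives:     ", digits)                      # 1123#
    print("recorder sees after masking: ", repr(extract_keys(masked)))  # ''
```

The check worth keeping from this is the last line: run the same DTMF decoder over the audio that actually reaches the recorder and confirm it yields nothing. That is the evidence an assessor will ask for, and it only holds if the masking sits in the live audio path in front of the recorder and the agent's headset; scrubbing tones out of recordings after the fact means the card number has already been stored.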