Cloud innovation boosts card data security

Cloud innovation is enabling businesses to access a secure, cost-effective means of protecting sensitive card payment data

Cloud innovation is enabling a wide range of businesses to access a secure, cost-effective means of protecting sensitive card payment data.

Banks, utility companies and contact centres in particular are facing the increasing challenge of enabling card payments over the phone, while at the same time ensuring customer data is secure.

Specifically, businesses involved in card transactions need to meet the requirements of the payment card industry data security standard (PCI DSS) as well as increasingly onerous data protection regulations.

This has typically required costly dedicated on-premise systems that are either unable to cope with peak demands or are largely under-utilised during quiet periods.

Software development firm Cognia sought to solve these problems through innovation around its existing cloud-based call recording and analysis service that was initially developed for the financial sector.

In terms of European Union and US regulations, all voice calls relating to trade dealing and other financial transactions have to be recorded and monitored for potential insider trading.

The company combined a range of tools and services provided by Amazon Web Services (AWS) with its own network management and monitoring technology to support phone payments.

This new functionality was added to the existing capability to provide real-time monitoring and content analysis of calls and generate alerts for specific words and phrases.

This functionality enables call centre operators to monitor and score agents on whether they have conducted the call according to specific guidelines.

Cognia worked with a qualified security assessor (QSA) to ensure that the resultant service achieved PCI DSS Level-1 compliance.

The QSA identified specific security issues that had to be addressed in the virtual environment to demonstrate end-to-end security control.

“This demanded things like bespoke recoursing and additional auditing that had to be put in place to satisfy the QSA that the process is compliant,” said Nick Hills, vice-president of technology at Cognia.

The bulk of the requirements, however, were met by building the service on the PCI DSS-compliant infrastructure.

This means that any organisation using the service no longer has to worry about around 90% of the PCI DSS security controls that they would otherwise require if using on-premise systems.

This includes section 9, one of the most onerous of the 12 sections of PCI DSS, that covers hardware security and physical access controls at datacentres.

“When taking credit card information over the phone, there is a huge number of procedural and technical controls you have to adhere to,” said Hills.

“By enabling customers to use their phone keypads to enter their card details, that data is never presented to the call centre or the agent,” he said.

In turn, AWS absorbs most of the responsibility for the physical processing environment, leaving Cognia free to concentrate on building their application and ensuring its integration with AWS is PCI compliant.

All that remains of the PCI DSS controls for call centres to worry about are procedural, such as what due diligence they have done to ensure that Cognia’s service is PCI DSS compliant.

Instead, the data is passed directly to the payment processing company, thereby removing most of the burden of PCI DSS controls from call centres.

It also means that organisations can scale their capacity up and down according to requirements, paying only for the capacity they need and use, cutting the cost of on-premise systems by as much as 80%.

The economies of scale associated with cloud computing means small businesses can also afford to access secure voice services for recording, analysis and payment processing.

Read more on Cloud security