Who’s responsible for what? Data flow dynamic of payment card security

Data flow dynamic of payment card security

Last month, the Electronic Transactions Association (ETA), a global association which represents those in the payments space, announced a partnership with the PCI Security Standards Council (PCI SCC). This partnership brought the two together at TRANSACT 15, ETA’s annual conference, to present the industry with the most recent PCI DSS updates as well as focus the payments community on data breach prevention and payments security.

This kind of collaboration is critical when it comes to combining forces in order to conquer security and compliance. If you follow recent news headlines of the many breaches occurring at major merchants across the globe, it’s a fair assessment that we, as a whole, are failing miserably when it comes to security and compliance. The reason is simple – we are not taking responsibility for our part in PCI compliance.

The newest version of the PCI Data Security Standard (version 3.0), became fully effective on January 1, 2015. One of the major changes that in the updated version, is the clarification that payment card security is now a shared responsibility. An important thing to remember when it comes to PCI security is that the scope of the data flow is very important to the audit. Merchants have be absolving themselves of any responsibility by making broad claims that suggest that since they are using a solution that claims to be PCI compliant, they are “okay”. Meanwhile, the processors are saying it’s the merchant’s responsibility to make sure they have policies that properly govern their employees and are properly using the said solution. As you can see, responsibility has been vague, and it’s apparent that we can no longer operate that way in order to protect payment card information.

The card information flow begins with the consumer. Then the information is passed along to the merchant, then the payment processor, and finally on to the acquiring bank. Each of these parties have responsibilities along the way, and it has to be a cooperative effort by all parties involved, to ensure PCI compliance.

As clarified in January, your contractual obligations with third parties, payment processors, and vendors must now be very specific about which requirements each party is responsible for. Broad statements are no longer acceptable in your PCI audit. The recent breaches are calling for a higher level of security, and in order to accomplish this task we must all work together sharing the responsibility, and understanding the importance of applying security and compliance in every business aspect.

Are you doing your due diligence to ensure your part of PCI security? Contact us today to set up a free consultation or to talk more about your PCI security obligations.

5 Deadly Compliance Mistakes

1. Compliant ≠ Secure

One of the most troubling mindsets within an organization is “I’m compliant, ergo I’m secure.” Where compliance may be a good place to begin your “quest for security”, unless you look at your environment from a risk-based approach, and manage your environment based on the results of your risk analysis, you may be unpleasantly surprised when an outsider exploits a vulnerability found in your infrastructure. Simply checking off the boxes in order to fulfill a specific compliance requirement does not mean that you can sit back until the next audit period with the assumption your environment will remain secure and protected from any outside, malicious attacks. Maintaining security requires an ongoing analysis of business assets, and what you are doing to protect each of those assets. The best way to ensure both security and compliance is to include both in the initial business plan conversation as a two-way approach.

2. Not having a designated Compliance Officer

The role of the Chief Compliance Officer is on the rise as companies are beginning to understand the importance of designating an individual within the organization whose focus is on maintaining compliance with the constantly evolving regulatory landscape. With the sweeping realization that regulatory compliance is being more heavily enforced, many organizations are beginning to realize this may be a full-time job.

3. Thinking of independent audit as expense

The term “audit” has held a negative connotation in the business world for about as long as the word has been around. Words such as “burdensome”, “intrusive”, and “costly” may all be words we associate with an audit. It’s time for organizations to begin thinking of an independent audit not as an expense, but rather an investment. The fines that come along with non-compliance and/or data breaches will be much more costly and burdensome on your organization than being proactive about your compliance and security and planning an independent audit into your budget. Not only will you be able to validate your compliance, but having compliance audits already performed by an independent third-party auditor can also give you a competitive advantage when obtaining new business.

4. Scope mismanagement

Managing scope is critical to a successful compliance program. Understanding scope means understanding both business processes and how technology supports them. Business processes – such as the specific details as to what is asked over the phone in a call center and whether or not the entire phone call is recorded – play a significant role in identifying the technology that supports the business process. Once we’ve identified these applications and systems, it’s time to think about technical scope. Which system components store, process, or transmit the data in question? Which system components provide security services to the first group? Which system components are connected to (even if they don’t have to be) to the first group? With this information, we now know specifically where to apply all controls for a successful compliance program.

5. “Trust is a control”

In a perfect world, we would all undoubtedly trust anyone and everyone that we work with. Unfortunately, it’s important to remember that trust is not a control, and employees are humans, and humans make mistakes – intentionally or unintentionally. It’s okay to trust, but from a risk-based perspective, we must also verify. This is why monitoring, account permissions, access, and system configurations, are all among important controls that should be applied to your organization’s security posture.

Life’s a Breach

Cyberattacks and data breaches are things all business owners have learned to accept as a possibility. Breaches and hacks penetrate the headlines almost daily, and as technology continues to evolve, so do the ever-present threats associated with these types of risks. There are two sides to every breach, however. Prevention and recovery. You’re most likely already taking steps towards protecting your organization from the possibility of a breach, but have you planned what you will do to remain operable and minimize damages in the event that your environment is compromised? Experiencing a breach is disruptive, but fumbling the response is disastrous. Incident response plans are invaluable measures that should be taken by every organization, because let’s face it – controls can fail, implementation can fail, and consequently, incidents are bound to happen.

According to The SANS Institute, an incident is defined as an “assessed occurrence having actual or potentially adverse effects on an information system”.  Incident Handling is “an action plan for dealing with intrusions, cyber-theft, denial of service, fire, floods, and other security-related events.” Your Incident Response Plan should include appropriate policies and procedures that dictate to your organization what the immediate steps are following the detection of an incident. These steps may include containment, notification of appropriate personnel, reporting, eradication, and lessons learned.

There are six common stages of incident response that are important when developing your own Incident Response Plan. Take a look at the break down of the Six Steps of Incident Response, and ask yourself, “Are we ready?”

Six Steps of Incident Response

  1. Preparation: Advanced preparation is important when planning for a potential incident. Policies and procedures should be known and tested by management and all personnel to ensure that the recovery and remediation process will quickly address any and all incidents in a timely manner, resulting in the least amount of damage. Do you have the necessary tools and training to handle incidents before they actually occur?
  2. Detection and Identification: After the incident occurs, it’s important to ask yourself a number of questions. What kind of incident has occurred? Data theft? Insider threat? Network attacks? Once you’ve identified the type of incident that has occurred, it’s important to determine the severity of the incident in order to choose the best course of action according to your predetermined Incident Response Policy and Procedures. Are there any safety concerns for personnel that need to be considered? Has there been loss or exposure of data? Were any laws or contracts violated? What is the size of the impact area?
  3. Containment: In order to limit the impact of an incident, the containment phase of incident response is critical. Have the right people in your organization been notified? The faster the response time, the more likely it will be that you can reduce the damage of the particular incident. This may mean isolating the infected or compromised area to determine the best way to handle recovery. Do you have the right tools and personnel needed to handle the task?
  4. Remediation: At this stage, it’s time to resolve the issue and remove any malicious code, threat, personnel responsible for the incident, etc. Forensic analysis should be completed and logs kept throughout the remediation process. Will backups need to be implemented? What information security weaknesses need to be addressed at this time?
  5. Recovery: At this point, it’s time to get things back up and running and be sure that all company policies and procedures are effectively being implemented. Continuous, ongoing monitoring is important following remediation of an incident to be certain that it has been fully resolved and nothing threatening is lingering in your network. Continuous monitoring will also detect any suspicious behavior going forward.
  6. Lessons Learned: Compiling a detailed report of what happened and what was done as corrective measures is a good step towards ensuring the same incident will not occur again. Why did it happen? What could have prevented it? Does your security posture need to be updated to ensure similar incidents won’t happen in the future? Who does this information need to be shared with in order to make any necessary change to your security posture?

Preparation is just as important as prevention when it comes to securing and protecting your business. Don’t be surprised by an unexpected security incident. Develop and implement an Incident Response Plan, train your employees on what needs to be done to protect your business in the aftermath of an incident, and you will be able to reduce, minimize, and address damage caused by an unfortunate event.

Preparing for the CFPB: Vendor Compliance Management

According to CFPB Bulletin 2012-3, companies must “oversee” their vendors “in a manner that ensures compliance with Federal consumer financial law…The CFPB’s exercise of its supervisory and enforcement authority will closely reflect this orientation and emphasis.” An effective risk management strategy includes the assessment and monitoring of vendor compliance; in accordance with your company’s formally written policies and procedures. Today’s compliance program certainly involves an ongoing struggle in organizing vendor responses while monitoring and tracking reoccurring events and supporting documents.

In the past, managing vendor compliance contractually was adequate. Compliance risk and responsibility was effectively transferred to the service provider, and by doing so, compliance activity was kept at arm’s length. Today, the CFPB expects you to “oversee [your] business relationships with service providers in a manner that ensures compliance with Federal consumer financial law…” In other words, a full chain of custody is now necessary to ensure full compliance. In order for this to happen, an “effective process” must be in place. Simply put, you now have to check and validate they are actually what they say they do.

Who’s Responsible for What?

According to the CFPB, if you have “any person (e.g. service provider) that produces a material service to a covered person (i.e. you) in connection with the offering or provision by such covered person of a consumer financial product or service” then you are responsible for their compliance to all relevant CFPB requirements. This means the service provider is also responsible to the CFPB and no one gets a free pass.

Managing Vendor Compliance

When it comes to vendor management, there are two things you should be thinking about; you are both the auditor and the audited. When managing your own vendors, what are the necessary components of a Vendor Compliance Management Program?

What do you need?

  • List of policies and procedures
    • You will most likely have a policy that requires third parties to conduct compliance training and monitor employees who have consumer contact (UDAAP, FDCPA)
  • List of third parties to include activities performed
    • Do you maintain a list of your service providers that are involved in debt collection? Which of your vendors are consumer facing? Which of your vendors are storing or receiving consumer information?
  • Contracts with third parties
    • Ensure your contracts have clear definition of what your expectations are in regards to compliance with federal consumer financial protection law. Does it include consequences for violations?
  • Evidence of due diligence
    • Your policies and procedures say you require all vendors to perform training, but what evidence are you gathering that show you are proving this?

Your Vendor Compliance Management program is a piece of your overall Compliance Management System, which encourages you to collect information and documents you may need easy access to in order to demonstrate your compliance to the CFPB directly, or to one of your clients. The CFPB clearly dictates what you should be doing to manage your vendors.

Where do you start?

You know what you should be doing to demonstrate that you are monitoring your vendors, but how do you get the ball rolling and get the process going?

The best place to start is by performing a Risk Assessment for all third parties involved in the debt collection process. A Risk Assessment will help dictate the following:

  • Develop/enhance policies and procedures
    • What needs to be developed that is missing? What are you already doing that you need to enhance?
  • Continuous monitoring
    • How will you monitor to ensure your vendors compliance?
  • Remediation
    • What are you going to do to remediate issues if any are found? Will this mean possible termination of a vendor relationship if the risk is not worth it?

How much evidence is enough?

What information should you be gathering from your third parties to prove that you’re doing your due diligence and effectively monitoring them for compliance?

  • Vendor Policies and Procedures
    • Regulatory compliance & CMS Overview
    • Compliance training
    • Consumer complaints
    • Information Security posture
  • Types of Evidence
    • Training logs
    • Call recordings
    • Third party security reports
    • Performance reports
    • Audited financials

KirkpatrickPrice utilizes a unique online portal that is uniquely equipped to help you manage your own vendors. The Online Audit Manager is a tool designed to save you time by simplifying the vendor compliance management process, allowing you to:

  • Customize audit questions based on a number of compliance frameworks (SSAE 16, SOC 2, PCI DSS, FISMA, ISO 27001, HIPAA, CFPB, and more)
  • Track vendor progress and set deadlines
  • Approve, deny, or request further information per item
  • Establish reoccurring events based on the information you wish to receive annually, quarterly, monthly, etc.
  • Upload and attach files in support of the question or reoccurring event such as insurance certificates, licensing information, call recordings, policies and procedures, etc.
  • Utilize your own compliance staff to review the audit findings or let us do the work for you, online or onsite

If you are interested in learning more about this tool, contact us today to sign up for a free demo.

What Role Does Speech Analytics Play in Contact Center Compliance?

Collections contact centers and Accounts Receivables Management (ARM) firms face a constant challenge: maximizing payments while staying compliant and up-to-date with on new rules and regulations.  The ramifications of neglecting to do so can be severe: The latest WebRecon statistics show 3,204 consumers filed Consumer Financial Protection Bureau (CFPB) complaints against debt collectors in January 2015 and roughly 929 consumers filed lawsuits under consumer statutes during that same time period.

To address this challenge, contact centers can take advantage of speech analytics solutions to analyze thousands of hours of recorded calls and help mitigate risk.  The end result is not only improved contact center compliance but also increased recovery rates and better agent performance.

Here’s a closer look at the role speech analytics plays in contact center compliance:

  • Identify compliance risk:

    According to Bureau of Labor Statistics data, the debt collections industry is predicted to experience a 23% rate of growth between now and 2016. The data shows much of the increased demand for debt collection services will come from doctors’ offices, hospitals, and government agencies.

    Due to the resulting high volume of collections calls, staying within state and federal licensing laws will become increasingly critical for contact centers in the years to come.  Manual samples of recorded calls or contacts provides little to no prevention of non-compliant behavior or protection against litigation.  With speech analytics software in place, however, contact centers can reduce or eliminate fines or lawsuits associated with the CFPB and the Fair Debt Collection Practices Act (FDCPA).  Speech analytics also tracks abusive or risky language (from either the agent or the consumer) that can lead to potential violations.

  • Improve agent monitoring:

    Aside from eliminating compliance risk, speech analytics solutions also provide the indirect benefit of helping agents improve their performance. By using speech analytics, collections contact centers and ARM firms can uncover issue root causes and develop strategic recommendations to address compliance risks as quickly as possible.

    Because poor collector performance can represent significant risk to the organization, speech analytics reveals behaviors and activities that lead to successful collections, as well as those factors that may be contributing to negative agent performance.  Southwest Credit, for example, implemented speech analytics software in its quality assurance department to ensure new CFPB regulations were being adhered to a high percentage of the time.  With the software in place, agents and management teams now receive scorecards on a weekly and monthly basis that highlight the actions that can be taken to improve overall quality scores.

  • Increase recovery rates:

    By quickly identifying which agents are in need of training or require more grounding in compliance policies, speech analytics not only improves agent performance, but also increases promise to pay ratios. According to a Fico Labs article, speech analytics software for a leading debt recovery company revealed that agents failed to follow the company’s “ask for payment” process 60% of the time!

    With the Federal Reserve Bank of New York’s Household Debt and Credit Report showing that total household indebtedness across the U.S. is now $11.71 trillion, asking for collections payment is more important than ever.  Add to that complexity that approximately 30 million Americans have at least one debt in collections and it’s easy to see that making strides to increase recovery rates isn’t something that should be taken lightly.

Final Thoughts

Contact center agents working in collections face a unique set of challenges with potentially serious ramifications. Fortunately, speech analytics solutions can help by analyzing thousands of hours of recorded calls, resulting in improved compliance, increased recovery rates, better agent performance, and more.

How has your collections contact center used speech analytics for improved business outcomes?

An earlier version of this blog appeared on CallMiner.

About The Author

Jason Napierski is a Product Marketing Manager for CallMiner and authors much of the company’s thought leadership content, including white papers, case studies, and other articles on technology trends and contact center best practices.