Howard Fuhs

PCI DSS, Policies and Security Awareness in Call Centres

Considerations for Certification of Call Centres according to the Data Security Standard of the Payment Card Industry

Copyright (C) 04/2008 by Howard Fuhs


As companies increasingly handle their customer communication and business processes through call centres, it is not surprising that this economic sector reports significant growth year after year. Whether it is for marketing purposes, customer relationship management (CRM) or taking orders, the communication between customer and company is routed through a call centre.

In some cases call centres come into contact with sensitive data which must be protected. In this article I would like to take a look at the problem of handling sensitive credit card data / cardholder data in a call centre environment. According to the Data Security Standard of the Payment Card Industry, credit card data is especially worthy of protection. The standard applies to all companies, areas, systems and persons that process, store or transmit credit card data, and it covers not only digital systems but also printouts, receipts, etc., as well as physical storage locations where credit card data are kept.


The PCI Security Standards Council (PCI SSC) is an open supranational organisation, which is responsible for the continuous development, improvement, dissemination and implementation of security standards aiming at the protection of credit card data. The PCI SSC was founded by American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International and, with this backing, it represents almost the whole credit card industry.

Its duties and objectives are the definition and development of the PCI Data Security Standard as a common basis for the security programs of VISA and MasterCard, and the prevention of theft and misuse of credit card data. This also leads to a significant increase in the general security level of the credit card industry and a reduction of liability risks.

The Payment Card Industry Data Security Standard (PCI DSS) consists of 6 control objectives which contain 12 requirements with approx. 160 guidelines.

Objective / No. Requirement

Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software
  6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
Maintain an Information Security Policy
  12. Maintain a policy that addresses information security

The certification requirements for merchants and service providers depend on the volume of processed transactions and on the number of credit cards accepted, and are graded into levels. There are 4 levels for merchants and 3 levels for service providers.

Practical considerations

While the PCI DSS provides a clear code of practice on the technical side, the human side needs special consideration. Once all technical measures are in place, all that is needed to fulfil the standard is regular control that the implemented security functions are working properly. With the technical side solved, staying compliant takes no more than a few hours of control activities per month.

The human factor in a call centre causes more problems when it comes to security. Usually a lot of people work in a call centre, and if the call centre provides 24/7 availability, they work in 3 or 4 shifts per day. Furthermore, staff turnover is higher than in the average workplace, as the working stress is high and the wages are low. So one may well say that the weakest link in the call centre security compliance chain is the human being.

To cope with that problem, two things need to be established: policies which are easy to teach and understand, and proper, regularly repeated security awareness programs as job training before new employees get in touch with their first customer.

Security Awareness Program

Every call centre agent has to attend a security awareness program as a mandatory part of their education. This can be a lecture or an online course. At the end of the awareness program a short exam must be passed. In all cases it must be documented that the agent has successfully completed the security awareness program. The training must be repeated on a regular basis: it should begin upon hire, and the interval between two security awareness programs should not be longer than 1 year.


Policies are a two-edged sword for maintaining information security in an organisation. If they are written well, they can be used to educate employees about the company's stance towards information security. On the other side, policies provide legal cover, since every employee has been informed of his daily duties in information security and all their legal implications. This requires employees to acknowledge in writing that they have read and understood the company's information security policy.

Policies must be written in a way that a non-technical person is able to understand the policy and its intention. This means the policies must be written in plain language and must be short. It is a fact that huge policy books will not be read, and not even noticed, by users, as they are daunted by the wording and the size. It is no problem to boil policies down to a user-friendly wording and size; products which provide ready-made policies to solve that problem are already available on the market. Furthermore, the policies should be divided into three categories: for users, for technical administrators and for management. It is obvious that policies for technical administrators are quite uninteresting for the average user, and the same goes for management-specific policies.

With a mandatory security awareness program and security policies written for specific target audiences it should be possible to cope with the obstacles caused by human behaviour on the way to PCI DSS compliance.



Fuhs Security Consultants
All Rights reserved!