Like any business executive, Dominic Leide, President of BPO provider The Office Gurus, wants his company to deliver services at a consistently high level of performance. For a BPO dealing with payment processing there is one clear avenue to prove that a company’s operational fundamentals are well in place and that a merchant delivers a secure service: the PCI Level 1 certificate. The company recently received its certification for its office in Belize though it has had PCI Level 1 certification at its El Salvador office for two years.
The Payment Card Industry Data Security Standard certificate, administered by the Payment Card Industry Security Standards Council, is a premier certificate that demonstrates a company can meet strict guidelines around data handling and security.
Its 200 requirements, split across 12 sections of controls and multiple subsections, cover issues ranging from the cardholder data environment (CDE) to how controls are handled in an Agile versus Waterfall project development model, while more practical issues such as merchant agent access to data are also considered. Its four compliance levels accommodate different sizes of organizations – from Level 4, intended for clients that process fewer than 20,000 credit card transactions annually, to Level 1, for companies that process over 6 million card transactions per year – and though The Office Gurus (TOG) is not yet reaching the number of transactions required for the top level, the recognition the certificate offers should help raise the ceiling for the size of clients TOG can take on.
“The technology investment required, as well as the cost of the auditor, equates to hundreds of thousands of dollars,” explained Leide.
The Starting Point
Jason Kafer, a Data Security PCI DSS expert and independent consultant, says the PCI Level 1 journey always begins with the self-assessment, the SAQ D. “The self-assessment is the initial step for companies looking to obtain PCI Level 1 certification,” he explained. “It is effectively a list of yes or no questions. For example, whether the company has firewall rules in place to restrict traffic to the minimum level required and, if so, if those rules are reviewed on a biannual basis. It boils down to three themes: policy, procedure and evidence. This is what an auditor will be looking for.”
Companies that are going through the certification for the first time use either a Quality Security Advisor (QSA) or an independent auditor. “QSAs or auditors go through the company’s policies related to PCI controls, then ask about the procedures in place around them, and then for evidence to prove that the company does as it says,” said Kafer. “If the auditor finds problems early on they will dig and dig and dig. The job can then become more complex, as the auditor could suspect their client’s compliance with the controls will get worse as they go further down the control list.”
In Kafer’s experience, clients are split broadly into three categories. There are those that have strong policies but may not be great at following them, and therefore the evidence is weak. Others might have strong system administration and development teams that produce great procedures, but the policies are not there. And others have neither.
The SAQ D is time-consuming and thorough. The Office Gurus’ discussion and preparation for the certification of their San Salvador office took almost two years, including the self-assessment. From an agent perspective, the company already did all it could by following PCI guidelines, including being paperless, restricting access to the operational floor with fingerprint scanning, disabling all USB ports and controlling the agent environment through web filtering. But ICT staff and agent training, the updating of security software and carrying out penetration and ethical hacking tests all took their time.
“The process to cross the I’s and dot the T’s with the auditor took well over a year at our San Salvador center. This was after a decade of having followed all of the PCI compliance policies,” said Leide.
The process of checking and cross-checking evidence against policy and procedures also requires a huge amount of communication between auditor and client. That is why on-site audits often take three days to a week. Part of the reason for this is the flexibility that PCI guidance offers on some controls but not on others.
For some controls, like those regarding firewalls, evidence could be a sign-off sheet from a system administrator or a JIRA ticket that shows the ticket was opened, the rules were reviewed, and the ticket was closed, explained Kafer. There are a variety of ways to satisfy such controls, depending on the technology the merchant has in place. But other controls are set in stone and offer no room for error.
Kafer: “Some controls are clean cut and do not allow for interpretation. An example would be the rule that the public-facing network of the company has to be scanned by a PCI-approved scanning vendor (ASV). The only evidence accepted here would be the scan results from an ASV that show scanning is done quarterly.”
PCI and Work From Home
According to Kafer, everything revolves around the CDE, the ‘network’ that the client data flows through. If, for example, the servers where client data is stored are not located at the same site as the employees, then the attention of the QSA is unlikely to remain fixed on the on-site space – they will be more concerned about the physical security of the data center. “There is a whole section on vendor management,” said Kafer. “The auditor will look at the AOC (Attestation of Compliance) to ensure it meets physical controls for the PCI audit, but most data centers today have them.”
However, if work from home agents are inputting card data onto their home computers or have access to any client data on their home computers then each one of those computers comes under the CDE scope. “The scope now changes to consider how the company maintains anti-virus and anti-malware software on each home computer, how they ensure the latest security patches are installed or how they manage access to that data if an agent is terminated. If the agents themselves do not have access to that information then they are not part of the CDE scope,” said Kafer.
Working from home remains a major part of The Office Gurus’ operations, with 100% of employees in El Salvador returning to their homes at one point last year. The company took steps to ensure that its agents did not have access to sensitive card data, and even though the agents did not fall within the scope of the CDE, company procedures around access to data were tightened.
David Estrada, IT director at TOG, explained that the company undertook a number of strategies to guarantee cardholder security. One particular innovation was partnering with one of El Salvador’s major ISPs to set up a direct, dedicated connection between the company’s network and each agent’s home.
“We have made major investments in both hardware and software in order to provide a secure and reliable work from home solution for our agents and clients. In addition to the dedicated Internet connection we also invested in MikroTik routers, noise elimination software, and small UPS devices. All are configured first at our on-site facility before making their way to agents’ homes,” he said.
For Leide, the time and expense the PCI Level 1 certificate requires have been worth the effort, even though, as he explained, not many clients initially understand the difference between being PCI certified and simply compliant. “But once they understand that difference they realize it is a substantial distinction. Our client partners appreciate the investment we have made in terms of security, and it is one of the many things that separates us from other call centers.”