How to Protect Tenants’ Data

The National Audit Office has reported that crime targeting ‘card not present’ (CNP) transactions in the UK last year rose to over £506 million and represented 75% of all card fraud.  This is set to increase to £680 million by 2020.  

Some major, household names such as British Airways (£183m fine) and Marriott Hotels (£99m fine) have been subject to significant data breaches in the past 12 months.  Even for these well-resourced organisations, protecting sensitive data properly presents significant challenges and failure to do so can result in huge fines.  Potentially any organisation taking card payments over the telephone, web or mobile app, are at risk.

The Payment Card Industry Security Standards Council (PCI SSC) is a global authority that develops, improves and promotes understanding of the standards for payment security.   If you are a merchant that accepts or processes payment cards, then the Payment Card Industry Data Security Standard (PCI DSS) applies to you.

So how can organisations comply and address the growing risk of CNP crime in order to keep customers’ data secure?

Firstly, it is important to recognise that the moment card information enters the organisation you’re at risk from attack.  Criminals target the weak links which can include rogue agents, PCs, mobile devices, servers, recorded data storage, transmission of data to partners or remote access connections. Therefore, step one to secure data, is to understand where your organisation is vulnerable and where card holder data is held.

The second stage is to fix areas of vulnerability and secure business processes.  This is an ongoing and detailed process which needs to include: operating secure networks and systems, maintaining a vulnerability management programme, implementing strong access controls, regularly monitoring and testing networks and systems and maintaining an information security policy.

Thirdly, assessments and remediation must be documented.  Compliance reports must be submitted to the acquiring bank and the card brands you do business with.  However, box-ticking keeps no-one safe.  Even if your software is Payment Application Data Security Standard (PA-DSS) certified, it does not absolve your organisation from overall PCI DSS compliance as it only applies to software and not organisations. You still need to make sure that the remainder of your contact centre is PCI DSS compliant.

The challenge is that security is difficult to maintain, and often in-house resources are not sufficient to face the constantly evolving threat.  Therefore, the best strategy is to remove the threat from the contact centre environment by keeping the data out completely.  If there is no data to steal within your environment, then criminals will not pose any risk to your organisation or tenants.

Outsourcing everything to a compliant contact centre will achieve PCI DSS compliance but this can be costly.  A more economical alternative is technology which allows all sensitive data to bypass your systems and people completely.  The right solutions can avoid sensitive card data from being heard or seen by your agent and from being stored on your systems.  The best ones are cloud based so can be deployed without any changes to your systems at all.

A new free guide has been launched to help organisations that handle payment cardholder information which covers the often-complex subject of PCI SSC compliance in more depth and some of the solutions available to keep sensitive data out of the contact centre.

To download the free guide, please visit:

By Simon Cook, Head of Compliance, allpay Ltd

Simon Cook, Head of Compliance, allpay Ltd has worked at payment specialist allpay for almost 17 years and has extensive experience of developing and leading compliance, security and risk management functions throughout an enterprise.