PCI compliance means meeting the Payment Card Industry Data Security Standard (PCI DSS), the set of requirements established to ensure that everyone who processes, transmits or stores credit card information does so securely. Merchants are assigned a merchant ID (MID). The PCI compliance standards were launched in 2006 to help manage the changes taking place in the industry, with a focus on improving the security of account information in the payment processing system. An independent body manages and administers the PCI DSS, but it is the responsibility of the payment acquirers and card brands to enforce compliance.
All merchants and organizations must comply with the PCI rules regardless of their size or how many transactions they process. In other words, the PCI DSS requirements apply to any merchant who accepts credit or debit cards as payment.
What is the role of user authentication in PCI compliance? It is more than just passwords. Password phishing is on the rise, and more sophisticated ways of obtaining passwords keep being discovered. Passwords are vulnerable to attack and cannot be relied upon on their own. Individuals are not diligent when it comes to setting, changing and storing their passwords. That has led to two-factor methods of authentication. A two-factor system uses a password together with a second, independent way to prove your identity.
Compliance bodies recognize that passwords are weak and are beginning to require businesses to adopt more secure authentication methods, especially for employees who work remotely. Many compliance regimes may be involved, including the PCI DSS, HIPAA (the Health Insurance Portability and Accountability Act), the FFIEC Internet Banking Environment guidance, and Sarbanes-Oxley.
A variety of two-factor authentication methods are available for PCI compliance. Many are very costly and hard to implement or maintain, especially for call centers using remote agents. Hardware tokens would have to be mailed to the remote agent and replaced if broken or lost. Certificates are difficult to support if the hardware is not owned or maintained by the company. And if you ever undergo a PCI compliance audit, security questions will simply not stand up.
An effective two-factor method, especially for agents in remote call centers, is a telephone call as the second factor. When the agent logs in with their username and password, their phone rings. When they answer, they must enter a PIN to complete the login. If the phone rings when they are not logging in, that is an indication that their login information has been compromised: IT can then be alerted to the compromise, the credentials reset and access restricted.
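The callback flow described above written out as server-side logic, as an added example for this page and not code from the original article. The phone call itself is a hook (`place_call`), and the account store, the password and PIN hashes, the challenge timeout and the alert list are constructed placeholders; a real deployment would store passwords with a slow, salted hash.

```python
import hashlib
import hmac
import secrets

CHALLENGE_TTL = 60       # seconds the PIN prompt on the phone stays valid
MAX_PIN_ATTEMPTS = 3     # wrong PINs before the pending login is abandoned


def _h(secret: str) -> str:
    # Demo-only hash; production code uses a slow, salted password hash.
    return hashlib.sha256(secret.encode()).hexdigest()


class PhoneCallbackAuth:
    # accounts: {username: {"pw": hash, "pin": hash, "phone": str, "locked": bool}}
    def __init__(self, accounts, place_call):
        self.accounts = accounts
        self.place_call = place_call   # hook that rings the agent's phone
        self.pending = {}              # challenge_id -> {"user", "created", "tries"}
        self.alerts = []               # events IT should act on

    def start_login(self, user, password, now):
        # Stage one: password. No phone call is placed unless the password is right.
        acct = self.accounts.get(user)
        if acct is None or acct["locked"] or not hmac.compare_digest(acct["pw"], _h(password)):
            return None
        cid = secrets.token_urlsafe(16)
        self.pending[cid] = {"user": user, "created": now, "tries": 0}
        self.place_call(acct["phone"], cid)
        return cid

    def complete_login(self, cid, pin, now):
        # Stage two: the PIN typed on the phone, bounded by a timeout and attempt count.
        ch = self.pending.get(cid)
        if ch is None or now - ch["created"] > CHALLENGE_TTL:
            self.pending.pop(cid, None)
            return False
        ch["tries"] += 1
        if hmac.compare_digest(self.accounts[ch["user"]]["pin"], _h(pin)):
            del self.pending[cid]      # challenge is single-use
            return True
        if ch["tries"] >= MAX_PIN_ATTEMPTS:
            del self.pending[cid]
            self.alerts.append(("pin_guessing", ch["user"]))
        return False

    def report_unexpected_call(self, cid):
        # The phone rang but the agent was not logging in: treat the password as compromised.
        ch = self.pending.pop(cid, None)
        if ch is None:
            return False
        self.accounts[ch["user"]]["locked"] = True
        self.alerts.append(("credential_compromise", ch["user"]))
        return True
```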
As a security control this method is quite strong because the second factor travels over a separate public system, the telephone network. To compromise it, an attacker would have to control both the agent's internet connection and their phone at the same time, which is highly unlikely.