The onsite assessment, which must be completed by a PCI QSA (Qualified Security Assessor), will validate compliance with the twelve requirements set forth in the Payment Card Industry Data Security Standards. The PCI DSS requirements are designed to provide increased controls around data and its exposure to compromise.

The Solution:
Before choosing PhoneFactor, Regis had struggled with the difficulty of using tokens and other two-factor methods. Their non-technical users found these solutions challenging and the IT department was spending far too much time supporting them. Regis wanted a turnkey solution for remote access that would be easy for their non-technical users to manage and minimize back-end support needs.

It was also critical that Regis fill the gaps in their PCI DSS compliance. One of those was section 8.3 requiring two-factor authentication. PhoneFactor’s quick and easy implementation made checking off this requirement painless for Regis.

Using PhoneFactor has already affected the way business operates at Regis. “It’s no-hassle security, and has reduced the complaints to the Help Desk about access issues,” said Joel Wiens, Vice President of Information Technology for Regis. “It has worked just as we hoped and was an easy transition.”

In fact, Regis noted numerous benefits by switching to PhoneFactor’s two-factor solution:

• Decreased Deployment Timeframe: Deploying to a remote audience can be challenging. Regis rolled out PhoneFactor quickly, first as a pilot and then through their normal ongoing cycle of hardware and software updates.
• Increased User Response/Adoption: Regis users found PhoneFactor to be much more convenient than fob-based tokens. In fact, it was so easy that they trained their staff via memo only.
• Ongoing Reduced Costs: With PhoneFactor, there is virtually no maintenance for the IT staff at Regis, significantly reducing their total cost of ownership.
• Increased Security: Regis recognizes the absolute need for two-factor. In addition, PhoneFactor’s instant fraud alerts provide much needed additional protection. This feature is even recognized in Regis’ official incident response plan.
• Easy Expansion: PhoneFactor makes roll-out to additional users simple. And Regis plans to evaluate PhoneFactor for additional uses within their organization.

Heartland recently announced that it expects to take a significant loss in Q3 resulting from more than $12.6 million dollars in fines from Visa and Mastercard, legal fees, and administrative costs. Given that 65% of the cost of a typical data breach is due to lost business from new and existing customers, none of which is included in the $12.6M figure, this may be just the tip of the iceberg for Heartland.

Pained over the cost of compliance? It’s nothing compared to the cost of a breach. Ask Heartland.

Two-factor authentication (using a password, something you know, plus a second method, such as something you have or something you are to prove a user’s identity) is the new standard.

Regulatory Compliance
Regulatory agencies agree that passwords are a weak link and are requiring companies to implement stronger authentication, particularly for remote workers. Depending on the industries served by the call center, a number of regulations may require them to apply strict standards for authenticating users, including:
• Payment Card Industry Data Security Standards (PCI DSS)
• Health Insurance Portability and Accountability Act (HIPAA)
• Authentication in an Internet Banking Environment Guidance (FFIEC)
• Sarbanes-Oxley

Traditional Two-Factor Authentication Solutions
There are a number of two-factor solutions available, but most are difficult and costly to deploy and maintain for remote call center agents. Tokens and other security devices must be provisioned and mailed to remote agents then replaced if lost of broken. Certificates can be hard to support on hardware that is not company-owned and maintained. Weaker security methods, like security questions, don’t stand up to the scrutiny of a compliance audit.

Telephones As A Security Device?
Particularly well suited for use with remote call center agents is a method of two-factor authentication that uses a simple phone call as the second form of authentication. The agent logs in just like they normally would with a user name and password, and instantly their phone rings. They answer and press # or enter a PIN to complete their login. If the agent is not logging in when they receive a call, they know that their user name and password have been compromised and can press the fraud alert option to block access and alert the I.T. team back at the corporate office.

Because the second factor of authentication occurs across a second network (the public telephone network), there is a significantly enhanced level of security. Both the agent’s internet connection and the public telephone network must be compromised simultaneously in order for the attacker to gain access using the agent’s account.

Cost Savings
With phone-based authentication, there are no devices, software, or certificates to deploy and maintain – it works with the agent’s existing phone. Users require very little training and almost no ongoing support – making phone-based authentication significantly less expensive to setup and maintain than other two-factor solutions.

Control Objectives PCI DSS Requirements

The standard is maintained by the Payment Card Industry Security Standards Council, which maintains both the PCI DSS and a number of other standards, such as the Payment Card Industry PIN Entry Device security requirements (PCI PED) and the Payment Application Data Security Standard (PA-DSS).

Validation of compliance can be performed either internally or externally, depending on the volume of card transactions the organisation is handling, but regardless of the size of the organisation, compliance must be assessed annually. Organisations handling large volumes of transactions must have their compliance assessed by an independent assessor known as a Qualified Security Assessor (QSA), while companies handling smaller volumes have the option of self-certification via a Self-Assessment Questionnaire (SAQ). In some regions these SAQs still require signoff by a QSA for submission.

The Business Challenge:

West At Home, a division of West Corporation, is the nation’s leading provider of outsourced communication solutions. They are based in the Midwest, but have thousands of agents across the United States that work from home taking calls from consumers – processing orders or providing customer service and support to West clients from a wide range of industries, including retail, healthcare, communications, and travel/hospitality. This means that any information that the agents enter into their computers via their remote network must remain secure to protect the consumer’s personal and payment information, which required compliance with the PCI Data Security Standards. West, like many call centers, faced certain challenges in maintaining this security.

• Strict Industry Regulations: Because agents often take credit card information, West had to follow industry regulations like PCI DSS, which requires two-factor authentication to secure access to networks where credit cards are processed or stored. But depending on the particular industry focus the agents had at any time, they might also have to comply with HIPAA or FFIEC regulations, among others.
• Use of Personal Computers: Because these agents work from home on their own equipment, requiring users to install software or certificates on their personal computers would require a material amount of IT support and ongoing maintenance.
• Employee Turnover: The call center industry typically experiences a heavy turnover. Any solution had to be one that was easy for the home agents to implement, and very streamlined for West IT to deploy and maintain.

The Solution:

PhoneFactor understood West At Home’s issues. Our secure two-factor authentication service provides everything they need while using the agent’s best tool of the trade – their phone.

• Easy setup and deployment – No tokens to mail or certificates to install
• Rapid compliance with PCI, FFIEC, HIPAA and other industry regulations
• Instant integration with leading remote access products
• Centralized user management leveraging their existing Active Directory

PhoneFactor integrates with West’s existing systems, enabling rapid setup and deployment. And because it synchronizes with their Active Directory, provisioning and managing users is seamless. PhoneFactor is so easy that training is accomplished through an automated email. And PhoneFactor is significantly cheaper than other two-factor solutions on the market that meet the compliance guidelines necessary for West.

“The PhoneFactor solution gives us the strong two-factor authentication that we need to meet the industry’s strict regulatory requirements. PhoneFactor fit all of our requirements and gave us a great alternative to costly security token solutions.” – Rachel Roberts, Information Services Project Manager, West Corporation

Hosted by James Hilliard for TechRepublic and featuring guest speakers Steve Dispensa, Data Security Expert, CTO and co-founder of PhoneFactor and Bernie Rominski, IT Security Officer at Regis Corporation, the world’s largest operator of hair salons, this Webcast will explore the challenges of meeting compliance requirements, particularly those related to user authentication. Join the Webcast to learn:

• The basic history of and requirements for PCI DSS compliance
• The unique challenges companies face in implementing stronger user authentication
• How PhoneFactor, a simple phone-based two-factor authentication system, helped Regis enable rapid, cost effective compliance with two-factor requirements

Register Now for this Free PCI Compliance Webcast

First Name:		Last Name:
Phone Number:		Email:
Job Title:		Company:
Number of Employees:	---1-5051-100101-250251-10001001-50005000+	State
All fields are required.

The Council previously announced the summary of changes between version 1.1 and version 1.2 to ensure awareness of the coming latest changes to the standard. Version 1.2 includes clarifications and explanations of the requirements that improve flexibility to meet today’s security challenges and ensure organization’s can adequately comply with the standard. While version 1.2 does not introduce any new major requirements to the existing 12 in place since the Council’s inception, the updates do change some practices, such as the sun-setting of implementations of Wired Equivalent Privacy (WEP) wireless security by June, 2010.

“This latest revision to the PCI DSS is welcome news for merchants and service providers as they grapple with the latest security threats to their payment transactions systems,” said Diana Kelley, partner and analyst with SecurityCurve, a data security consultancy. “The clarifications and language revisions should go a long way in easing implementation questions and help to reduce compliance costs.”

Since the Council’s inception in Sept. 2006 and the release of version 1.1 of the PCI SSC, its Participating Organizations and Board of Advisors have been providing feedback on the standard, with global industry input into the revisions. This follows the established lifecycle process that will ensure that the PCI DSS standard is revised and updated on a two year cycle. Participating Organizations are given the opportunity to receive early drafts of all pending revisions to the Council’s standards and provide a bulk of the feedback during this process. PCI DSS version 1.2 was the primary discussion topic at the Council’s recently concluded and successful community meeting in Orlando, Fla., in which more than 500 attendees came together to begin the process of strengthening the standards even further.

“It is especially gratifying to know that version 1.2 of the PCI DSS is inclusive of global industry feedback,” said Bob Russo, general manager, PCI Security Standards Council. “This ensures that we continue to offer merchants and service providers a pathway to protect cardholder account data that is sensible and achievable.”

For More Information:
More information on the PCI Security Standards Council and becoming a Participating Organization please visit pcisecuritystandards.org, or contact the PCI Security Standards Council at participation@pcisecuritystandards.org.

About the PCI Security Standards Council
The mission of the PCI Security Standards Council is to enhance payment account security by driving education and awareness of the PCI Data Security Standard and other standards that increase payment data security.

The PCI Security Standards Council was formed by the major payment card brands American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. to provide a transparent forum in which all stakeholders can provide input into the ongoing development, enhancement and dissemination of the PCI Data Security Standard (DSS), PIN Entry Device (PED) Security Requirements and the Payment Application Data Security Standard (PA-DSS). Merchants, banks, processors and other vendors are encouraged to join as Participating Organizations.