PCICompliance

What is the role of user authentication in PCI compliance?

Passwords Just Aren’t Enough
Password phishing has increased sharply, and more sophisticated phishing methods keep appearing. Passwords are clearly susceptible to attack, and agents cannot be relied on to follow best practice when storing and changing them, let alone to keep their PCs free of malware that can capture a password as it is typed.

Two-factor authentication (a password, something you know, plus a second factor, something you have or something you are, to prove the user's identity) is the new standard.

Regulatory Compliance
Regulatory agencies agree that passwords are a weak link and are requiring companies to implement stronger authentication, particularly for remote workers. Depending on the industries served by the call center, a number of regulations may require it to apply strict standards for authenticating users, including:
• Payment Card Industry Data Security Standard (PCI DSS)
• Health Insurance Portability and Accountability Act (HIPAA)
• FFIEC guidance, Authentication in an Internet Banking Environment
• Sarbanes-Oxley

Traditional Two-Factor Authentication Solutions
There are a number of two-factor solutions available, but most are difficult and costly to deploy and maintain for remote call center agents. Tokens and other security devices must be provisioned and mailed to remote agents, then replaced if lost or broken. Certificates are hard to support on hardware that the company does not own and maintain. Weaker methods, such as security questions, do not stand up to the scrutiny of a compliance audit.

Telephones As A Security Device?
A method of two-factor authentication that uses a simple phone call as the second factor is particularly well suited to remote call center agents. The agent logs in as usual with a user name and password, and their phone rings immediately. They answer and press # (or enter a PIN) to complete the login. If the agent receives the call when they are not logging in, that is a sign that someone else is using their user name and password: pressing the fraud-alert option blocks the login and alerts the I.T. team at the corporate office.

Because the second factor travels over a separate network (the public telephone network), security is significantly enhanced: an attacker who has phished the agent's password still cannot log in without also answering the agent's phone. In practice that means the attacker must compromise the phone channel too (for example by having the agent's number forwarded or the SIM reissued) or persuade the agent to press # on a call they did not start. Agents should therefore be trained to treat an unexpected call as an attack in progress and to use the fraud-alert option rather than confirming.
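The login flow described above, as an added example that is not the page's own code or any vendor's product: a server-side simulation in which the first factor (password) only rings the phone, and access is granted only by what the agent keys in on that call. The phone call itself is represented by a dialer callback, and the 60-second answer window, the `*` fraud-alert key and the sample agents are assumptions made for the example. Beyond what the text states, it also shows two checks a practitioner would expect: each challenge is single-use and bound to one pending login, and a fraud alert locks the account so the stolen password cannot be retried.

```python
# Added example: server-side simulation of the phone-callback login flow.
# Not a vendor's code. The call is a dialer callback; the 60 s timeout and
# the "*" fraud-alert key are assumptions made for this example.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional

CHALLENGE_TTL = 60      # assumed: seconds the agent has to answer and press a key
CONFIRM_KEY = "#"       # page: press # to complete the login
FRAUD_KEY = "*"         # assumed: key that reports a login the agent did not start


def _hash(secret: str, salt: bytes) -> bytes:
    """PBKDF2 for both passwords and phone PINs so neither is stored in clear."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


class Outcome(Enum):
    GRANTED = "granted"
    DENIED = "denied"
    EXPIRED = "expired"
    FRAUD_ALERT = "fraud_alert"


@dataclass
class Agent:
    phone: str
    salt: bytes
    pw_hash: bytes
    pin_hash: Optional[bytes]   # None: pressing # alone completes the login
    locked: bool = False


@dataclass
class Challenge:
    username: str
    created: float              # when the phone started ringing


class PhoneFactorServer:
    def __init__(self, dialer: Callable[[str, str], None]):
        self.dialer = dialer                        # places the call (simulated here)
        self.agents: Dict[str, Agent] = {}
        self.pending: Dict[str, Challenge] = {}     # challenge id -> unanswered call
        self.alerts: List[str] = []                 # what the I.T. team would receive

    def enroll(self, username: str, password: str, phone: str,
               pin: Optional[str] = None) -> None:
        salt = secrets.token_bytes(16)
        self.agents[username] = Agent(phone, salt, _hash(password, salt),
                                      _hash(pin, salt) if pin else None)

    def start_login(self, username: str, password: str,
                    now: Optional[float] = None) -> Optional[str]:
        """First factor. On a correct password, ring the agent's phone and return
        the challenge id; nothing is granted until the call is answered."""
        now = time.time() if now is None else now
        agent = self.agents.get(username)
        if agent is None or agent.locked:
            return None
        if not hmac.compare_digest(_hash(password, agent.salt), agent.pw_hash):
            return None
        cid = secrets.token_urlsafe(16)             # unguessable, ties call to login
        self.pending[cid] = Challenge(username, now)
        self.dialer(agent.phone, cid)
        return cid

    def answer_call(self, cid: str, keypress: str,
                    now: Optional[float] = None) -> Outcome:
        """Second factor: the key(s) the agent pressed on the phone."""
        now = time.time() if now is None else now
        ch = self.pending.pop(cid, None)            # single use, whatever the answer
        if ch is None:
            return Outcome.DENIED
        agent = self.agents[ch.username]
        if keypress == FRAUD_KEY:                   # agent did not start this login
            agent.locked = True                     # block the stolen credentials
            self.alerts.append(f"fraud alert: {ch.username} via {agent.phone}")
            return Outcome.FRAUD_ALERT
        if now - ch.created > CHALLENGE_TTL:
            return Outcome.EXPIRED
        if agent.pin_hash is None:
            return Outcome.GRANTED if keypress == CONFIRM_KEY else Outcome.DENIED
        if hmac.compare_digest(_hash(keypress, agent.salt), agent.pin_hash):
            return Outcome.GRANTED
        return Outcome.DENIED


if __name__ == "__main__":
    calls = []
    srv = PhoneFactorServer(lambda phone, cid: calls.append((phone, cid)))
    srv.enroll("agent42", "correct horse battery", "+1-555-0100", pin="4821")
    cid = srv.start_login("agent42", "correct horse battery")   # phone rings
    print(srv.answer_call(cid, "4821"))
```

The fraud-alert branch is checked before the expiry check on purpose: an agent who answers late and reports a call they did not start is still telling you the password is compromised, and the lock should happen regardless.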

Cost Savings
With phone-based authentication there are no devices, software, or certificates to deploy and maintain; it works with the agent's existing phone. Users need very little training and almost no ongoing support, which makes phone-based authentication significantly less expensive to set up and maintain than other two-factor solutions.