Agile Payments has been supplying various types of payment-related tools for 20+ years, and one of those tools is Interactive Voice Response, which allows companies to collect payments over the phone using automated IVR payment technology.
Recently we retained Ernest Park of Airius Internet Solutions for assistance in security documentation and consulting around an IVR system that we supply to clients around the globe. Ernie is a cyber security expert who has experience with both PCI compliance and HIPAA compliance, assessing technology-based platforms and providing those platforms with direction towards addressing their security concerns. You can read more about Ernie from his LinkedIn page and website.
Following are some questions around security topics that surround payments within the use of an IVR technology tool and Ernie’s answers.
Q (Agile Payments): There are a number of platforms, and not just as it relates to IVR, that tout themselves as “PCI Certified.” Because there is no governing body that issues PCI certifications, what are those companies really referring to?
A (Ernest): Compliance is based on the “honor system”. Certain types of PCI certification require a certified assessor to validate. Security management is more about a management practice, not a point in time. The honor system is appropriate for these kinds of transactions. Additionally, clients should update their own PCI certification or SAQ following configuration of an IVR payment proxy. In this case, the certification obtained will define the requirements. Since the IVR payment proxy is merely a service framework, the cardholder data is never directly requested by the IVR service provider. The client uses the framework to access the data in a manner compliant with security and information security requirements.
Validated compliance is a process by which a PCI qualified security assessor audits a given technology platform. A client who uses an IVR payment gateway may need to update PCI certification with a qualified security assessor.
Q: You recently created quite a number of Policy documents surrounding the IVR solutions that we provide to our clients and prospective clients. What is the importance of these policy documents as it relates to a given client of Agile Payments?
A: It is important to understand risk and what it means to a business. Policies express how a business will consider operating conditions. PCI aligns loosely with ISO standards and the risk domains. An operation that has policies defined within specific domains has taken the time to understand those things that are important to the operations of the business, those things that can impact that business, and the steps that are being taken to accept risk, mitigate threats, resolve impacts and reduce exposure.
Policies represent rules within which the business operates. While the rules may not always be adhered to exactly, the rules represent an awareness and define processes for observation.
Defined and implemented risk policies represent a maturity in operational management. Most businesses develop products and solutions, get them done, then reluctantly audit them for any apparent exposure. Proactive versus reactive risk management is a way to understand threats to an operation, threats imposed by vendors and service providers and threats that could be propagated to clients.
The process of defining current policies and auditing compliance to them increases awareness of those things that can impact the business, the exposure of sensitive data and the need to be aware of technology threats at all times. This awareness makes an IVR platform a better custodian and advisor to clients and helps them to understand how best to direct their use of IVR technologies while managing exposure.
Q: One of those policy documents was about Zero Knowledge Architecture (ZKA). Can you explain to the layperson, i.e., a business managerial type, what ZKA is and why it’s important or advantageous to be used within an IVR platform?
A: A hosting provider like an IVR platform cannot lose what they don’t have. A hosting provider does not need to protect what does not exist. The best practices for using the IVR platform recommend reducing requests for sensitive and cardholder data. It is better in practice to reference data only known to the client and the cardholder, and only ask for confirmation. If the complete data is required, this can be collected temporarily. The client is advised to dispose of this value immediately upon payment submission. By default, the session data is destroyed as soon as the session is terminated.
Zero Knowledge is an empty safe. To an external observer, the contents of the safe are worthless and not associated with anything specific.
A ZKA IVR architecture is designed to audit for unwanted sensitive information. While it is possible to request such information, such potentially sensitive data is filtered.
Clients are alerted that sensitive information is being requested.
A ZKA IVR framework never stores sensitive data and the IVR hosted framework does not have a searchable database.
Q: What should a prospective client be looking for when it comes to data security in an IVR platform that is used for collecting payment related data?
A: No storage of sensitive data. A ZKA IVR system’s infrastructure exceeds PCI standards in design and implementation. IVR payment transactions use carrier networks to send tones. These audio tones are converted to digital data. Critically important, a ZKA system converts the tones to data in an isolated process as the request is submitted to the payment processor.
The data associated with the cardholder can be held for the duration of the IVR session or optionally deleted and overwritten immediately upon submission. This means that the cardholder data exists on a single process, using temporary memory while the values are submitted for seconds before the information is irretrievably overwritten by design.
An IVR payment processor is a hosted service that facilitates communication between payer and payee. There should be no persistent data within the architecture and no information shared across processes. By having isolated execution and no shared memory, the IVR payment process only knows what is provided by the payer and payee during the session and nothing more.
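The two answers above describe three behaviours: prompts that ask for full cardholder data are flagged to the client, anything that looks like a card number is filtered before it can be logged or recorded, and the digits captured from the keypad live only in session memory and are overwritten once they have been handed to the processor. The following is an added illustration of that model, written for this page; it is not code from Agile Payments, Airius Internet Solutions, or any IVR product. The processor callback, the prompt wording check and the one-key-at-a-time DTMF input are all assumptions made for the example.

```python
# Added example (not the IVR platform's own code): session-scoped handling of card
# digits captured as DTMF keypresses, with prompt auditing and log redaction.
# Assumptions (hypothetical): the processor is an injected callback that takes the
# PAN as a string; keypad input arrives one key at a time and '#' ends entry.
import re
from typing import Callable, List, Optional

# 13-19 digits with optional space/dash separators, not embedded in a longer digit run.
PAN_RUN = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check, used only to decide whether a digit run looks like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def redact_pans(text: str) -> str:
    """Filter step: mask anything that looks like a card number (13-19 digits that
    pass Luhn) before the text reaches a log, a recording, or a screen."""
    def _mask(m: "re.Match[str]") -> str:
        raw = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(raw):
            return m.group(0)   # order numbers, phone numbers etc. are left alone
        return "*" * (len(raw) - 4) + raw[-4:]
    return PAN_RUN.sub(_mask, text)


class DtmfPaymentSession:
    """Keeps card digits only for the life of the session, in a mutable buffer that
    is overwritten in place as soon as the value has been submitted."""

    def __init__(self, submit_to_processor: Callable[[str], str]) -> None:
        self._submit = submit_to_processor
        self._buf = bytearray()            # mutable so it can be zeroed in place
        self.alerts: List[str] = []        # client-facing alerts (sensitive data requested)
        self.log: List[str] = []           # what the platform retains: never a PAN

    def audit_prompt(self, prompt_text: str) -> bool:
        """Flag a prompt that asks for a full card number rather than a confirmation
        of a value already known to the client and the cardholder (heuristic)."""
        asks_full_pan = re.search(r"\b(full|entire|complete|16.?digit)\b.*\bcard\b",
                                  prompt_text, re.I)
        if asks_full_pan:
            self.alerts.append("prompt requests full cardholder data: " + prompt_text)
            return True
        return False

    def keypress(self, key: str) -> None:
        """Collect one DTMF digit. Digits go only to the buffer; the log gets a placeholder."""
        if key == "#":
            return
        if not key.isdigit():
            raise ValueError("unexpected DTMF key")
        self._buf.extend(key.encode())
        self.log.append("dtmf:digit")

    def buffer_is_clear(self) -> bool:
        return len(self._buf) == 0

    def submit(self) -> Optional[str]:
        """Hand the PAN to the processor, then overwrite and drop the buffer.
        Note: the decoded str handed to the callback is immutable in Python and can
        only be dropped, not zeroed; the bytearray is what gets overwritten."""
        pan = self._buf.decode()
        try:
            if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
                return None
            result = self._submit(pan)
            self.log.append("submitted pan=" + redact_pans(pan))
            return result
        finally:
            for i in range(len(self._buf)):
                self._buf[i] = 0
            self._buf = bytearray()
            del pan
```

In use, `audit_prompt` would run over the call flow when a client configures it, `keypress` would be wired to the telephony stack's DTMF events, and `redact_pans` would sit in front of every log sink and transcript writer. The Luhn gate keeps the filter from masking ordinary reference numbers that happen to be 13 to 19 digits long.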
Q: Over the last week you have mentioned that “No Touch” Service Frameworks will be increasingly adopted in the near future. What advantage does this have for IVR payments related technology and what is it?
A: Concerns regarding diseases that spread in the air and through contact have increased demand for Low Touch and No Touch technology.
IVR provides a convenient way to conclude transactions between vendors and customers, healthcare providers and patients, sellers and cardholders. Customers can acknowledge transactions, confirm appointments, approve payments and interact with a business without touching public terminals or interacting face to face with representatives. The latest threats to health are forcing businesses to adopt creative ways to do business.
No Touch will be a standard. Businesses that allow their customers to quickly use an IVR interface to confirm a transaction will have an advantage. Customers need to interact with businesses. No Touch provides a way that customers and vendors can maintain a personal relationship considerate of disease fears and new regulatory conditions.
Q: You are now working on a Technology Innovation Program for IVR. Can you tell the readers what it is, what the benefits are and any background of where you have worked with it in the past?
A: The IVR payment framework offers compliance with existing and newer technology. Clients may require compliance with certain standards due to regional, legislative and contractual commitments. The IVR payment processor can assist the client (payee) in completing the audit as required for TIP and P2PE certification.
Technology Innovation Program - alternative to PCI-DSS favoring clients who transact at least 75% of payments through VISA. Requires secure transaction compliant with P2PE PCI standards, reduces ongoing PCI compliance and audit requirements.
P2PE PCI - Point-to-Point Encryption PCI. New data security standard.