What security software / firewall to use for agents making sales calls

penguinbc

Sep 2, 2007
So I have a group of agents who make outbound sales calls to prospects and take credit card orders over the phone (Hosted third party VOIP) and I want to make sure that we are covered as far as security goes.

Right now I just have Norton setup on all the machines with the firewall turned on, and they are all on windows 7 limited access accounts and cannot install anything. I also have them set to auto-update windows and the security software with real time scanning on.

I want to make sure I am doing everything the right way and want to be PCI-Compliant. Is there better security software I should be using for the machines? Should I buy a physical firewall as well? Right now it is just a few agents but I will be expanding to more soon. I want to get it setup the right way before I have a dozen or so agents already.

I'm thinking eventually with more agents I would have them all plugged into a decent switch, that is plugged into a good physical firewall that has the T1 line plugged in. I'm guessing I would also have good security software installed on all the machines, but I am not sure what the common security software is for call center/credit card order taking environments. Any help or specific recommendations would be greatly appreciated, I know there are quite a few people here who have experience in this.

Are you storing the credit cards? Are you storing recorded phone calls with people saying their credit card number? If so, you're going to have a ton of stuff to do before you could make it PCI-compliant. Depending on the level you're going after, you probably need it hosted in at least a SAS70 certified facility (so machines are secure from a physical breach), the cards need to be encrypted on a database that is not accessible from the internet, firewall logs need to be verified every 12-hour period, physical firewall and physical machines (meaning no virtual machines), only certain employees have online access to the servers, latest patches on all servers, and the list goes on and on.

No storing of credit cards and no storing of recordings, it's all a hosted VOIP solution. Uses a secure website to process the orders.
 
Firewall is useful, but won't help you protect the data. You need a Data Loss Prevention (DLP) solution. It should be installed on individual systems, then managed centrally via policies that fit your environment. For instance, it won't allow credit card and related data to be sneaked out via email, web, USBs and the like. Antiviruses are good, but they are always chasing the next malware - reactive. For sensitive data, you need that extra layer, DLP.



Yep - the Watchguard does DLP at the router. But you still need endpoint security to stop people sticking stuff on USB sticks.

For that we used Safend Endpoint Security

Watchguard + Safend = pretty solid security protection.
 
I appreciate the responses.

Close supervision is really big with me as well because despite having all the software and hardware in place, it still does not prevent employees from writing down information.

With close supervision and the above mentioned recommendations I am pretty confident I should be going in the right direction.

Thanks