The Coalfire Blog

Welcome to the Coalfire Blog, a resource covering the most important issues in IT security and compliance. You'll also find information on Coalfire's insights into the unique cybersecurity issues that impact the industries we serve, including Cloud Service Providers, Retail, Financial Services, Healthcare, Higher Education, Payments, and Government.

The Coalfire blog is written by the company's leadership team and our highly-credentialed security assessment experts.

Compliance Talk: Debt Collectors and PCI

May 06, 2013, Ken Ballard


As the largest IT audit and compliance advisor in the U.S., Coalfire is exposed to a wide variety of compliance concerns. In this series of Compliance Talk blogs, Dirk and Ken are back at their favorite coffee shop…the Bean and Berry in Louisville, Colorado. Over a couple of cappuccinos, their discussion turned to some of the data security aspects that are unique to debt collection companies.

Dirk, why is managing PCI compliance for debt collection companies one of Coalfire’s specialties?

Well, I do it because I’m still trying to get back that $10 you owe me for lunch last week!

Hey, I paid that back…didn’t I?

You never pay me back! Anyway, to answer your question, as you know, Coalfire supports call centers and has many large and small clients in that industry. Debt collectors are an extension of that, right? They are a specialized form of a call center.

So are their issues the same as any call center?
They generally have the same issues as any call center.  All the concerns around recorded conversations and whether those are searchable commonly apply to debt collectors.  But dealing with bad debt and collections brings in more security concerns.  In addition, some debt collectors are probably better thought of as debt buyers.  That is, they aren’t collecting debt on behalf of someone else and taking a percentage of the collection.  Rather, they buy the debt at a steep discount and then collect it.  That brings up other issues unique to that model, too.  

What kinds of issues do they both face?
Well, debt collectors work with a lot of credit card data in the debt itself.  Debt collectors frequently have a wide span of information about individuals, usually including details on several credit cards.  So, while call centers may have credit card data occasionally, depending on their business model, debt collectors usually have credit card data in almost every situation.  And frequently, the full-track data information is known, particularly for debt buyers.

Another interesting item is that the credit card number is often considered “dead” because of the bad debt.  That is, the bank will cancel the card and account.  PCI requires you to only protect active PAN (primary account numbers).

So they don’t have to worry about PCI?
You would think so, but what happens is that it’s possible that the bank may re-use that credit card number.  It’s amazing but banks typically won’t formally confirm that a number is permanently inactive.  So that pulls the company back into PCI compliance scope.  

It sounds like their PCI exposure is low then, right?
Well…keep in mind they have huge amounts of credit card data.  Virtually every account they are working on has credit card data.  So the risk exposure can in fact be high.  Because debt collectors often don’t know when a credit card number may be re-used, a best practice is to treat all credit card data as protected under the PCI requirements.  

Do debt collectors actually take credit cards as payment?
Depending on the business model, they might.  Generally not, though…which I think is another interesting concept in this business.  They have all this card data, but it’s not used for its primary function.  They really have it for historical evidence of how the debt was incurred.  Because the collection is inherently confrontational, the debt collector needs all the details at their fingertips as they work through the collection process with the individual, not to mention if they go to court.

Court?  Hmmm…that seems like it might bring up more concerns, right?
Yes, it does.  If a collection goes to court, it may become public record.  That messes up whether the card data is still protected.  Keep in mind that PCI regulations do not trump state law.  So we’ve seen a variety of conflicts over this.  We’ve also seen situations where a breach occurs at a debt collection company, and although they believe the card data is inactive, they still need to notify the consumer because of state law.   

So, PCI is just the beginning?
Exactly.  Depending on the nature of the data, there can be a lot more concerns over the PIFI (personally identifiable financial information).  We work with several collectors of student loans, which can bring up FISMA compliance concerns since they share information with the federal government.  And it goes beyond just the financial information.  A lot of our clients have Protected Health Information or PHI.  That’s a common cause…I think the most common cause…of debt problems, right?  That falls under HIPAA regulations.  The requirements are really tied to the nature of the data.  Large debt collectors have the most challenges because they get all sorts of data.  Smaller debt collectors may specialize in a particular industry and hence have fewer compliance concerns, but it’s not necessarily easier to manage.

Are there others in the debt collection world…service providers for example…that need to be concerned about this?
Absolutely for service providers. The same rules apply and they get more stringent all the time. We’ve seen that recently with the HIPAA Omnibus Rule, which definitely brings debt collectors under the HIPAA regulations as business associates. And it can go back up the food chain…which is a unique twist when it comes to risk management. The Consumer Financial Protection Bureau says that the originator of the debt is still liable for protection of the data, even though they may have sold it to a collector. So the risk can be very difficult to manage.

Wow…there’s a lot to it.  What recommendations do we have for our clients?
Well, like all of our clients, our debt collector clients span the range of size and complexity of data.  First, the client must identify the nature of the data and risk associated with the different data elements.  Second, access to the data must be tightly managed.  Because of the diverse nature of the data, we recommend that our clients treat all the data as protected.  But that doesn’t mean you can’t isolate the data and reduce the footprint.  

Isolate?  So lock it down like Fort Knox?
Exactly!  This can be done at the architecture layer and the application layer, and then limit who has access to which data elements.  As we mentioned, the sensitive data generally can’t be eliminated, but you can restrict access to it.  Most likely, collection agents don’t need full PAN, for example.  They would only need truncated or masked data.  Some applications do this reasonably well if the underlying architecture is handled correctly.  The full data is in a higher protection zone, making it extremely difficult for anyone to steal data in bulk.  

Once that exposure is limited, the compliance framework comes into play.  This is driven by best practices and the specific regulations.  Once the compliance framework is in place, the client can achieve compliance and get certified for the applicable regulations.

I know first-hand that many of our debt collector clients are seeing compliance now as a benefit, right?
They are.  Our clients are taking advantage of compliance to expand into new areas with a high degree of confidence.  For example, if you invest in complying with PCI, it doesn’t take much to extend that investment to the protection of PHI and HIPAA compliance.  We are seeing this more and more where a debt collector client builds their business by expanding into new data sets that other companies may shy away from.

Plus, good risk management means they sleep better at night, right?
We all do!  Speaking of risk, what about my $10?  I’m never going to see that again, am I?

Tell you what…I’ll pay for our coffee and we’ll call it even.  Thanks, Dirk…this has been fun and informative!
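The isolation advice in the conversation above (collection agents see only truncated or masked card numbers, while the full PAN lives in a higher protection zone) can be made concrete in code. The following is an added example written for this page; it is not Coalfire's code and is not from the original post. The `PanVault` class, its `tok_` token format, the `vault_operator` role name and the sample card numbers and call-notes text are all assumptions constructed for the example. The masking follows PCI DSS Requirement 3.3, which permits at most the first six and last four digits to be displayed, and the final function shows the detection side: scanning agent-zone text for full PANs that should never have left the vault.

```python
import re

# Added example (not Coalfire's code): PAN handling for a collections application.
# Two zones: agents see only a masked view (PCI DSS Req. 3.3 allows at most the
# first six and last four digits), while full PANs stay inside a vault object that
# stands in for the "higher protection zone". A scanner then checks agent-zone
# text (call notes) for full PANs that leaked out of the vault.
# Names (PanVault, tok_ tokens, role strings) and all sample data are constructed.


def luhn_valid(digits):
    """Luhn (mod 10) check used by card numbers; also enforces 13-19 digit length."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_pan(pan):
    """Strip spaces/dashes and reject anything that is not a well-formed PAN."""
    digits = re.sub(r"[ -]", "", pan)
    if not luhn_valid(digits):
        raise ValueError("not a well-formed PAN")
    return digits


def mask_pan(pan):
    """Agent-facing view: first six and last four digits, the rest replaced by '*'."""
    digits = normalize_pan(pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


class PanVault:
    """Stand-in for the higher-protection zone: full PANs never leave it except
    through a role-checked call, and the agent zone only ever holds tokens."""

    FULL_ACCESS_ROLE = "vault_operator"   # assumed role name

    def __init__(self):
        self._store = {}
        self._next = 1

    def store(self, pan):
        token = "tok_%06d" % self._next
        self._next += 1
        self._store[token] = normalize_pan(pan)
        return token

    def masked(self, token):
        return mask_pan(self._store[token])

    def full(self, token, role):
        if role != self.FULL_ACCESS_ROLE:
            raise PermissionError("role %r may not read full PAN" % role)
        return self._store[token]


# Digit runs of 13-19, optionally separated by spaces or dashes, not embedded in a longer run.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def find_unmasked_pans(text):
    """Detection: return full PANs found in free text that belongs to the agent zone.
    Luhn filters out account numbers and reference ids that merely look card-like."""
    found = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


# Constructed sample data: well-known test card numbers, not real accounts.
SAMPLE_PANS = ["4111 1111 1111 1111", "5555-5555-5555-4444"]
SAMPLE_NOTES = (
    "Spoke with debtor re: balance on card 4111 1111 1111 1111; "
    "promised payment by Friday. Internal ref 1234567890123."
)


def demo():
    vault = PanVault()
    tokens = [vault.store(p) for p in SAMPLE_PANS]
    agent_view = [vault.masked(t) for t in tokens]     # what a collection agent sees
    leaked = find_unmasked_pans(SAMPLE_NOTES)          # full PAN typed into call notes
    return {"tokens": tokens, "agent_view": agent_view, "leaked": leaked}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the agent zone holding only tokens and masked views (`411111******1111`), while the notes scanner flags the one full card number an agent pasted into free text; the 13-digit internal reference is ignored because it fails the Luhn check. In a real deployment the vault would be a separate service with its own audit log rather than an in-memory dictionary, but the division of responsibilities is the point of the exercise.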
