
GDPR and Payments

December 12, 2019 / March 17th, 2020

Affecting Contact Centres

The GDPR (General Data Protection Regulation) aims to strengthen and unify data protection around personal data. It comprises 99 articles intended to give customers confidence that businesses can process their data while keeping it safe in terms of storage and use. It replaces the Data Protection Act in May 2018.

Failure to comply with the GDPR's requirements for protecting customers’ personal data can result in serious consequences for organisations, including fines of up to £20 million or 4% of turnover (whichever is greater) in the case of a data breach or the failure to report one within 72 hours.

So What Does This Mean For Contact Centres?

Over and above the impact that the GDPR will have on general areas of a business, with regards to capturing, storing and transferring data, it has serious implications for taking payments and call recording.

Data security will need to be at the heart of any new project or system that a contact centre is considering implementing and, likewise, all existing software within the contact centre needs to be audited so that personal data is handled correctly.

In particular, if your contact centre processes payment card transactions then these details need to be protected accordingly. This is where separate legislation, the Payment Card Industry Data Security Standard (PCI DSS), becomes important.


The Relationship Between the GDPR and the PCI DSS 


Both PCI DSS and GDPR intend to improve customer data protection. PCI DSS focuses on payment card data while the GDPR focuses on personally identifiable information. However, even though there is notable overlap, there are significant differences in terms of how the two are phrased.

The good news for organisations that are already PCI DSS compliant is that the GDPR is less prescriptive than the PCI DSS. The GDPR lays out what organisations need to do but does not spell out precisely how. In contrast, PCI DSS specifies both what needs to be achieved and how it should be achieved, laying out a clear methodology and providing regular updates for achieving card data security.

Protecting Customers and Staff

The greatest data protection risk for a contact centre is agent handling of data, whether due to mishandling of card details or infiltration by organised criminal groups. The cost of training and educating your staff on the risks involved can be invaluable, along with the implementation of technology which completely removes sensitive card data from the scope of your contact centre agents.

Remember that the buck stops with the merchant to ensure PCI DSS compliance and the same will be true for GDPR. It’s impossible to simply hand responsibility over to a third party; it is the responsibility of an organisation to identify how it manages data. However, taking a lead from PCI DSS and working with the right people can go a long way towards compliance and low-stress adjustment.

Like PCI DSS compliance, the responsibility for GDPR cannot be entirely taken out of the hands of the contact centre. However, the amount of effort required can be dramatically reduced by working with a PCI-DSS Level 1 trusted partner. A trusted provider can ensure that you are compliant in the contact centre and it’s a great place to start your GDPR project.

Our Solution

Our expert telecommunication and software developers have created PayGuard®, making processing card payments simple and secure for customers and for staff. By ensuring that agents, and in fact the entire organisation, are out of scope in terms of PCI compliance, this technology helps a contact centre’s GDPR plan.

When making a payment over the phone via PayGuard®, a customer enters their payment details via the telephone keypad to complete the transaction. While the contact centre agent is aware the transaction is occurring (and can still engage with the customer if required), they are not able to see or hear the card data at any stage, removing the insider threat risk posed by the agents. Additionally, with no payment data on site, the contact centre’s obligations regarding PCI DSS are significantly reduced, leaving just one of the 12 requirements in scope for the merchant: requirement 12, “maintain a policy that addresses information security”.