It is quite common for PCI DSS compliance to be overlooked in call and contact centres, or for the people running them not to have a complete understanding of what it takes to become and remain compliant.
Call centres collect a lot of data as part of their customer service work, and much of it is bank account, personal and payment card details. It is therefore essential that any call centre which handles payment cards complies with the PCI DSS requirements.
Call centres which accept card payments over the phone may not be sufficiently prepared to implement the controls laid out in the PCI DSS. It is essential that they understand exactly what PCI DSS compliance is, how to achieve it, and the ramifications for the company if it is not met.
What is PCI DSS Compliance
PCI DSS (Payment Card Industry Data Security Standard) compliance is a company’s adherence to a security standard, first published in 2004, that protects consumers against misuse of the card details they hand over during a purchase (for example, having their credit or debit card details stolen). It is a contractual standard enforced through the card brands and acquiring banks rather than a law. The PCI DSS was created by five of the world’s largest card brands, Visa, American Express, MasterCard, JCB International and Discover Financial Services, which now maintain it through the PCI Security Standards Council.
Why is PCI DSS Compliance so Important?
PCI DSS compliance is required of any company which accepts payment cards or stores, processes or transmits cardholder data. Almost all businesses accept credit or debit cards as a form of payment, so the standard applies to almost everyone. Compliance reduces the likelihood of a breach and, should one occur and a customer’s card data be leaked, limits both the damage and the penalties the company faces, because the card brands and the acquirer will look at whether the company was compliant at the time. The five card brands also recognise businesses that are PCI compliant and actively promote good information security practice.
The Six PCI DSS Control Objectives (which group the standard’s twelve requirements):
- Build and Maintain a Secure Network: Companies which store, process or transmit cardholder data must protect it with properly configured firewalls and must not rely on vendor-supplied default passwords and settings.
- Protect Cardholder Data: Stored cardholder data must be protected (the PAN rendered unreadable by encryption, truncation, tokenisation or strong hashing, and sensitive authentication data such as the CVV never stored after authorisation), and cardholder data must be encrypted whenever it is transmitted across open, public networks.
- Maintain a Vulnerability Management Programme: Systems must be protected against malware with antivirus and related tools, and systems and applications must be kept patched and developed securely.
- Implement Strong Access Control Measures: Access to cardholder data is restricted to those with a business need to know, every user is uniquely identified and authenticated, and physical access to cardholder data is restricted.
- Regularly Monitor and Test Networks: All access to network resources and cardholder data is logged and monitored, and security systems and processes are tested regularly.
- Maintain an Information Security Policy: Companies must draw up, maintain and follow a formal information security policy that covers all personnel.
Why Call Centres Fail with PCI DSS Compliance
One of the key areas of focus for PCI DSS compliance is the call centre. Many companies still take a significant share of their payments over the phone rather than online, and a card number read out to an agent passes through the agent, the agent’s desktop, the telephony platform and any call recording, all of which then fall within PCI DSS scope.
A contact centre also faces the insider threat: the operator must protect customer data not only from outside attackers but also from rogue employees, and from staff who are blackmailed or otherwise manipulated by outsiders.
Commonly Used Methods of Compliance & Do They Work?
Pause & Resume
Pause & Resume is easy to implement, but on its own it does not make telephone payments PCI DSS compliant. It stops the card details being captured in the call recording, but the agent still hears and sees the full card number, so the method is wide open to manipulation by rogue agents, and the agent’s desktop, the telephony platform and the company network all remain in scope.
It is very hard to monitor and guarantee that the pause is applied correctly on every call, and the method does nothing to address the several hundred other detailed requirements in the standard. All of which leaves a business open to contact centre fraud.
Additional downsides of the Pause & Resume method include:
- Difficulties when you need to upgrade your telephone or IT systems.
- Pause & Resume is difficult to automate, so operators can forget to initiate the ‘pause’ (or to resume recording afterwards).
DTMF (Dual Tone Multi-Frequency) Payments
Another common method of securing customer data over the phone is dual tone multi-frequency (DTMF) masking. The customer keys the card number on their telephone keypad and the tones are intercepted by a secure, locally hosted or cloud-hosted platform that sits on the call path. The platform passes the digits to the payment processor while the agent hears only flat tones and sees only masked characters, so the card number never enters the agent’s environment and the agent, the desktop and the call recording drop out of scope.
The problem for call centres is that while DTMF masking has been widely adopted, some callers are unable to use a keypad, which means call centres can struggle to comply for around 5% of the population.
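The following Python is an added example, not PayGuard’s or any vendor’s code, and models the DTMF masking flow described above. The tone table is the standard DTMF frequency grid; the customer’s keypad, the masking platform and the agent’s view are simulated in-process; the payment processor is an assumed in-memory stand-in for the real gateway; and the card numbers fed in are constructed test numbers. The point it makes is structural: the agent leg only ever carries placeholders, the platform validates the number and hands it to the processor, and nothing card-shaped remains on the contact centre side afterwards.

```python
import secrets

# Standard DTMF grid (ITU-T Q.23): each key is one low-group plus one high-group tone.
ROW_HZ = [697, 770, 852, 941]
COL_HZ = [1209, 1336, 1477, 1633]
KEYPAD = ["123A", "456B", "789C", "*0#D"]


def decode_tone(low_hz: int, high_hz: int) -> str:
    """Return the key for a detected (low, high) tone pair, or raise."""
    if low_hz not in ROW_HZ or high_hz not in COL_HZ:
        raise ValueError(f"not a DTMF pair: {low_hz}/{high_hz}")
    return KEYPAD[ROW_HZ.index(low_hz)][COL_HZ.index(high_hz)]


def keypad_tones(keys: str) -> list:
    """Inverse of decode_tone: the tone pairs a handset emits for `keys`.
    Used here to construct test input; a real platform decodes live audio."""
    tones = []
    for k in keys:
        row = next(i for i, r in enumerate(KEYPAD) if k in r)
        tones.append((ROW_HZ[row], COL_HZ[KEYPAD[row].index(k)]))
    return tones


def luhn_ok(pan: str) -> bool:
    """Luhn check plus the 12 to 19 digit length a PAN can have."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class PaymentProcessor:
    """Assumed in-memory stand-in for the acquirer / payment gateway.
    In a live deployment this is a remote PCI DSS validated service and the
    PAN travels platform -> processor over TLS, never through the agent."""

    def __init__(self):
        self._vault = {}

    def tokenise(self, pan: str) -> str:
        token = "tok_" + secrets.token_hex(8)
        self._vault[token] = pan
        return token

    def holds(self, token: str) -> bool:
        return token in self._vault


class MaskingSession:
    """One card capture on the call path between customer and agent.

    agent_leg is everything the agent hears or sees: one placeholder per digit.
    The digits themselves sit in _buffer on the platform only until '#' and are
    then handed to the processor; the session retains no PAN afterwards.
    """

    def __init__(self, processor: PaymentProcessor):
        self.processor = processor
        self.agent_leg = []
        self._buffer = []

    def on_customer_tone(self, low_hz: int, high_hz: int):
        key = decode_tone(low_hz, high_hz)
        if key == "*":                      # customer wants to start again
            self._buffer.clear()
            self.agent_leg.clear()
            return None
        if key == "#":                      # customer confirms the number
            return self._finish()
        if key.isdigit():
            self._buffer.append(key)
            self.agent_leg.append("*")      # flat tone / asterisk on the agent side
        return None                         # A-D keys are ignored

    def _finish(self) -> dict:
        pan = "".join(self._buffer)
        self._buffer.clear()
        if not luhn_ok(pan):
            self.agent_leg.clear()
            return {"status": "invalid", "token": None, "masked": None}
        masked = "*" * (len(pan) - 4) + pan[-4:]   # last four only, as PCI DSS masking allows
        token = self.processor.tokenise(pan)
        return {"status": "ok", "token": token, "masked": masked}


def capture(processor: PaymentProcessor, keys: str):
    """Feed a whole keypad entry through one session; return (result, session)."""
    session = MaskingSession(processor)
    result = None
    for low, high in keypad_tones(keys):
        out = session.on_customer_tone(low, high)
        if out is not None:
            result = out
    return result, session


if __name__ == "__main__":
    proc = PaymentProcessor()
    res, sess = capture(proc, "4111111111111111#")   # constructed test PAN
    print("agent saw:     ", "".join(sess.agent_leg))
    print("agent receives:", res)
```

Compare this with Pause & Resume: there the customer reads the number aloud, so the agent leg carries the full PAN and only the recording is protected; here the agent leg is `agent_leg`, which never contains a digit, and the agent’s application receives a token and the last four digits, which is all it needs to complete the sale. A caller who cannot use a keypad cannot be served by this flow, which is the gap the paragraph above describes.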
Keeping cardholder data inside the contact centre means building and maintaining the full set of PCI DSS controls in-house, which is expensive and difficult to sustain. Outsourcing can also be a costly answer. Call centres are therefore left deciding how to balance compliance against budgets.
Ramifications of Non-Compliance
There are many different consequences of PCI DSS non-compliance, and they are not only monetary. There could be a breach of the company’s own data, legal action, irreparable damage to its reputation and lost revenue.
Some other consequences could be:
Monthly Penalties: The card brands can levy significant financial penalties, which are passed on to the merchant through its acquiring bank. The merchant’s PCI DSS level, determined by its annual transaction volume, sets both its validation requirements and the scale of any fines. For example, a Level 1 merchant that remains non-compliant for seven months could be fined a significant sum (up to £60,000) per month for that period.
Reputation: If a client’s card information is put at risk, it can result in irreversible damage to the reputation of the company. Once it has been made clear to the public that your security has been breached, it can be difficult for clients to begin trusting the business again.
Legal: Lawsuits against the company are common after a breach. Historically, businesses have paid out tens of millions in settlements after putting customers’ card details at risk.
Revenue Loss: Beyond the reputational damage, history has shown that companies which suffer data breaches through non-compliance see their revenue drop dramatically as customers leave. Target’s 2013 breach, which compromised around 40 million payment cards, led to settlements of over £12m, and the retailer lost over £300m in revenue in the quarter following the breach.
How To Make Your Call Centre Compliant
Getting your call centre PCI DSS compliant might seem a complex problem, but it need not be. PayGuard® has been developed for exactly this situation: it keeps cardholder data out of your agents’ hands and out of your systems, so telephone payments can be taken in a PCI DSS compliant way (it is built to the Level 1 standard). The user interface is simple and takes minimal training for your agents. It works with existing telecoms systems and adds multi-channel payments and support for compliance with GDPR, PSD2 and SCA (Strong Customer Authentication).
Below we have shared a video showing just how quickly a fully PCI DSS compliant payment can be taken. Alternatively, if you want to find out more about how PayGuard® works, just click here.
We know that all businesses are not the same and you may have a question about how technology like PayGuard® can work for you. So please feel free to reach out for a no-obligation chat by filling out the form below.