Probably one of the most difficult questions for you guys to answer is, “How can contact centres be made PCI DSS compliant?”
It can be a really arduous task. The first thing to understand is what level of compliance you would have to have. For our customers, there are usually a couple of choices.
Level 1 Merchants
We have the most complex, which is level 1, but that’s not the majority of our clients. Most of our clients would fall under a lower volume. To give you an idea, for merchant level 1 you have to do two million card payments on either Visa or MasterCard. It’s not even combined, so it has to be on either one. That’s obviously a very particular client set. When you get to that level, you have to have your entire operation assessed by a QSA. You have to get an accreditation assessment, and you have to have pen testing, on-site testing and staff interviews.
It’s incredibly expensive, incredibly arduous. It takes around a month each year to maintain that. We know that ourselves because that’s what we are. We are a level 1 because we process over two million transactions. We have to be assessed, and all of our staff have to be interviewed to make sure we comply with the absolute highest level of PCI.
Level 2 – 4 Merchants
Levels down from that, there are levels 2-4, and they drop basically by volume. If you’re a low-volume user, you’re a lower risk. Level 2 would be up to a million transactions, and it steps down from there. Most of our customers can actually do what’s called a self-assessment, or an SAQ, which allows them to go into a portal and answer a series of questions; if you don’t use a provider like us, it’s about 250 questions.
If you use a provider like ourselves and you remove as much risk and scope as you can, that drops from the 250 to around about 12-14 questions, and you can become accredited very, very quickly.
Self Assessment Questionnaires
It is interesting to point out that in the trade we’re in and among the people we compete with, there are people at the same level as ourselves. We also come across a tremendous number of providers who are a lot smaller, sub one million or 500,000 transactions, and they themselves use an SAQ and self-certify, so the solution they give you hasn’t been accredited or assessed by an assessor. Just something you should perhaps be wary of when moving forward.
Third-Party Service Provider
The best way to get compliant is to work with somebody else, whether it’s us or another provider, and move the risk. We’re here to take that risk; that’s all we do, and that’s all our competitors do. Let you carry on with your business. Trying to make your environment compliant while keeping data in-house, and keeping card data in-house, is a continual headache and a continual risk. The reputational damage of card theft, as you see from the press every day, is horrendous. You just don’t want to go that way.