Contact centres play a crucial role in presenting an organization in a professional and trustworthy way. This not only comes across in how agents or customer service representatives (CSRs) communicate, but also the tools they use in their day-to-day role.
No matter what channel they use to talk to customers, it’s important that agents are able to securely process card payments over the phone, web chat, email or a support ticket. However, asking customers to read out their card details over the phone or type into customer communications tools (like a web chat service), places their sensitive cardholder data (CHD) at risk of fraud and data breaches from eavesdroppers, call recordings, compromised software and other cyberattacks.
Organizations spend on average $3.86 million recovering from a data breach, according to Ponemon Institute’s Cost of a Data Breach Report 2020, on top of long-term reputational damage and the risk of it happening again once a vulnerability has been discovered.
The Payment Card Industry Data Security Standard (or PCI DSS) is a widely recognized industry standard that outlines how organizations can process payments in a highly secure way, assessing all areas of risk within your corporate network.
The standard was first released on December 15, 2004 by Visa, Mastercard, American Express, Discover and JCB, who formed the Payment Card Industry Security Standards Council (PCI SSC) in 2006 to manage the ongoing evolution of the Payment Card Industry (PCI) standards.
If your organization accepts, processes, stores or transmits card payments, the chances are you’ve heard of the Payment Card Industry Data Security Standard (or PCI DSS as it is commonly known).
But what is PCI DSS?
It’s your responsibility to ensure that your customers’ payment data, such as card numbers and other forms of “Sensitive Authentication Data” (SAD), is safeguarded from exposure to contact centre agents, fraudulent attacks (internal and external) and other security breaches.
By achieving PCI compliance and adhering to the comprehensive requirements of PCI DSS, your organization can be confident that it is improving the safety of its customers’ data and the way payments are processed.
The PCI Security Standards Council’s Quick Reference Guide says, “The PCI DSS applies to all entities that store, process, and/or transmit cardholder data. It covers technical and operational system components included in or connected to cardholder data.”
Understanding what it means to be “in-scope” is a vital step for efficiently removing the risk from within the contact centre environment. Any person, system or piece of technology that has the ability to access sensitive cardholder information is at risk of a breach if not secured correctly.
In the contact centre environment, this could include:
- Call centre staff, including agents and customer service representatives (CSRs)
- Laptops, PCs or any other devices used by agents – whether provided by the company or their own devices connected to the corporate network
- Telephony systems (Regardless of technology – Analogue, IP PBX, Cloud-based or on-site)
- Call recording systems – including any Pause and Resume solutions (manual or automated)
- IT networks that are used to process, transmit or store payment details
- Network connections to the contact centre – including the connections from agents or CSRs working from home or other remote locations
- Databases or file storage locations (anything from a complex SQL database to a simple Excel spreadsheet)
- Third-Party systems used to manage customer details, talk to customers or capture payment information
The bottom line is that anything used to take payments is in scope for compliance and should be reviewed against the 12 PCI DSS requirements.
There are a number of measures an organization could consider for its contact centre environment to help achieve PCI DSS compliance. These include a “clean room”, where agents have no access to personal belongings or any means of recording the payment details they hear. You can also increase security and monitoring of high-risk areas that store payment information, reducing the risk of unauthorized access.
The most effective way to achieve PCI-DSS compliance is to stop card data from entering the corporate network altogether. If the details are never transmitted or stored in the first place, they cannot be stolen or used maliciously.
By working with a Payment Services Provider, like Key IVR, we can help “descope” your contact centre environment.
We connect to your gateway or acquirer to help process payments securely over the phone, webchat, email or via a support ticket. The sensitive cardholder data is processed securely on your behalf to PCI-DSS Level 1, and no payment details ever reach your network, devices or contact centre agents.
We provide live dashboards that show non-sensitive information, allowing agents to stay in conversation and follow along with the customer as they are making a payment – with the ability to assist if there’s an issue.
Our services work with all telephony services (analogue, IP PBX or VoIP based) and we integrate with all major gateway providers.
Although PCI DSS is not a legal requirement, it is mandatory if your organization wishes to process transactions with the major card schemes. Here are some of the potential drawbacks and penalties that could occur if you do not maintain PCI compliance:
- Fines and penalties ranging from £3,000 (approx. $4,100) to £6,000 (approx. $8,300)
- Lost confidence, so customers go to other merchants
- Diminished sales
- Cost of reissuing new payment cards
- Data breaches and fraud losses
- Legal costs, settlements and judgments
- Termination of ability to accept payment cards
- Lost jobs (CISO, CIO, CEO and dependent professional positions)
- Going out of business
- Higher subsequent costs of compliance
If you experience a data breach as a result of non-compliance with PCI DSS, you could also face investigation by the Information Commissioner’s Office (ICO) into your organization’s compliance with the General Data Protection Regulation (GDPR), which can result in fines of up to €20m or 4% of turnover, whichever is greater.
As agents talk to customers over the phone, they can ask the customer to enter their card details using their telephone keypad rather than say them out loud. DTMF masking (often called DTMF suppression) replaces the keypad tones, or converts each two-frequency tone into a single flat tone, so that the digits cannot be recovered by an eavesdropper, from a call recording, or from within the organization’s network. This helps organizations obtain PCI compliance whilst continuing to take payments over the phone and record their calls.
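The following simulation, added here as an illustration rather than Key IVR’s own code, shows why the masking matters: a short keypad entry is synthesised as dual-tone audio, decoded with a Goertzel detector (what a call recording or a sniffer on the voice network could do), then passed through a masking step that swaps every keypress for a flat 1 kHz tone (an assumed substitute tone), after which the same detector recovers nothing. Sample rate, frame size and the card digits are constructed values.

```python
import math

# Constructed example: the DTMF row/column frequency pairs (Hz) of a telephone keypad.
DTMF = {"1": (697, 1209), "2": (697, 1336), "3": (697, 1477),
        "4": (770, 1209), "5": (770, 1336), "6": (770, 1477),
        "7": (852, 1209), "8": (852, 1336), "9": (852, 1477),
        "*": (941, 1209), "0": (941, 1336), "#": (941, 1477)}
ROWS, COLS = (697, 770, 852, 941), (1209, 1336, 1477)
RATE, FRAME = 8000, 400  # 8 kHz telephony audio, analysed in 50 ms frames

def tone(freqs, n):
    """n samples of the summed sine waves in freqs, scaled so peaks stay within [-1, 1]."""
    return [sum(math.sin(2 * math.pi * f * i / RATE) for f in freqs) / len(freqs)
            for i in range(n)]

def synth(digits):
    """Simulated keypad entry: one frame of dual tone per digit, then one frame of silence."""
    out = []
    for d in digits:
        out += tone(DTMF[d], FRAME) + [0.0] * FRAME
    return out

def goertzel(frame, f):
    """Signal power at frequency f in frame (Goertzel recurrence, no FFT needed)."""
    coeff = 2 * math.cos(2 * math.pi * f / RATE)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def detect(frame, threshold=0.2 * (FRAME / 4) ** 2):
    """Digit whose row and column tones are both strong in frame, else None."""
    row = max(ROWS, key=lambda f: goertzel(frame, f))
    col = max(COLS, key=lambda f: goertzel(frame, f))
    if min(goertzel(frame, row), goertzel(frame, col)) < threshold:
        return None
    return next(d for d, pair in DTMF.items() if pair == (row, col))

def decode(samples):
    """What a call recording or network eavesdropper recovers (one digit per tone frame)."""
    digits = [detect(samples[i:i + FRAME]) for i in range(0, len(samples), FRAME)]
    return "".join(d for d in digits if d)

def mask(samples):
    """DTMF suppression: each frame carrying a keypress is replaced by a flat 1 kHz tone."""
    out = []
    for i in range(0, len(samples), FRAME):
        frame = samples[i:i + FRAME]
        out += tone((1000,), len(frame)) if detect(frame) else frame  # assumed flat tone
    return out
```

Running `decode(synth("4111"))` returns the keyed digits, while `decode(mask(synth("4111")))` returns an empty string, with the masked audio the same length as the original so the recording stays intact.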
The process is handled by our Agent Assisted Payment service, powered by our PCI DSS Level 1 certified payment platform. No sensitive card details reach your corporate network, and your contact centre and agents stay completely out of scope, drastically reducing the risk of card fraud for your organization.
Let us help you reduce serious security risks within your contact centre with our PCI-DSS compliant services. We work with you to design a solution that tackles your individual business challenges.