What is PCI DSS?

Established by the Payment Card Industry Security Standards Council (PCI SSC), the PCI DSS is a set of requirements for securing payment transactions and protecting cardholders against misuse of their personal information. Non-compliance with the requirements can mean significant fines and the loss of the privilege of accepting payment cards. The full text of the standard is published by the PCI SSC.


Who Must Comply?

The PCI DSS applies to any entity that stores, processes, or transmits cardholder data. Even though the PCI SSC defines multiple levels of merchants and service providers, the requirements remain the same for all merchants and service providers.

There are, however, specific reporting requirements that depend on merchant level. An onsite assessment by a Qualified Security Assessor (QSA) is required for Level 1 merchants, and self-assessment via the Self-Assessment Questionnaires (SAQ) is required for merchant Levels 2-4.

Why Comply?

As the number of digital transactions grows every day, so does the amount of fraud. The risk of a merchant suffering a data breach has never been greater, and the consequences of suffering one can be far reaching, resulting in monetary penalties and, more often than not, irreparable damage to brand reputation.

While compliance with the PCI DSS does not guarantee protection against a data breach, taking the steps outlined in the standard can greatly reduce the risk of one. In addition, non-compliance can result in fines imposed by the major card brands.


What is Descoping?

In addition to the twelve high-level requirements the PCI SSC outlines in the Data Security Standard, there are numerous sub-requirements and potentially hundreds of controls to apply. Simply put, the PCI DSS considers any person, system, or piece of technology that touches payment information to be “in scope.” In the context of a contact center that takes payments, this means that all customer service representatives (CSRs), telephony equipment, IT infrastructure, software, and even security cameras will be in scope for compliance.

To minimize the scope of the compliance project and reduce the number of applicable PCI controls that must be implemented, organizations must decrease the number of systems and pieces of infrastructure that come into contact with cardholder data.

PCI DSS Compliance for Call Centers

When customers provide payment information to your contact center agents, who then enter the data into their desktop application, PCI DSS compliance may involve many complex checks and controls. In fact, you may have to apply over 400 controls to the desktop and the network on which it operates. Other key security considerations include:

  • Ensuring Sensitive Authentication Data (SAD) is not stored on call recordings
  • Minimizing the risk of a security breach by vetting new agents with the Criminal Records Bureau
  • Making sure data cannot be illicitly collected by any means; traditionally achieved by using “clean rooms,” prohibiting pens, paper and cell phones from agents’ work stations

These measures are time-consuming, costly and detrimental to the call center’s working environment.

Call Recording Compliance Challenges

One of the biggest challenges with PCI DSS compliance involves call recordings, as many call centers record calls for regulatory compliance, quality assurance or legal reasons. Unfortunately, the PCI DSS prohibits the recording of some aspects of telephone payments. To avoid non-compliance and fines, call centers traditionally rely on three methods when taking payments by phone. Each of these methods, however, has several drawbacks:

Automated interactive voice response (IVR) payment solutions:

Using voice recognition or keypad entry, these systems allow call centers to take payments without recording card details. However, customers often do not know how to correct miskeyed information and are likely to hang up the phone at the first sign of difficulty. This means they end up giving their payment details to an agent rather than a machine, thus exposing the agent to sensitive information. IVR systems can also increase average handling time (AHT) and reduce first contact resolution (FCR), which both negatively impact the customer journey and can increase contact center costs.

“Pause and resume” call recording solutions:

Pausing the call recording the moment a payment is taken is often suggested as a way for call centers to comply with the PCI DSS. However, both the agent and the desktop computer in use are still within scope for the PCI DSS: the agent hears and inputs the information, which then passes through the network infrastructure. In addition, pause-and-resume solutions are prone to failure, especially when they are operated manually by an agent who may forget to pause the recording and accidentally record sensitive data.

Call recording encryption solutions:

Many organizations believe that encrypting their call recordings will manage the risks of storing sensitive card data. However, the PCI DSS explicitly prohibits storing SAD (including CVC2 and CVV2 security codes) after authorization under any circumstances, even in encrypted form.
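As an added example, not Semafone's code and not part of the original page, here is the kind of check behind “Ensuring Sensitive Authentication Data (SAD) is not stored on call recordings” and the point above that a security code may not be kept even when encrypted. It runs over a call transcript and separates cardholder data (a Luhn-valid card number, reportable in masked form) from SAD (a three- or four-digit code given in answer to a security-code prompt), which must be purged from the recording rather than protected. The transcript lines, their timestamp/speaker layout and the prompt keywords are all constructed assumptions; a real deployment would take the transcript from the recording platform's speech-to-text output.

```python
import re
from dataclasses import dataclass

# Constructed sample transcript (not a real call). The "[hh:mm:ss] SPEAKER:"
# layout is an assumption about how a transcription service labels turns.
TRANSCRIPT = [
    "[00:01:12] AGENT: Can I take the long number on the front of the card?",
    "[00:01:20] CALLER: Sure, it's 4111 1111 1111 1111.",
    "[00:01:35] AGENT: And the three digit security code on the back?",
    "[00:01:40] CALLER: It's 737.",
    "[00:01:55] AGENT: Thanks. Your order reference is 1234 5678 9012 3456.",
]

LINE_RE = re.compile(r"^\[(\d\d:\d\d:\d\d)\]\s+(\w+):\s*(.*)$")
# 13-19 digits, optionally separated by spaces or dashes, not part of a longer digit run.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# A security-code prompt followed, within a short non-digit gap, by 3-4 digits.
# The keyword list is an assumption about how agents phrase the request.
SAD_RE = re.compile(
    r"(?:cvv2?|cvc2?|security code|three[- ]digit)\D{0,60}?(?<!\d)(\d{3,4})(?!\d)",
    re.I,
)


@dataclass
class Finding:
    line: int     # 1-based transcript line where the data starts
    kind: str     # "CHD" (card number) or "SAD" (security code)
    masked: str   # the only form that may appear in a report


def luhn_valid(digits: str) -> bool:
    """Luhn check: filters out order numbers and other 13-19 digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four, the most the PCI DSS lets a report display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def spoken_text(lines):
    """Strip timestamps and speaker labels so their digits cannot confuse the scan."""
    out = []
    for raw in lines:
        m = LINE_RE.match(raw)
        out.append(m.group(3) if m else raw)
    return out


def scan_transcript(lines):
    spoken = spoken_text(lines)
    findings = []
    for i, text in enumerate(spoken):
        for m in PAN_RE.finditer(text):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits):
                findings.append(Finding(i + 1, "CHD", mask_pan(digits)))
        # The caller usually answers a security-code prompt on the next turn,
        # so the SAD pattern is matched over a two-turn window.
        nxt = spoken[i + 1] if i + 1 < len(spoken) else ""
        for _ in SAD_RE.finditer(text + " " + nxt):
            findings.append(Finding(i + 1, "SAD", "***"))
    return findings


def must_purge(findings) -> bool:
    """True when the recording holds SAD and must be deleted or redacted, not just encrypted."""
    return any(f.kind == "SAD" for f in findings)


if __name__ == "__main__":
    found = scan_transcript(TRANSCRIPT)
    for f in found:
        print(f"line {f.line}: {f.kind} {f.masked}")
    print("recording must be purged:", must_purge(found))
```

The order reference on the last line has sixteen digits but fails the Luhn check, so it is not reported; the security code is reported without its value at all, since even a compliance report must not carry SAD.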


How Semafone Solves PCI DSS Challenges

The most effective way to protect customer data, comply with the PCI DSS and minimize the ongoing cost of securing your infrastructure is to prevent sensitive payment information from entering your call center environment in the first place.

With Semafone’s Cardprotect, you can eliminate inefficient compliance efforts and call recording workarounds by descoping the call center (that is, reducing the number of applicable controls). Cardprotect removes sensitive data from the business infrastructure, dramatically reducing PCI DSS compliance costs and the risks associated with fraud, and allowing your enterprise to focus on business as usual.

Semafone offers a patented technology to achieve this: removing the agent, their desktop and the wider IT and telephony systems from any contact with card data.
