
What is PCI DSS?

Established by the Payment Card Industry Security Standards Council (PCI SSC), the PCI DSS is a set of requirements for protecting cardholder data wherever it is stored, processed or transmitted, so that cardholders are protected against misuse of their account information. Non-compliance can mean significant fines and the loss of the privilege of accepting payment cards.


semafone

Who Must Comply?

The PCI DSS applies to any entity that stores, processes or transmits cardholder data. Although the card brands define several levels of merchants and service providers, the security requirements themselves are the same at every level.

What changes with the level is how compliance is validated and reported. Level 1 merchants must have an onsite assessment by a Qualified Security Assessor (QSA); merchants at levels 2 to 4 generally validate by completing the appropriate Self-Assessment Questionnaire (SAQ).

Why Comply?

As the number of digital transactions grows every day, so does the volume of fraud. The risk of a merchant suffering a data breach has never been greater, and the consequences can be far reaching: monetary penalties, and often lasting damage to brand reputation.

Compliance with the PCI DSS does not guarantee protection against a data breach, but implementing the controls the standard sets out substantially reduces the likelihood of one. Non-compliance can also result in fines from the card brands, passed on to the merchant through its acquiring bank.



What is Descoping?

Beyond the twelve high-level requirements set out in the Data Security Standard, there are numerous sub-requirements and potentially hundreds of individual controls to apply. Simply put, the PCI DSS treats any person, system or piece of technology that touches payment card data, or that could affect the security of that data, as “in scope”. In a contact centre that takes payments, this means all customer service representatives (CSRs), telephony equipment, IT infrastructure, software and even security cameras can be in scope for compliance.

To minimise the scope of the compliance effort and reduce the number of applicable PCI controls, organisations must reduce the number of systems, networks and people that come into contact with cardholder data.

PCI DSS Compliance for Call Centres

When customers read payment details to your contact centre agents, who key them into a desktop application, the agent, the desktop and the network it sits on are all in scope, and PCI DSS compliance can involve many complex checks and controls: you may have to apply over 400 controls to the desktop and its network alone. Other key security considerations include:

  • Ensuring Sensitive Authentication Data (SAD), such as the card security code, is not captured in call recordings
  • Reducing insider risk by vetting new agents with the Criminal Records Bureau (now the Disclosure and Barring Service)
  • Making sure card data cannot be written down or photographed, traditionally by running “clean rooms” that ban pens, paper and mobile phones from agents’ workstations

These measures are time-consuming, costly and detrimental to the call centre’s working environment.

Call Recording Compliance Challenges

One of the biggest PCI DSS challenges is call recording: many call centres record calls for regulatory, quality assurance or legal reasons, but the PCI DSS prohibits storing Sensitive Authentication Data after authorisation, and a recording in which a customer reads out their card security code is exactly such storage. To avoid non-compliance and fines, call centres have traditionally relied on three approaches to taking payments over the phone, each with significant drawbacks:

Automated interactive voice response (IVR) payment solutions:

Using speech recognition or keypad entry, these systems take the payment without an agent hearing the card details and without the details reaching the call recording. However, customers often do not know how to correct a miskeyed entry and are likely to give up at the first sign of difficulty; they then read their payment details to an agent instead, which puts the agent, and the recording, back in contact with sensitive data. IVR systems can also increase average handling time (AHT) and reduce first contact resolution (FCR), both of which degrade the customer journey and can raise call centre costs.

“Pause and resume” call recording solutions:

Pausing the recording while the payment is taken is often suggested as a way to comply. It keeps SAD out of the stored recording, but the agent and the desktop remain in scope: the agent still hears and keys the card data, which still passes over the network. Pause-and-resume is also prone to failure, especially when the agent triggers it manually and forgets, in which case the card data is recorded after all.

Call recording encryption solutions:

Many organisations assume that encrypting call recordings manages the risk of storing sensitive card data. It does not: the PCI DSS prohibits storing SAD, including the card security code (CVV2, CVC2 and equivalents), full track data and PINs, after authorisation, under any circumstances, even encrypted. Encryption is a control for protecting the PAN, not a licence to keep SAD.



How Semafone Solves PCI DSS Challenges

The most effective way to protect customer data, comply with the PCI DSS and minimise the ongoing cost of securing your infrastructure is to prevent sensitive payment information from entering your call centre environment in the first place.

With Semafone’s Cardprotect, you can replace these compliance workarounds and call recording measures by descoping the call centre, that is, reducing the number of controls that apply to it. Cardprotect keeps sensitive data out of the business infrastructure, which cuts PCI DSS compliance costs, reduces the risk of fraud and lets the enterprise focus on business as usual.

Semafone is alone in offering patented technology to achieve this: removing the agent, their desktop and the wider IT and telephony systems from any contact with card data.




PCI DSS and Compliance with the FCA

In the UK, the Financial Conduct Authority (FCA) requires financial firms, including brokers, banks and investment managers, to record complete telephone conversations. The FCA considers full recordings useful across all sectors for resolving transaction disputes and for evidencing that customers are treated fairly and consistently and given correct information and advice. This creates a conflict for financial services call centres: they must record calls in full to meet the FCA’s requirements, yet they must not record or store Sensitive Authentication Data (SAD) if they are to comply with the PCI DSS.

Semafone’s Cardprotect allows call centres to meet both requirements. Its dual-tone multi-frequency (DTMF) masking solution lets the customer key their card details on their telephone keypad and masks the resulting tones before they reach the agent or the call recorder, so the digits never enter the recording or the agent’s environment. Financial services call centres can therefore record the entire conversation without capturing sensitive data, which is kept completely out of the call centre.
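The two situations described above, a manually paused recorder that misses the pause and captures a card number, and a DTMF-masked path on which the agent leg never carries the digits, as an added, simplified Python illustration. This is not Semafone’s code and does not describe Cardprotect’s internals: the one-key-per-event format, the constant masking tone, the “*” to clear and “#” to submit convention, returning only the last four digits to the agent, and the transcript lines are all constructed assumptions. The scanner in the first part is the kind of audit you would run over transcripts of pause-and-resume recordings; the second part shows why the same scanner finds nothing on the masked leg.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# ---------------------------------------------------------------------------
# Part 1: auditing a recording for card numbers (a Luhn-checked PAN scanner).
# ---------------------------------------------------------------------------

def luhn_valid(digits: str) -> bool:
    """Mod-10 (Luhn) check that every payment card PAN must satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

# A run of 13-19 digits, optionally separated by single spaces or dashes, not
# embedded in a longer digit string. Sufficient for the constructed transcript
# below; a production scanner needs more careful tokenising of adjacent numbers.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid PANs (digits only) found in free text."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits

# ---------------------------------------------------------------------------
# Part 2: a DTMF-masked capture path (constructed model, not a vendor's design).
# ---------------------------------------------------------------------------

MASK_TONE = "<flat-tone>"   # assumption: agent/recorder leg gets one constant tone per keypress

@dataclass
class CallLegs:
    """What each leg of the call carries while the customer keys the card number."""
    agent_hears: list[str] = field(default_factory=list)     # the same audio the recorder stores
    processor_gets: list[str] = field(default_factory=list)  # PANs handed to the payment processor

def dtmf_masked_capture(keypad_events: list[str]) -> tuple[CallLegs, dict]:
    """Route a stream of keypad events (constructed format: one key per item).

    Digits accumulate only on the processor side. '*' clears a mis-keyed entry,
    '#' submits. The agent leg, and therefore the recording, receives MASK_TONE
    for every keypress and, on success, only the last four digits of the PAN.
    """
    legs = CallLegs()
    buffer: list[str] = []
    result = {"status": "incomplete"}
    for key in keypad_events:
        legs.agent_hears.append(MASK_TONE)  # every keypress is masked, including '*' and '#'
        if key.isdigit():
            buffer.append(key)
        elif key == "*":                     # customer corrects a mis-key: start over
            buffer.clear()
        elif key == "#":                     # submit the entry to the processor leg
            pan = "".join(buffer)
            if 13 <= len(pan) <= 19 and luhn_valid(pan):
                legs.processor_gets.append(pan)
                result = {"status": "ok", "last4": pan[-4:]}
            else:
                result = {"status": "invalid", "digits_entered": len(pan)}
            buffer.clear()
    return legs, result

# ---------------------------------------------------------------------------
# Worked comparison on constructed data.
# ---------------------------------------------------------------------------

def pause_resume_failure_demo() -> list[str]:
    """Constructed transcript of a call where the agent forgot to pause the recorder."""
    recording = [
        "Agent: Can I take the long number on the front of the card?",
        "Customer: 4111 1111 1111 1111",
        "Customer: expiry is twelve twenty-seven and the code on the back is 123",
    ]
    return find_pans("\n".join(recording))

def dtmf_masking_demo() -> dict:
    """The same card keyed via the masked path; the recording contains no PAN."""
    legs, result = dtmf_masked_capture(list("4111111111111111") + ["#"])
    return {
        "agent_result": result,
        "pans_in_recording": find_pans(" ".join(legs.agent_hears)),
        "pans_at_processor": legs.processor_gets,
    }

if __name__ == "__main__":
    print("pause/resume missed:", pause_resume_failure_demo())   # ['4111111111111111']
    print("dtmf masking:", dtmf_masking_demo())
```

The point of the comparison is the scope boundary rather than the scanner: in the pause-and-resume case the PAN is in the stored audio and the scanner is a detective control applied after the fact, whereas on the masked leg there is nothing to find because the digits were never routed there.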
