Established by the Payment Card Industry Security Standards Council (PCI SSC), the PCI DSS is a set of requirements for securing payment transactions and protecting cardholders against misuse of their personal information. Non-compliance with the requirements can mean significant fines and the loss of the privilege of accepting payment cards.
The PCI DSS applies to any entity that stores, processes, or transmits cardholder data. Even though the PCI SSC defines multiple levels of merchants and service providers, the requirements remain the same for all of them.
There are, however, specific reporting requirements that depend on merchant level. Onsite assessment by a Qualified Security Assessor (QSA) is required for level 1 merchants, and self-assessment via the Self-Assessment Questionnaires (SAQ) is required for merchant levels 2-4.
As the number of digital transactions grows every day, so does the amount of fraud. The risk for merchants to suffer a data breach has never been greater, and the consequences of suffering one can be far-reaching, resulting in monetary penalties and, more often than not, irreparable damage to brand reputation.
While compliance with the PCI DSS does not ensure protection against a data breach, taking the steps outlined in the standard can greatly help to reduce the risk of one. In addition, non-compliance can result in fines imposed by the major credit providers.
In addition to the twelve high-level requirements the PCI SSC outlines in the Data Security Standard, there are numerous sub-requirements, and potentially hundreds of controls to apply. Simply put, the PCI DSS considers any person, system, or piece of technology that touches payment information as “in-scope.” In the context of a contact centre that takes payments, this means that all customer service representatives (CSRs), telephony equipment, IT infrastructure, software, even security cameras will be in scope for compliance.
To minimise the scope of the compliance project and reduce the number of applicable PCI controls that must be implemented, organisations must decrease the number of systems and the amount of infrastructure that come into contact with cardholder data.
When customers provide payment information to your contact centre agents, who then enter the data into their desktop application, PCI DSS compliance may involve many complex checks and controls. In fact, you may have to apply over 400 controls to the desktop and the network on which it operates. Other key security considerations include:
These measures are time-consuming, costly and detrimental to the call centre’s working environment.
One of the biggest challenges with PCI DSS compliance involves call recordings, as many call centres record calls for regulatory compliance, quality assurance or legal reasons. Unfortunately, the PCI DSS prohibits the recording of some aspects of telephone payments. To avoid non-compliance and fines, call centres traditionally rely on three methods when taking payments via phone. However, these methods have several drawbacks:
Automated interactive voice recognition (IVR) payment solutions:
Using voice recognition or keypad entry, these systems allow call centres to take payments without recording card details. However, customers often do not know how to correct miskeyed information and are likely to hang up the phone at the first sign of difficulty. This means they end up giving their payment details to an agent rather than a machine, thus exposing the agent to sensitive information. IVR systems can also increase average handling time (AHT) and reduce first contact resolution (FCR), which both negatively impact the customer journey and can increase call centre costs.
“Pause and resume” call recording solutions:
Pausing the call recording the moment a payment is taken is often a suggested way for call centres to comply with the PCI DSS. However, both the agent and the desktop computer in use are still within scope for PCI DSS – the agent hears and inputs the information, which passes through the network infrastructure. In addition, pause and resume solutions are prone to failure, especially if they are manually operated by an agent who may forget to pause the recording and accidentally log sensitive data.
Call recording encryption solutions:
Many organisations believe that encrypting their call recordings will manage the risks of storing sensitive card data. However, the PCI DSS explicitly prohibits storing Sensitive Authentication Data (SAD), including CVC2 and CVV2 security codes, under any circumstances, even if encrypted.
The most effective way to protect customer data, comply with the PCI DSS and minimise the ongoing cost of securing your infrastructure is to prevent sensitive payment information from entering your call centre environment in the first place.
With Semafone’s Cardprotect, you can eliminate inefficient compliance efforts and call recording measures by descoping the call centre (that is, reducing the number of applicable controls required). Cardprotect removes sensitive data from the business infrastructure, dramatically reducing PCI DSS compliance costs and the risks associated with fraud, and allowing your enterprise to focus on business as usual.
Semafone offers a patented technology to achieve this: removing the agent, their desktop and the wider IT and telephony systems from any contact with card data.
In the UK, the Financial Conduct Authority (FCA) requires financial firms, including brokers, banks and investment managers, to record complete phone conversations. The FCA deems that full recordings are useful across all sectors to assuage transaction disputes and ensure that customers are treated fairly and consistently and are given the correct information and advice. However, this causes problems for financial services call centres. Although they must record calls to meet the FCA’s requirements, they cannot record or store Sensitive Authentication Data (SAD) if they are to comply with the PCI DSS.
Semafone’s Cardprotect allows call centres to meet both requirements, as its dual-tone multi-frequency (DTMF) masking solution blocks payment card information from call recordings. Financial services call centres can still record full conversations without worrying about logging sensitive data, which is kept completely out of the call centre environment.