In a recent post, we detailed what Payment Card Industry Data Security Standard (PCI DSS) compliance is and why it matters. Essentially, if your business accepts, processes, stores or transmits credit card information, you have to comply with the PCI DSS – a set of twelve requirements drawn up by the Payment Card Industry Security Standards Council (PCI SSC) – to ensure your customers’ transactions are secure. But what exactly falls within the PCI DSS scope? Could you be overlooking a critical IT area when it comes to ensuring your company’s compliance?
In this article, we will define what a PCI Zone is and what it covers, and how to ensure that both your contact centre and your wider business avoid hefty fines and stay out of data breach headlines.
The PCI “Zone”
In the most basic terms, a PCI Zone is anything that is in scope for PCI DSS compliance. We have created a handy checklist to help your organization ensure best practices for achieving and maintaining PCI DSS compliance, but let’s take a closer look at what is categorized as “cardholder data,” and what areas of your business cardholder data may touch that can inadvertently get pulled into the PCI Zone.
Types of Cardholder Data and Where It Can Live
Cardholder data includes any personally identifiable information (PII) associated with a person who has a credit or debit card. This can include the primary account number (PAN), cardholder name, expiration date or security code (the three- or four-digit number on magnetic-stripe cards), and security PINs. But here’s where it can get tricky: not only does your business need to ensure proper security of that information during a typical transaction, it must secure ALL areas within the organization that the data can or might pass through.
There are many places within your organization, both obvious and not-so-obvious, where cardholder data may live: your telephony network (including VoIP systems, voice recordings, and recordings of interactive voice response (IVR) and dual-tone multi-frequency (DTMF) tones); IT systems that store images, videos and free-form text databases that can contain PANs; and physical environments where hard-copy data can be found. Even Bluetooth devices like headsets and keyboards need to be considered. In a nutshell, the more technologies that enter your business, the larger your PCI Zone grows. And if we look at a typical organization, the majority of these technologies, like IVR systems, and of the interactions requiring payment information can be found within the call and contact centre.
Why Contact Centres Are a Compliance Challenge
The contact centre is a hub for all types of customer information, and at any given time it may be processing personal contact information, health or medical records, social security numbers, driver’s license numbers, and of course payment card information. Because of this, contact centres may find themselves having to comply with a multitude of regulations that each have their own compliance requirements, depending on the type of data the company deals with.
For example, the Health Insurance Portability and Accountability Act (HIPAA) mandates data privacy and security provisions for health-related information, has stringent rules on how it can be processed, and applies to every health insurer, hospital, medical centre or other organization handling this type of data. In the higher education industry, the Family Educational Rights and Privacy Act (FERPA) is a federal law that maintains the privacy and security of student records and applies to virtually all institutions receiving federal funding.
The most wide-ranging standard – the PCI DSS – holds many provisions for how employees and agents handle and store payment card information, which makes it critically important to ensure proper training.
How to Shrink Your PCI Zone
To reduce the risk of fraud, achieve PCI DSS compliance and thus shrink your business’ overall PCI Zone, you need to put in place solutions and protocols to prevent cardholder data flowing through your call recordings, agents, desktops, IT systems, the physical environment and telephony network. And that’s where Semafone’s patented data capture technology, Cardprotect, can help. A proven and award-winning PCI DSS compliance solution that prevents payment card data from entering the contact centre in the first place, Cardprotect makes it possible for contact centres to achieve PCI DSS compliance while recording calls in their entirety.
Using dual-tone multi-frequency (DTMF) masking technology, instead of reading their credit card number aloud to a customer service representative (CSR), customers simply enter it on their telephone keypad. During this process, the incoming data is intercepted, and the CSR is presented with masked digits on their desktop in real time. Once the customer has entered the numbers and the system has verified that the information is correct, it seamlessly passes the transaction data through to the payment service provider (PSP) for processing, bypassing the CSR, their desktop and even the telephony and customer information databases as it does so. This provides a way for companies to process sensitive information without it being handled directly by the contact centre, giving customers the peace of mind that their sensitive payment information is safe. The customer and CSR remain in constant verbal communication throughout the transaction, which greatly improves customer satisfaction and key call centre metrics, increasing first contact resolution (FCR) while reducing the number of abandoned calls and the average handling time (AHT).
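As an added illustration (not Semafone's code or the Cardprotect implementation), the Python below simulates the DTMF masking flow just described and also the earlier point about stray PANs in free-form text: `find_pans()` flags Luhn-valid digit runs in a constructed agent note, and `DtmfMasker` intercepts keypad digits so the agent view and recorder never see them while the validated PAN goes only to an assumed PSP callback.

```python
# Added example (not Semafone's or PCI SSC code): two PCI-scoping helpers.
# find_pans() flags Luhn-valid digit runs in free-form text, the kind of
# stray PAN that pulls a database or log into the PCI Zone. DtmfMasker
# simulates DTMF masking: keypad digits are intercepted, the agent desktop
# sees only '*', the recorder gets a flat placeholder, and the full PAN
# reaches only the (hypothetical, assumed) PSP callback.
import re

def luhn_ok(digits: str) -> bool:
    """Mod-10 check that separates a PAN from an arbitrary digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                   # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

# 13-19 digits, optionally space/hyphen separated, not inside a longer digit run
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def find_pans(text: str) -> list[str]:
    """Return normalised, Luhn-valid PAN candidates found in free-form text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits

class DtmfMasker:
    """Sits between the telephony network and the agent desktop, recorder and PSP."""
    def __init__(self, send_to_psp):
        self.send_to_psp = send_to_psp   # hypothetical PSP hand-off, assumed here
        self.buffer = ""                 # digits held only until submission
        self.agent_view = ""             # what the CSR desktop displays
        self.recording = []              # what the call recorder captures

    def on_dtmf(self, digit: str) -> None:
        """Intercept one keypad tone before it reaches the agent or recorder."""
        self.buffer += digit
        self.agent_view += "*"           # CSR sees progress, never the digit
        self.recording.append("flat")    # tone replaced before it is recorded

    def on_submit(self) -> bool:
        """Customer finished entry: validate, then pass the PAN straight to the PSP."""
        ok = 13 <= len(self.buffer) <= 19 and luhn_ok(self.buffer)
        if ok:
            self.send_to_psp(self.buffer)
        self.buffer = ""                 # PAN never persists in the contact centre
        return ok
```

The sample note and the `4111…`/`4242…` numbers are constructed test values, not real cards; in a real deployment the recorder and desktop paths would also need to be verified to contain nothing but the placeholders.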
DTMF masking is the only method that can keep payment card and other sensitive customer data completely out of the contact centre. This ultimately shrinks your organization’s PCI Zone, allowing for consistent compliance with the PCI DSS, while creating the best possible customer experience.
For more information on PCI DSS, visit: https://www.pcisecuritystandards.org/.