In 2006, five major credit card companies established the Payment Card Industry Data Security Standard (PCI DSS) to protect consumers against fraud, identity theft, and other illegal uses of cardholder data. Failure to meet these standards today can lead to lawsuits, fines, and reputational damage. That’s why it's vital that you ensure call center PCI compliance.
With a growing number of leaders embracing an omnichannel call center approach to customer service, interaction numbers are increasing. While this can boost CX and make for happier customers, it also presents a compliance challenge. Additional information pouring in—particularly payment details—increases the risk of cyberattacks and data breaches.
To minimize such risk for your call center, you must take the correct steps to help ensure PCI compliance.
PCI DSS is a minimum level of security that a business must meet when processing, storing, or transmitting credit card information. It requires an organization to protect customers by establishing a secure environment for payment details.
Many contact center processes require customers to share sensitive credit card information, like account numbers, CCV codes, and expiration dates, over the phone. As a result, call centers must maintain PCI compliance in order to protect customers and their personal data.
Everyone involved in the cardholder data environment (CDE), from customer service reps to IT support teams, must be PCI compliant. For a contact center, this includes all staff, technologies, and systems involved in storing, processing, or transmitting credit card data. To keep your CDE environment secure, you need to cover all your bases.
For a call center, the benefits of PCI compliance are far-reaching. Not only does it help avoid fines and lawsuits, but it also improves brand image, decreases the risk of compliance breaches, and, in some cases, even increases sales.
With the average cost of a data breach in 2023 coming to an eye-watering $4.45 million, safeguarding your data could be a company-saving move. All the security measures required to ensure regulatory adherence greatly limit the risk of a breach and, thanks to encryption, render much of the compromised information useless.
Compliance tools are designed to protect customer data. Encrypted transmissions, role-based access, network segmentation, and more all serve to reduce the chances of a leak. If you’re deleting data once it's no longer needed and limiting collection to what is essential, you’re simplifying the process and protecting customers.
Awareness around privacy and data security is growing. When customers know that you’re taking data protection seriously, they’re more likely to trust your brand. Furthermore, existing customers spend 67 percent more than new ones, so if you can build trust and establish loyal, long-term customers, you won’t only improve brand image, you’ll boost revenue.
If your organization is found in violation of PCI compliance rules, you could face financial penalties of between $5,000 and $10,000 per month. Even if no breach occurs, you can still be fined for non-compliance. Given that PCI DSS adherence is a legal requirement in many jurisdictions, staying compliant is necessary to avoid financial and legal repercussions.
All of the factors above—security, trust, protection—feed into your overall brand image, instilling confidence in consumers. If a customer trusts your organization to do the right thing, it’s likely that they’ll spread the word and bring in new prospects. In fact, when customers feel appreciated, 87 percent will recommend the brand to friends and family.
Essentially, the opposite of the benefits outlined above. You may face lawsuits and fines, customers will lose faith in you, and your brand reputation will take a big hit, limiting future business opportunities.
As an example, Morgan Stanley paid $60 million to resolve a data security lawsuit concerning the company’s alleged failure to protect clients’ personally identifiable information. For small or medium businesses, legal fees, fines, and reimbursements could prove overwhelming and result in closure.
Non-compliance can have long-term consequences for your organization beyond fines and payments. In severe cases, your banking vendor may increase fees or even terminate the relationship. In security terms, hackers may take non-compliance as a sign of weakness and target organizations as a result.
A rigorous, ongoing assessment of security measures is essential to ensure PCI compliance in your call center. By following the steps below, you can maintain the high standards necessary to meet PCI DSS requirements.
To ensure PCI compliance in your call center, you must develop a strong understanding of PCI DSS requirements and how each one relates to the specifics of your organization. A risk assessment of your organization can give you a sense of your most pressing issues.
At the time of publication, there are 12 requirements relating to different goals. These goals primarily concern building and maintaining secure networks, protecting cardholder data, and ensuring that everyone involved in the process has sufficient awareness and training.
Following the 12 requirements, you’ll find best practices for achieving these goals, from technical solutions like firewalls and encryption to common sense approaches like strong password management and data access restriction.
If you’re handling credit card details in your contact center, you need to establish documentation that covers PCI compliance. Adherence involves everyone, so you need to provide guidance on both personal and technical requirements, including:
These are just a few examples, and the exact features will vary depending on the specifics of your contact center. Whatever is included, a comprehensive policy will make everyone involved aware of their obligations and how to meet them.
PCI requirements can serve as guidelines for policymakers. For example, it’s required that you “assign a unique ID to each person with computer access”. By including this in your policy document, you can ensure that the IT department follows this rule.
Responsibility for drafting policy is shared and will involve input from senior management, legal and HR departments, the IT department, and possibly more, depending on the scope of the policy. Review documentation annually and be mindful of changes to both your operations and PCI requirements, as either of these may necessitate changes to the policy.
Protecting your computer network from theft or damage is an essential aspect of maintaining PCI compliance. There are several things you can do to ensure network security and protect sensitive customer data.
An effective firewall and router will prevent traffic from unsafe hosts and networks. This minimizes the risk of a hack while still allowing for safe communication. Don’t forget to update firewall settings every six months, and never use the vendor’s default settings, as hackers are familiar with the defaults and will find them easier to break through.
You can also use a method called network segmentation to strengthen security. With this approach, you divide cardholder data into separate networks, each with different levels of access and permissions. This way, you reduce the scope of PCI, as cardholder data only ever enters a limited number of networks.
Data security is essential to PCI compliance. This includes both cardholder data (account number, expiration date) and sensitive authentication data (PIN, CVV). There are several techniques and tools you can employ to digitally secure this information, including encryption, tokenization, and key management.
PCI DSS requirements state that you must “encrypt transmission of cardholder data across open, public networks.” While businesses may not store CVV codes, they are permitted to store name, account name, expiry date, etc., as long as they meet encryption and key management conditions.
You should also make sure that card numbers aren’t shared via end-user messaging services like email, SMS, or instant messaging and ensure that the company storing the cardholder data doesn’t also have a key to access it.
With tokenization, another data security technique, you can replace sensitive information with a placeholder (token), minimizing the risk and virtually eliminating the chances of data theft. The sensitive data is stored in a secure cloud and, in the event of a breach, hackers can only access the worthless tokens.
Other best practices include requiring multi-factor authentication to access cardholder data and deletion of information when it is no longer needed. Additionally, it’s beneficial to have an authorization process in place to render data completely unrecoverable.
It’s simple. The fewer people have access to sensitive information, the lower the chances of that information being exposed.
By taking a role-based approach to security, you can configure permissions so that employees can only access the information they need to do their jobs. For example, you may permit a supervisor to view data for their assigned team but not for other teams in the call center.
This need-to-know approach can also be translated to your physical workplace. You might consider limiting the points where on-site staff come into contact with customer data. For example, you could restrict access to sensitive information to specific workstations or even conduct security checks upon entering and exiting the building.
To manage payment recording without compromising the customer’s data privacy, most contact centers use a ‘pause and resume’, or ‘mute’ and ‘unmute’ approach. This way, no sensitive data like account numbers or security codes is recorded in the call logs.
With this technique, agents have a way to disable recording in accordance with PCI compliance standards. This can be done manually, with the agent physically pausing the recording, but it’s better to automate the process if possible. Many CRM systems automatically mute call recording at the appropriate moment.
Dual-tone multi-frequency signaling (DTMF) is a standard call center tool. Customers enter card details via their keypad, rather than verbally, and DTMF suppression removes or masks the different tones associated with each key by replacing them all with random or flat tones. This way, nobody can decipher the details based on their understanding of the tones.
By using DTMF call center technology, either on-site or in the cloud, you can remove workstations and Voice over Internet Protocol (VoIP) from your PCI scope without impacting customer experience. Recording functions continue running, and agents stay on the line with clients without compromising privacy.
New technologies have opened up additional avenues for customer communications and, as a result, extra compliance concerns. However, there are plenty of PCI-compliant solutions available to support data security in the call center.
IVR is a popular contact center tool used to manage customer calls and handle payments in a PCI-compliant manner and, with 59 percent of customers still preferring phone calls, it can play a significant security role. By removing agents from the payment process and incorporating encryption, authorization, and permissions, IVR eliminates the possibility of human error or malpractice.
VoIP, technology that enables voice calls over the internet, also falls under the scope of PCI DSS. Internal transmissions, external transmissions with service providers and payment processors, and external transmissions to or from cardholders all occur using VoIP, so it’s important to limit risk with network segmentation.
P2PE is a way to ensure that your business never actually touches cardholder data during the payment process, significantly limiting risk. P2PE encrypts the data as soon as it's collected, then transfers the encrypted data to the payment processor, where it is unlocked with a secure key. Your company never receives the data, so there’s no chance of it getting compromised.
Secure payment gateways, such as those offered by PayPal, Apple Pay, and Google Pay, can be implemented to alleviate much of the burden of PCI responsibility. With these payment gateways handling collection, authorization, and transfer of customer data to businesses in real-time, you have an extra layer of protection. If a breach does occur, these organizations have established processes in place to minimize the impact on customers.
Scorecards are a call center quality assurance tool that can support PCI compliance. While scorecards are often used in call centers to measure and track agent performance, you can also customize them to specifically focus on adherence. In doing so, you can establish an audit trail, track compliance pass/fail rates for employees, and issue automatic alerts in the event of a breach.
In addition to broader compliance strategies and the implementation of tech solutions, there are a number of steps you can take to ensure that your agents are following security best practices in their day-to-day work.
Where possible, take time to reinforce the basics. Remind employees to lock their computer or log out when leaving a workstation, to be aware of their surroundings, and to frequently change their passwords using a mix of numbers and lower- and upper-case characters.
It’s also a good idea to ban the use of pen and paper in order to eliminate physical data storage. Whiteboards are a better substitute as long as you implement rules. For example, the whiteboard must stay in one location and be cleaned at regular intervals.
Banning or limiting access to mobile devices in the call center is advisable, as these devices are potential targets for malware, such as hackers listening in on calls. This way, you are eliminating the potential for sensitive information to be leaked onto a personal device.
To comply with PCI DSS requirements, you must keep an activity log, tracking every time your company processes a payment or interacts with cardholder data in any way. This means implementing call center audit trails for all CDE system components.
If, at any point, your call center is directly exposed to credit card data, you must be able to demonstrate evidence of the measures you took to protect this data. This includes firewalls, agent training, network segmentation, and more.
While keeping certain information on file to facilitate business is necessary, you can also use compliance audits as an opportunity to map your systems and determine which data is absolutely necessary to retain and what can be removed from your network.
95 percent of cybersecurity issues can be traced back to human error. So training your agents to adhere to PCI DSS standards is essential to maintain compliance in your contact center.
Make this security training a part of your regular call center agent training process, as well as onboarding, and familiarize everyone with their individual responsibilities. This means refresher courses, updated courses in the event of new policies, and even targeted coaching for those who displayed potentially risky behaviors.
Security awareness training isn’t just a suggestion, it’s a necessity. By investing in training right from the start, you’ll save money in the long run by minimizing the risk of non-compliance in the future.
PCI compliance is essential for any contact center that processes cardholder data. If you fail to comply, it can lead to severe consequences—legal, financial, and reputational. On top of lawsuits and fines, nobody wants to do business with an organization they can’t trust.
Thankfully, if you follow PCI DSS guidelines and adhere to security best practices, you can protect your consumers and your call center at the same time. From drafting policy to implementing technical solutions, there are multiple ways to ensure PCI compliance.
Scorebuddy integrates with your existing infrastructure to help mitigate risk with a customizable scorecard builder, comprehensive business intelligence, and an integrated learning management system to support agent training.
Get your free 14-day trial now and see how Scorebuddy can bolster your security.
Deriv is a customer-focused fintech dedicated to offering accessible trading solutions to people all over the world.
Scorebuddy BI helps their QA Process.