How does PCI DSS affect Call Centres?
In today’s hyper-connected world, consumers are becoming more and more discerning and demanding in the way they interact with businesses. Merchants are chasing the holy grail of omni-channel; providing a seamless customer experience has become paramount. With the highly publicised breaches in the past year, individuals are even more aware of the need to protect their personal information.
With the majority of call centres handling personal customer data including payment card information, merchants must now take necessary steps to prevent this data from getting into the wrong hands.
PCI compliance is not just about securing your systems and encrypting your data. In many ways, those are the easy parts. Where your systems and data come into contact with humans is the real weak point. In a complex operational environment, where hundreds of people might be coming and going every day, watertight security procedures are absolutely essential.
Card payment fraud in the news
- The BBC reported that Sony Computer Entertainment Europe Limited received a monetary penalty of £250,000 from the Information Commissioner’s Office (ICO) after compromising the personal information of millions of customers, including their names, addresses, email addresses, dates of birth and account passwords. Customers’ payment card details were also at risk (2013).
- The New York Times reported breaches at Target, confirming that payment data was stolen from customers who shopped in its stores in the United States (2013).
- The Sunday Times exposed the trade in stolen personal data from Indian contact centres, data entry services, IT support helpdesks and hosting services.
Cross-industry security, regulations and directives
The card schemes recognise the need for a cross-industry, joined-up card payment security system. They also realise that PCI does not exist in a vacuum; there are other measures, regulations and directives with corresponding impacts, including the Information Commissioner’s Office (ICO), Financial Ombudsman Service (FOS), International Standards Organisation (ISO), Financial Conduct Authority (FCA), Dodd-Frank reforms, Sarbanes-Oxley, the UK Data Protection Act and EU Data Protection Regulations.

The take-up of PCI DSS compliance is only as fast or slow as the largest and smallest merchants and agents adopting it. Merchants include any organisations taking card payments using in-house call centres, homeworkers, outsourced call centres or outsourced IT providers. More and more merchants have been asking what needs to be done to become PCI DSS compliant.
PCI DSS recommendations
- It is a violation to store sensitive card data after authentication without proper protection including in call recordings, and in particular it is prohibited to store/record the CVV/CV2 number under any circumstances.
- Where it is necessary to record calls (for quality control or regulatory purposes), appropriate technology must be introduced to prevent the recording of sensitive elements.
- Personal Account Numbers (PANs, or the long card number) must not be held in a manner accessible to others and should be partially masked if/when displayed (e.g. last 4 digits only).
- Encryption/Tokenisation should be used when storing or transmitting sensitive data. Unencrypted VoIP telephone systems must be avoided.
- Homeworkers should be tightly supervised to ensure that they are not receiving or storing sensitive client data in a manner which breaches the requirements - including writing client card details and authentication numbers down, or storing them on unencrypted or removable media such as USB sticks.
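The PAN-masking and no-CVV rules above are the ones most often broken by call transcripts and agent notes. The following is an added example (not code from this page or from Silver Lining) showing how a defender can sweep such text: candidate card numbers are confirmed with a Luhn check, masked to the last 4 digits, and any security code written next to a CVV/CV2 label is removed outright. The regexes and the sample transcript lines are assumptions constructed for the example.

```python
import re

# 13-19 digits, optionally separated by spaces or hyphens, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# A 3-4 digit value written shortly after a CVV/CV2/CVC/"security code" label.
CVV_RE = re.compile(r"(?i)\b(?:cvv|cv2|cvc|security code)\b[^\d]{0,10}(\d{3,4})\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: distinguishes real card numbers from order references etc."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(match: "re.Match[str]") -> str:
    """Keep only the last 4 digits of a Luhn-valid number; leave other digit runs alone."""
    raw = match.group(0)
    digits = re.sub(r"\D", "", raw)
    if not luhn_ok(digits):
        return raw
    return "*" * (len(digits) - 4) + digits[-4:]


def redact_transcript(line: str) -> str:
    """Remove security codes first (they must never be retained), then mask PANs."""
    line = CVV_RE.sub(lambda m: m.group(0)[: -len(m.group(1))] + "[REDACTED]", line)
    return PAN_RE.sub(mask_pan, line)


def redact_lines(lines: list[str]) -> list[str]:
    return [redact_transcript(line) for line in lines]


# Constructed sample transcript; 4111 1111 1111 1111 is a well-known Luhn-valid test number.
SAMPLE = [
    "Agent: card number please. Customer: 4111 1111 1111 1111",
    "Customer: the CVV is 123",
    "Agent: your order reference is 1234567890123",
]

if __name__ == "__main__":
    for out in redact_lines(SAMPLE):
        print(out)
```

The order reference is left untouched because it fails the Luhn check, which keeps false positives out of the redaction log.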
Is your contact centre struggling with the burden of PCI compliance?
Confusion over the requirements and future direction of the Payment Card Industry Data Security Standard (PCI DSS) has caused some U.K. organisations to shelve their efforts while they seek clarification.
Since all call centres record their transactions, the recordings present a potential security vulnerability if they include the customer reading out full credit card details over the phone, including the security code.
There are a variety of methods that companies could use to avoid problems. The most basic would be a ‘Pause and Resume’ solution that stops the recording while the customer reads out his or her three-digit security code, but this can be unreliable as most recording systems are out of the control of the individual agents.
A much more feasible approach would be to get the customer to key in their details on the telephone keypad, with the tones disguised on the recording. In this case, the agent just hears a flat tone, and the customer avoids reading out their card details in what might be a public place. This way, the merchant can remove this part of their business from the scope of PCI DSS.
For more information on how to ensure PCI Compliance in your contact centre contact Silver Lining today 0845 313 1111 / firstname.lastname@example.org