PCI DSS (the Payment Card Industry Data Security Standard) is a set of standards designed to ensure that any company which processes, stores or transmits credit card information does so securely. If you ever handle any credit or debit card payments over the phone in your contact center then PCI DSS applies to you, regardless of how small the volume of such payments may be. Additionally, if you record your customers’ calls then those call recordings have to be PCI compliant too.
At its heart PCI DSS is about protecting your customers from credit/debit card fraud. Not only that, it makes good business sense too. Our recent research showed that consumers are very concerned about payment card security in contact centers and a sizeable number prefer not to do business with companies that require them to hand over their card details over the phone. Recent well-publicised cases of contact center-based fraud, such as those at Target and Home Depot show the level of reputational damage and costs that can occur when such breaches happen. Situations like this have a direct and immediate impact on the bottom line – and customer trust, once broken, can be very hard to re-establish. So what are your options, in terms of ensuring PCI compliance?
There are three main options available on the market:
- Automatic ‘pause and resume’ systems. Such systems automatically pause the call recording at the point at which the agent moves through to the payment screen on their system, then resume the recording once payment has been taken. However, this approach still leaves you vulnerable to contact center fraud. Although the caller’s card details are not included in the call recording, the agent handling the transaction (and their network, PC etc.) is still exposed to them. As part of the call isn’t recorded, you have no idea what might have happened during that time. And for financial organizations regulated by the FCS, or those wanting full-length recordings for quality control purposes, truncated recordings may not be appropriate anyway.
- Automatic ‘mute and unmute’ systems. These operate along similar lines to the ‘pause and resume’ systems but go one step further and actually mute the agent and caller audio within the recorder while the card payment is being taken. Unlike in the ‘pause and resume’ systems, the recording isn’t stopped at any point but anyone listening back later would hear only silence during the period where the caller was giving their card details. Again, the risk here is that the agent is still exposed to the card details.
- ‘Keypad payment by phone’ technology. At Syntec we’re advocates of switching to keypad payment by phone technology. Using this approach the agent asks the customer to enter their sensitive card details (PAN & CV2) using their telephone keypad rather than saying them out loud to the agent. The system masks the DTMF touchtones (and thus the card details) from the agent and also from the call recording. The agent is thus not exposed to the card details, they are not included in call recordings, and therefore your contact center is effectively de-scoped as far as PCI compliance is concerned (including the whole environment, e.g. PCs, network etc., as the data does not enter the call center environment at all). Another benefit of this approach is that at no point is the agent cut off from the caller. The agent remains in conversation with the caller throughout, even whilst they are entering their card details. The card information is then passed electronically to your payment services provider for authorization without ever entering your contact center or being included in the call recording.
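To make the difference between the three approaches concrete, here is an added simulation of the keypad (DTMF) masking relay described above. It is illustrative example code written for this page, not Syntec’s CardEasy implementation or any vendor’s API, and it assumes a simplified event model: the telephony platform delivers a stream of speech and DTMF events, the relay forwards speech unchanged to the agent and the recorder, replaces each caller DTMF digit with a placeholder on both of those legs (so the recording stays continuous rather than paused or silenced), and assembles the PAN and CV2 only on a separate capture leg that goes to the payment provider. The sample call, the test PAN and the Luhn check are all constructed for the example.

```python
"""Simulated keypad-payment masking relay (example code, not a vendor implementation)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Event:
    t: int        # seconds into the call
    kind: str     # "speech", "dtmf" or "masked" (placeholder left where a digit was)
    source: str   # "caller" or "agent"
    payload: str  # spoken words, or a single keypad symbol ('0'-'9', '*', '#')


@dataclass
class RelayResult:
    agent_leg: List[Event]            # what the agent hears
    recorder_leg: List[Event]         # what the call recorder stores
    psp_request: Optional[Dict]       # sent to the payment provider, or None on failure
    agent_screen: Dict                # what the agent's CRM is allowed to display


def constructed_call(pan: str = "4111111111111111", cv2: str = "123") -> List[Event]:
    """Constructed sample call: caller keys PAN then CV2, each ended with '#'.
    4111 1111 1111 1111 is a widely used non-live test number."""
    events = [Event(0, "speech", "agent", "Please key your card number, then press hash.")]
    t = 2
    for d in pan + "#":
        events.append(Event(t, "dtmf", "caller", d))
        t += 1
    events.append(Event(t, "speech", "agent", "Thanks, now the security code, then hash."))
    t += 2
    for d in cv2 + "#":
        events.append(Event(t, "dtmf", "caller", d))
        t += 1
    events.append(Event(t, "speech", "caller", "Done."))
    return events


def luhn_ok(pan: str) -> bool:
    """Standard Luhn mod-10 check; catches mis-keyed digits before anything is sent."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def relay(events: List[Event]) -> RelayResult:
    """Split the caller's media so card digits reach only the capture leg."""
    agent_leg: List[Event] = []
    recorder_leg: List[Event] = []
    captured = {"pan": "", "cv2": ""}
    stage = "pan"
    for e in events:
        if e.kind == "dtmf" and e.source == "caller":
            # The digit never reaches the agent or the recording; a placeholder
            # keeps the timeline continuous, unlike pause/resume or mute.
            agent_leg.append(Event(e.t, "masked", "caller", "*"))
            recorder_leg.append(Event(e.t, "masked", "caller", "*"))
            if e.payload == "#":
                stage = "cv2" if stage == "pan" else "done"
            elif stage != "done" and e.payload.isdigit():
                captured[stage] += e.payload
            continue
        # Speech in either direction flows normally; the conversation is never cut.
        agent_leg.append(e)
        recorder_leg.append(e)

    pan, cv2 = captured["pan"], captured["cv2"]
    if not luhn_ok(pan) or not 3 <= len(cv2) <= 4:
        # Invalid entry: nothing goes to the PSP, and the agent sees only a retry prompt.
        return RelayResult(agent_leg, recorder_leg, None, {"status": "retry"})
    return RelayResult(
        agent_leg,
        recorder_leg,
        {"pan": pan, "cv2": cv2},                             # capture leg only
        {"status": "captured", "pan_masked": "*" * (len(pan) - 4) + pan[-4:]},
    )


def leg_exposes_digits(leg: List[Event]) -> bool:
    """True if any keypad digit survives on this leg (agent or recording)."""
    return any(e.kind == "dtmf" for e in leg)
```

Running `relay(constructed_call())` gives an agent leg and a recorder leg with the same number of events as the original call (no gap, no silence), neither of which contains a DTMF digit, while the payment request carries the full PAN and the agent’s screen shows only the last four digits. Feeding a mis-keyed number through `constructed_call("4111111111111112")` fails the Luhn check, so no request is built and the agent is simply told to ask the caller to try again.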
PCI DSS compliance is important for the reasons that I’ve already discussed, but there’s more to contact center security than just selecting one of the systems above and implementing it. Security considerations are a vital part of contact center operations and a secure approach to business should be at the heart of everything you do. In any system it’s the people who tend to be the weakest link so you need to think carefully about how to implement proper security protocols in all the points at which your staff could come into contact with sensitive customer data.
- Physically limit access to customer and payment data, for example by restricting access to certain areas of your buildings only to those who need to be there.
- Enforce a system of strong access passwords which should be regularly changed.
- Ensure that contact center operatives are only able to access the information they need in order to do their jobs and no more. Use a contact center management system that allows for role-based logins so that agents and supervisors have access to different levels of information.
- Think about the different ways in which sensitive data could get out and how such leaks could be prevented. For example, you might consider going paperless in your contact center – swapping pens and paper for non-removable whiteboards makes it much harder for an agent to write sensitive information down – or you could ban mobile phones in your contact center, thus limiting the chances that they could be used to leak sensitive data. However, in terms of PCI DSS security such ‘clean-rooming’, as it’s called, is not necessary if you use ‘keypad payment by phone’ technology such as the Syntec CardEasy system, as agents can no longer see or hear the credit card numbers anyway.