The aim of the Payment Card Industry (PCI) Data Security Standard (DSS) in contact centers is to safeguard customers’ phone-based card payments by ensuring that sensitive card details are not stored, even in call recordings, and that staff have no access to them unless that access is strictly controlled and monitored.
The best way to achieve PCI DSS compliance is to stop card numbers entering the contact center at all, which de-scopes both your contact center and your call recordings from PCI DSS audit requirements. This means that the agent is not exposed to the sensitive card details while taking the payment, that these details are not captured in call recordings, and that they are not exposed on the PCs in your network.
Why does PCI DSS compliance matter?
Data security breaches can be catastrophic for your organization. Just one instance can damage your reputation beyond repair and open you up to lawsuits, insurance claims and lost customers from which it may take many years to recover – and, with the advent of GDPR data protection legislation in Europe, to much higher fines for data breaches.
Complying with PCI DSS means that your systems are secure and customers can trust you with their payments. Merchants and service providers are now required to certify to their acquiring banks that they are compliant.
The PCI Security Standards Council (PCI SSC) guidance on Network Segmentation concludes that “Effective segmentation can greatly reduce the risk of CDE (Cardholder Data Environment) systems being impacted by security weaknesses or compromises originating from out of scope systems”.
But network segmentation is in addition to, rather than instead of, PCI DSS compliance. It is important to remember that the contact center environment is very much in scope if handling card payments and requires annual assessment or audit (depending on merchant level) against all the relevant PCI DSS controls, unless you take steps to de-scope this environment by stopping the card data entering the contact center in the first place.
PCI DSS requirements
- It is a violation to store sensitive card data after authentication without proper protection, including in call recordings – and in particular it is prohibited to store/record the CVV/CV2 number at all.
- Where it is necessary to record calls (for quality control or regulatory purposes), appropriate technology must be introduced to prevent the recording of these elements.
- Primary Account Numbers (PAN, or the long card number) must not be held in a manner accessible to others and should be partially masked if/when displayed (e.g. last 4 digits only).
- Encryption should be used when storing or transmitting sensitive data, which includes avoiding unencrypted VoIP telephone systems.
- Agents and homeworkers who have access to card details should be tightly supervised to ensure that they are not able to store or transmit sensitive client data (known as ‘clean rooming’).
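As an added example (not code from the page or from any vendor it describes), a small DLP-style filter of the kind a contact center might run over agent notes or call transcripts before they are stored: it masks Luhn-valid PANs down to the last four digits, removes any labelled CVV/CV2 value outright, and leaves other long digit runs (order references, tracking numbers) untouched. The regular expressions, the CVV labels and the sample notes are assumptions constructed for the example.

```python
from __future__ import annotations
import re

# Constructed patterns (assumptions, not from the page): a PAN is 13-19 digits,
# optionally separated by single spaces or dashes; a CVV is 3-4 digits after a label.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
_CVV_RE = re.compile(r"(?i)\b(cvv2?|cv2|cvc2?|security code)\b\s*:?\s*\d{3,4}\b")

def luhn_valid(digits: str) -> bool:
    """Luhn check (ISO/IEC 7812) so that order or tracking numbers of the same
    length are not mistaken for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    """Keep only the last four digits, the display form the requirements allow."""
    return "*" * (len(digits) - 4) + digits[-4:]

def redact(text: str) -> tuple[str, int, int]:
    """Mask every Luhn-valid PAN and drop every labelled CVV in `text`.
    Returns (redacted text, PANs masked, CVVs removed)."""
    pans = 0
    def _mask(m: re.Match) -> str:
        nonlocal pans
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            pans += 1
            return mask_pan(digits)
        return m.group(0)       # not a card number: leave it alone
    text, _ = _PAN_RE.subn(_mask, text)
    text, cvvs = _CVV_RE.subn(lambda m: m.group(1) + " [removed]", text)
    return text, pans, cvvs

# Constructed sample agent notes; the card numbers are the well-known test
# values 4111 1111 1111 1111 and 5555 5555 5555 4444, not real accounts.
SAMPLE_NOTES = [
    "Customer paid with card 4111 1111 1111 1111, CVV 123, exp 12/26.",
    "Order reference 1234567890123456 raised for a partial refund.",
    "Second card 5555-5555-5555-4444 used after the first declined.",
]

if __name__ == "__main__":
    for line in SAMPLE_NOTES:
        print(redact(line))
```

Running the filter on the sample notes masks both test cards and the CVV while leaving the 16-digit order reference (which fails the Luhn check) unchanged.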
What a payment security expert says:
Kevin Dowd, PCI DSS QSA & Group Chairman, CNS
What consumers say
- 77% view call center agents as a source of potential fraud
- 56% are reluctant to purchase a product or service when faced with making a payment over the phone
- 72% feel organizations should be doing more to prevent credit and debit card fraud
- Only 1% feel that paying by card over the phone is the most secure form of card payment
- 49% feel technology should be used to hide credit card details from call center agents
What contact center IT & Ops managers say
- 47% agree that their organization loses sales because their phone payment systems are not secure
- 62% agree that they too were reluctant to make payments over the phone in their personal life
- 46% say they will trial a PCI-secure payments system in the next year
- 74% will consider hosted (or ‘cloud’) secure payment systems