25 tips for optimizing your contact center's QA practices
Quality assurance does more than ensure regulatory compliance, it helps contact centers deliver the best outcomes for customers. Read our blog for tip...
The Team at CallMiner
April 18, 2014
If the Target data breach has taught us anything, it’s that failing to protect customer privacy can result in serious fines and reputation issues. During the 2013 holiday season, Target confirmed publicly that credit and debit card information for 40 million of its customers had been compromised (as well as email and mailing addresses for an additional 70 million) and the company has since reported spending $61 million related to the breach.
To ensure the safe handling of information and protect customers against identity theft, the five major credit card companies developed the Payment Card Industry Data Security Standard (PCI DSS) in 2006. For contact centers, this means certain portions of sensitive cardholder information cannot be stored, even in the most secured fashion.
What is PCI Compliance?
PCI DSS compliance refers to a company’s adherence to a set of security regulations created in 2004 to protect consumers against the misuse of their personal information shared during a cash, credit or debit card transaction. The PCI DSS was a joint creation by four of the world’s largest credit card companies: VIsa, MasterCard, Discover, and American Express.
The PCI DSS has six major objectives.
PCI Compliance Best Practices
So how can call centers remain PCI compliant and instill customer confidence that data is being protected? Here are 10 key ways:
Learn more about what speech analytics is and how it can help your business by downloading our white paper, 10 Ways Speech Analytics Empowers the Entire Enterprise.
Use Whiteboards Instead of Pen and Paper: One of the easiest ways to stay PCI compliant is to stop your agents from using a pen and paper and use a whiteboard instead. This step will limit the physical storage of customer details. Just be sure to maintain a number of white board rules like ensuring they cannot be removed from an agent’s desk and also ensuring that they are cleaned regularly.
Outlaw Mobile Phones in the Contact Center: Another really straightforward and sometimes overlooked step is to ban mobile phones in the call center. By taking this step you can eliminate any potential for sensitive call center information being leaked onto an agent’s personal device.
Encrypt Sensitive Data: When it comes to sensitive business data storage, encryption is an accepted best practice. In the case of PCI compliance, it is essentially a requirement. While the PCI regulations don’t mention encryption explicitly, they do say any cardholder information should be stored using “strong cryptography with associated key-management processes and procedures.” It is worth remembering PCI Requirement 3 states that no CVV code may be stored at all. However, if the business requires other cardholder information like name, account number, and expiry date, they are allowed to store it so long as they meet a number of conditions concerning the level of encryption and key management.
PCI compliance requires a strong level of encryption with a minimum key strength of 256 bits. In terms of key management, a PCI compliance best practice is that the company storing the cardholder data should not have access to the key. If decryption is essential, there must be a documented set of processes in place that covers things like key distribution, storage, and named custodians.
Continuously Enforce PCI DSS Compliance: An all-too-common pitfall, call centers fall into is viewing PCI DSS compliance as an annual exercise. This approach can lead to problems and potential compliance failure. Instead PCI DSS compliance should be looked at as an ongoing process. Managers should make sure controls are continuously enforced.
One of the main reasons for taking this approach is because PCI DSS standards are often updated – with the most recent version 3.2 published in April 2016. The update added a number of requirements including multi-factor authentication for cardholder data access and new rules on displaying card numbers.
Agent Training: PCI DSS compliance should be factored into agent training. Coaching should also be provided to agents on an ongoing basis especially those who have demonstrated risky behaviors that could possibly result in compliance failure. Managers should sit in on calls with underperforming agents and help them remain compliant at all times.
Who is Affected by PCI Compliance?
Any business or organization which “accepts, transmits or stores” cardholder data.
Are there levels of PCI Compliance?
Yes, there are four levels. These levels are based upon the number of card transactions, including:
Are payments made by phone covered under PCI compliance?
Yes. There are some caveats, but these transactions need to comply.
1. Remember tokenization. “Tokenization is an important part of maintaining PCI compliance for small business. Tokenization replaces credit card information with a unique token, and the original credit card data is no longer used for future transactions. Tokenization makes it impossible to hack or decipher your credit card data. This ensures that all of your sensitive credit card data is securely protected at all times.” – Brian Chester, What Does PCI Compliance Mean for Your Business?, Century Biz Solutions; Twitter: @CenturyBizSolut
2. There are many consequences to security incidents. “Being out of compliance can lead to serious security incidents so to avoid the risk of data breaches that could highly damage your brand – it’s better to comply with PCI standards.
“There are also other reasons.
“You need to know that every breach comes with more checking and validating your business to find out if you’re PCI compliant. Keep in mind that non-compliant companies face heavy fines as a consequence. Consumer fraud resulting from data breaches comes with losses incurred by issuing banks, so a company that doesn’t protect payment card information well enough needs to pay the estimated losses.” – Sandra Wróbel-Konior, Do I need to be PCI Compliant?, SecurionPay; Twitter: @SecurionPay
3. It’s not just about your handling of cardholder data. “In order to maintain PCI compliance, you must also engage with PCI compliant credit card processors and banks. The data you protect only matters if that data remains protected across the entire transaction life cycle.
“First, you need to employ good data security practices inside your organization and have regular internal audits and quality monitoring of your PCI compliant data. Here are some specific controls you can implement that will help protect your PCI data.” – Jeff Petters, What is PCI Compliance: Requirements and Penalties, Varonis; Twitter: @varonis
In today’s digital world, large-scale security breaches are all too common. If your contact center agents take payment over the phone, adhering to PCI DSS security requirements is critical to protecting against fraud and complying with TCPA safe harbor is important in instilling customer confidence in your business.
Download our comprehensive report on how to prevent fraud with AI!
Following PCI best practices is paramount for better customer trust, but don’t forget following first-call resolution best practices is also essential for building customer loyalty and trust.
To learn more about PCI DSS and what your call center can do to remain compliant, check out the following resources.
4 Call Center Compliance Traps – and What You Can Do About Them Maintaining Compliance in Inbound Customer Service Call Centers PCI DSS Offers Call Center PCI Compliance Tips PCI Security Standards Overview How Do You Make Your Call Center PCI Compliant? PCI Call Centre: Understanding PCI DSS call recording requirements 5 Ways to Achieve Call Center PCI Compliance
What are the most important considerations for maintaining PCI compliance for your call center?
Learn the latest TCPA regulations and compliance