
10 Keys to PCI Compliance in the Call Center


The Team at CallMiner

April 18, 2014


If the Target data breach has taught us anything, it’s that failing to protect customer privacy can result in serious fines and reputation issues. During the 2013 holiday season, Target confirmed publicly that credit and debit card information for 40 million of its customers had been compromised (as well as email and mailing addresses for an additional 70 million) and the company has since reported spending $61 million related to the breach.

To ensure the safe handling of information and protect customers against identity theft, the five major credit card companies developed the Payment Card Industry Data Security Standard (PCI DSS) in 2006. For contact centers, this means certain portions of sensitive cardholder information cannot be stored, even in the most secured fashion.

What is PCI Compliance?

PCI DSS compliance refers to a company’s adherence to a set of security regulations created in 2004 to protect consumers against the misuse of the personal information they share during a cash, credit or debit card transaction. The PCI DSS was a joint creation of four of the world’s largest credit card companies: Visa, MasterCard, Discover, and American Express.

The PCI DSS has six major objectives.

  • Secure Network: Companies that store sensitive cardholder information must secure their network with robust firewalls and strict security controls.
  • Encryption: Cardholder information stored on a company’s system must be encrypted.
  • Security Software: Companies must protect their data against threats from malicious parties using antivirus software, anti-spyware programs, and other malware protection solutions.
  • Restricted Access: Companies must restrict access to sensitive data to only those who need to access it.
  • Network Monitoring: Networks must be tested regularly to ensure they remain compliant.
  • Documented Security Policy: Companies must draw up and adhere to a formal information security policy.

PCI Compliance Best Practices

So how can call centers remain PCI compliant and instill customer confidence that data is being protected? Here are 10 key ways:

  1. Redaction: According to the PCI Security Standards Council, recorded calls are subject to the same rules as any other method of capturing and storing customer card authentication data. Some recording systems provide call center agents with a button that lets them pause the recording when credit card numbers are spoken, while others integrate with the CRM system to pause the recording automatically based on actions taken by the agent. CallMiner Redactor operates on the data itself, meaning it does not depend on a change in payment processing, agent intervention, or integration with the CRM system. Instead, it uses speech analytics technology to prevent sensitive cardholder data from being recorded; call recording is automatically muted when account numbers, security codes, and other sensitive information are spoken. Because Redactor prevents you from recording sensitive payment information, those calls are not in scope for a PCI audit. Learn more about what speech analytics is and how it can help your business.
  2. Network Security: It’s also critical to ensure an entire network system is compliant with PCI guidelines. This begins with an effective firewall and router, as well as internal processes that provide additional layers of protection. All traffic from unsafe networks and hosts should be restricted, and there should never be any direct access between any network component containing cardholder data and the Internet.
  3. Role-Based Security: In any contact center environment, agent and supervisor desktops should have role-based log-ins to limit the number of staff exposed to sensitive data and ensure individual staff members only have access to what they need to do their job. A Contact Center World white paper on security and PCI compliance in cloud-based contact centers offers an example of how this might work: “A sales representative might be able to view customer details, but they may not be able to update or delete them. A team supervisor may be able to view the performance of the team that they are assigned to, but they (supervisor) should not be able to view the performance of other teams within the same Contact Center or project.”
  4. Additional Security Considerations: In addition to role-based security, contact centers should also consider the points at which any staff comes in contact with data to ensure proper security and compliance. Carl Adkins of Infinity CSS maintains that access to sensitive customer and payment data should be restricted (e.g., limiting access to key areas of the building by adopting an RFID card system). “You should [also] make sure that all of your access passwords are strong (e.g., a mix of numbers, and lower- and upper-case characters) and are changed regularly,” says Adkins in a Call Centre Helper article on PCI compliance.
  5. PCI Compliance Information: Any organization that stores, processes, or transmits cardholder data must meet PCI compliance regulations. The PCI DSS policies for call centers, which contain all necessary policies, procedures, forms, checklists, templates, and other supporting material, are now available for instant download. Make sure you know all the rules.
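To make the redaction step above concrete, here is an added example (not CallMiner Redactor or any vendor code) that scrubs card data from a call transcript: it finds 13–19 digit runs, keeps only those that pass the Luhn check so order and loyalty numbers are not mistaken for PANs, masks everything but the last four digits, and removes the short number spoken after a “security code” prompt. The transcript lines are constructed for illustration.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# and not glued to other digits on either side.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Words that signal a card security code is about to be spoken.
CVV_HINT_RE = re.compile(r"\b(?:security code|cvv|cvc|cid)\b", re.IGNORECASE)
SHORT_NUMBER_RE = re.compile(r"\b\d{3,4}\b")

# Constructed sample transcript (not a real call); the PAN is a Luhn-valid test number.
SAMPLE_TRANSCRIPT = [
    "Agent: can I have the card number please",
    "Customer: sure it is 4111 1111 1111 1111",
    "Agent: and the security code on the back",
    "Customer: 123",
    "Customer: my loyalty number is 1234 5678 9012 3456",
    "Agent: thanks, your order number is 8827341",
]


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; filters out numbers that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def redact_pans(line: str) -> str:
    """Replace Luhn-valid PANs with a mask that keeps only the last four digits."""
    def _mask(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)  # not a card number; leave the text untouched
        return "[PAN REDACTED ****" + digits[-4:] + "]"
    return PAN_RE.sub(_mask, line)


def redact_transcript(lines: list[str]) -> list[str]:
    """Redact PANs everywhere and the first short number spoken after a CVV prompt."""
    out, cvv_pending = [], False
    for line in lines:
        line = redact_pans(line)
        if CVV_HINT_RE.search(line):
            cvv_pending = True
        if cvv_pending:
            line, n = SHORT_NUMBER_RE.subn("[CVV REDACTED]", line, count=1)
            cvv_pending = n == 0  # keep waiting if no code appeared on this line
        out.append(line)
    return out
```

Run `redact_transcript(SAMPLE_TRANSCRIPT)` to see the card number and CVV masked while the loyalty and order numbers survive; a production redactor would also handle digits spoken as words and apply the same mask to the audio.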


  6. Use Whiteboards Instead of Pen and Paper: One of the easiest ways to stay PCI compliant is to stop your agents from using pen and paper and have them use a whiteboard instead. This step limits the physical storage of customer details. Just be sure to maintain a few whiteboard rules, such as ensuring the boards cannot be removed from an agent’s desk and that they are cleaned regularly.
  7. Outlaw Mobile Phones in the Contact Center: Another straightforward and sometimes overlooked step is to ban mobile phones in the call center. By taking this step you eliminate any potential for sensitive call center information being leaked onto an agent’s personal device.
  8. Encrypt Sensitive Data: When it comes to sensitive business data storage, encryption is an accepted best practice. In the case of PCI compliance, it is essentially a requirement. While the PCI regulations don’t mention encryption explicitly, they do say any cardholder information should be stored using “strong cryptography with associated key-management processes and procedures.” It is worth remembering that PCI Requirement 3 states that no CVV code may be stored at all. However, if the business requires other cardholder information such as name, account number, and expiry date, it is allowed to store that data so long as it meets a number of conditions concerning the level of encryption and key management.

     PCI compliance requires a strong level of encryption with a minimum key strength of 256 bits. In terms of key management, a PCI compliance best practice is that the company storing the cardholder data should not have access to the key. If decryption is essential, there must be a documented set of processes in place that covers things like key distribution, storage, and named custodians.
  9. Continuously Enforce PCI DSS Compliance: An all-too-common pitfall call centers fall into is viewing PCI DSS compliance as an annual exercise. This approach can lead to problems and potential compliance failure. Instead, PCI DSS compliance should be treated as an ongoing process, and managers should make sure controls are continuously enforced.

     One of the main reasons for taking this approach is that the PCI DSS standards are updated regularly, with the most recent version, 3.2, published in April 2016. The update added a number of requirements, including multi-factor authentication for cardholder data access and new rules on displaying card numbers.
  10. Agent Training: PCI DSS compliance should be factored into agent training. Coaching should also be provided to agents on an ongoing basis, especially those who have demonstrated risky behaviors that could result in compliance failure. Managers should sit in on calls with underperforming agents and help them remain compliant at all times.

Frequently Asked Questions About PCI Compliance

Who is Affected by PCI Compliance?

Any business or organization which “accepts, transmits or stores” cardholder data.

Are there levels of PCI Compliance?

Yes, there are four levels, based on the number of card transactions a business handles each year:

  • Level One: More than 6 million card transactions annually
  • Level Two: 1 to 6 million transactions annually
  • Level Three: 20,000 to 1 million transactions annually
  • Level Four: Fewer than 20,000 card transactions annually

Are payments made by phone covered under PCI compliance?

Yes. There are some caveats, but these transactions need to comply.

Experts Weigh in On PCI Compliance

1. Remember tokenization. “Tokenization is an important part of maintaining PCI compliance for small business. Tokenization replaces credit card information with a unique token, and the original credit card data is no longer used for future transactions. Tokenization makes it impossible to hack or decipher your credit card data. This ensures that all of your sensitive credit card data is securely protected at all times.” – Brian Chester, What Does PCI Compliance Mean for Your Business?, Century Biz Solutions; Twitter: @CenturyBizSolut  

2. There are many consequences to security incidents. “Being out of compliance can lead to serious security incidents so to avoid the risk of data breaches that could highly damage your brand – it’s better to comply with PCI standards.

“There are also other reasons.

“You need to know that every breach comes with more checking and validating your business to find out if you’re PCI compliant. Keep in mind that non-compliant companies face heavy fines as a consequence. Consumer fraud resulting from data breaches comes with losses incurred by issuing banks, so a company that doesn’t protect payment card information well enough needs to pay the estimated losses.” – Sandra Wróbel-Konior, Do I need to be PCI Compliant?, SecurionPay; Twitter: @SecurionPay

3. It’s not just about your handling of cardholder data. “In order to maintain PCI compliance, you must also engage with PCI compliant credit card processors and banks. The data you protect only matters if that data remains protected across the entire transaction life cycle.

“First, you need to employ good data security practices inside your organization and have regular internal audits and quality monitoring of your PCI compliant data. Here are some specific controls you can implement that will help protect your PCI data.” – Jeff Petters, What is PCI Compliance: Requirements and Penalties, Varonis; Twitter: @varonis

Final Thoughts

In today’s digital world, large-scale security breaches are all too common. If your contact center agents take payment over the phone, adhering to PCI DSS security requirements is critical to protecting against fraud, and complying with TCPA safe harbor is important in instilling customer confidence in your business.


Following PCI best practices is paramount for better customer trust, but don’t forget that following first-call resolution best practices is also essential for building customer loyalty and trust.


Additional Resources

To learn more about PCI DSS and what your call center can do to remain compliant, check out the following resources.

  • 4 Call Center Compliance Traps – and What You Can Do About Them
  • Maintaining Compliance in Inbound Customer Service Call Centers
  • PCI DSS Offers Call Center PCI Compliance Tips
  • PCI Security Standards Overview
  • How Do You Make Your Call Center PCI Compliant?
  • PCI Call Centre: Understanding PCI DSS call recording requirements
  • 5 Ways to Achieve Call Center PCI Compliance

What are the most important considerations for maintaining PCI compliance for your call center?
