The Insiders’ Guide to Contact Centre PCI Compliance
With PCI guidelines and explanations being in a constant state of flux, we wanted to put together a short guide to explain everything you may need to know about what being PCI DSS Compliant really means.
PCI Compliance Explained
The Payment Card Industry Data Security Standard (PCI DSS) is in its simplest form a set of requirements designed to ensure all companies that process, store or transmit payment card information, whether they are credit, debit or prepaid cards, do so in a secure environment. The PCI DSS was set up by some of the major payment card brands and currently covers all payment cards from American Express, Discover, JCB, MasterCard, and Visa International. It’s important to mention that PCI DSS does not apply only to the physical processing of a card. Acquiring the card and cardholders details over the phone, website or mobile app, falls under the same regime.
Some PCI requirements which hold the greatest relevance include:
1. Protecting stored cardholder data
2. Encrypting transmission of cardholder data across open, public networks
3. Maintaining a policy that addresses information security
There are two main drivers for being PCI DSS compliant. The first is that if a non-PCI DSS compliant business suffers a data breach and loses card/cardholder data, it may be liable for Card Scheme fines, covering the fraud losses incurred against these cards, and it may even be barred from the card acceptance programme and get placed in the Terminated Merchant File (TMF) – in essence a blacklist where it is very nearly impossible to be removed from. The second driver is reputation and the associated costs that will incur if a business fails to a) provide its customers with a secure environment for their transactions and b) protect their details for the designated period of time against any fraudulent attack.
Which sectors are affected by PCI Compliance?
PCI DSS essentially applies to all businesses that process, store or transmit payment card information – regardless of the volume or the amount of transactions and regardless of the medium via which the transaction takes place (pos terminal, online form, telephone etc). Taking this into consideration, almost all sectors need to worry about PCI Compliance – from the Travel & Transport industry which takes payments over the phone for last minute holidays and package deals, to the Leisure industry where bookmakers are handling bets and taking payments for popular sporting events. In short, any business regardless of industry or size that handles in any way payment card details, need to implement all of the relevant controls in PCI DSS.
Solutions for Contact Centre PCI Compliance
It’s worth re-capping the different solutions available that can be used in conjunction with call recording to help you meet your PCI Compliance needs:
1. Automate Payment
A common option for PCI compliance is to pass the call to a self-service (IVR) solution at the point that the payment is taking place. The advantage automated payment offers is that by eliminating the agent from the loop there is no danger of sensitive information being recorded. The potential disadvantage here is that for organisations selling products, or even for those processing charitable donations for example the handover to the IVR system can have an impact on the sale. Handing the caller over to an automated system takes the agent out of the loop, reducing the amount of completed transactions.
2. DTMF Suppression
DTMF suppression works its wonders by capturing the DTMF tones and altering them so that the cardholder details (such as cardholder name, expiration date and service code) are not identifiable by the agent, the recording environment as well as any unauthorised person who may be listening in. The customer is able to input their card information using their own telephone keypad, with the generated DTMF tones then being altered or removed.
3. Automated Pause & Resume
With this approach, PCI compliance is achieved by ensuring the recording system stops during the payment process when sensitive customer information is being given. This can be achieved by integrating the call recorder with the agent desktop or other transactional systems being used. Automated pause & resume ensures that when the agent enters the payment details screen, a trigger is generated to the recorder in order to stop recording. Once payment has been passed beyond the payment screen, a second trigger is generated to restart recording. Although rarer in nature, another similar option is to mute / unmute the call recordings rather than pause and resume, however this solution is dependent on the recording system that is currently in place.
What to take into consideration when becoming PCI Compliant
There is usually a common misconception that in order to become PCI Compliant you are able to buy an off-the shelf-solution that will meet all your requirements. This is not the case. Firstly, it is not the recorder that is PCI DSS compliant but rather the way you deploy it. Secondly, the combination of your business nature, your processes, the transactional systems you currently use and your recorder makes every single case unique.
Although the most effective way to ensure you are PCI Compliant involves making changes to the way you record calls, there still may be some confusion as to how compliance is achieved. Many promoted approaches sometimes do not result in PCI Compliant recording. Here are a few to watch out for:
Password protecting your recorder
Although limiting access to your recording platform and providing each user with a personal login and password is good systems management practice, this still does not constitute PCI DSS Compliance.
Encryption
Initially a common belief was that if you encrypted the recordings this would comply with PCI DSS. Further clarification has proven that it is only the Primary Account Number (PAN) that can be retained in an encrypted format. Sensitive Authentication data such as the CVV / CV2 number cannot be stored, whether this be encrypted or not.
Audio Masking
With this option, an audio tone is inserted over the section of the call when the payment is being processed, similar to that of a TV bleep machine. While this may seem compliant, sensitive data is still being retained and therefore does not adhere to regulations.
In order to be PCI Compliant there are also four levels of compliance to watch out for which have been authorised by the card issuers. These levels of compliance differ according to your business needs and have been actioned according to the volume of card transactions completed over a 12 month period.
PCI Compliance Level 1
If over 6 million Visa/Mastercard transactions are processed per year.
PCI Compliance Level 2
If over 1 million to 6 million Visa/Mastercard transactions are processed per year.
PCI Compliance Level 3
If over 20,000 to 1 million Visa/Mastercard e-commerce transactions are processed per year.
PCI Compliance Level 4
If less than 20,000 Visa/Mastercard e-commerce transactions are processed per year as well as other companies that process up to 1 million Visa/Mastercard transactions per year.
Companies that meet the level 1 requirement must have yearly on site reviews by an internal auditor as well as a required network scan. This should be completed by an approved scanning vendor. Companies that meet levels 2, 3 and 4 are obliged to annually complete the PCI DSS Self-Assessment questionnaire. Alongside this, they also need to undergo quarterly network scans accompanied with an approved scanning vendor.
What are some of the implications of being non-compliant
The consequences of being non-compliant can mean serious implications for an organisation. Here we list a few:
Monthly fines for non-compliance
Payment Card providers (who also form part of the PCI Security Standards Council) at their discretion can impose hefty penalties for non-compliance. Fines can range anywhere from £3, 500 to £250,000. A rather large penalty to pay.
Withdrawal of Merchant Services
The ultimate penalty. This essentially entails the withdrawal of their Merchant ID. For any organisations that rely on taking card payment from customers this is the ultimate price for them to pay.
Loss of customer confidence
While being PCI Compliant is extremely important, the trust your customers place in you should not be overlooked. It is the organisations responsibility to protect each and every customer’s personal details. Providing your customers with the confidence that you are safeguarding their highly personal information is crucial.
How much should I budget for achieving PCI Compliance in the contact centre?
Costs for becoming PCI Compliant vary from business to business and are reliant on a range of different factors including business type, number of transactions processed, active IT infrastructure as well as existing debit/credit card processing and storage procedures.
Here are a few variables explained in more detail that will factor into the cost of being compliant:
Business Type
Depending on whether you are a franchise or a service provider as examples each will have varying amounts of sensitive customer details as well as varying risk levels which will mean different requirements for being PCI Compliant.
Organisation size
The larger the organisation the larger the amount of variables which can go wrong. Large amount of staff members means large amounts of customers which also mean large amounts of cardholder details being processed.
Organisation environment
The programs already in use, the make and model of the desktops and the kind of firewalls that are being used – these can all affect the cost of PCI Compliance.
From a recording standpoint, the costs for PCI Compliance depend on which solution is chosen. Automated PCI using desktop triggering for example can range from approximately £7,000 to £30,000 depending on the recording solution.
For the Application Programme Interface (API) the software costs can also vary (ranging anywhere from £7,000-£20,000 depending on the solution) but there will be additional costs for development of the API interface itself. However, it is worth considering that the API method may not always be appropriate as the payment application may be an external application. API is best suited to ‘home-grown’ payment applications.
*Original answers provided by Business Systems for Call Centre Helper – ‘An Introduction to PCI Compliance’ – 2016.
