10 Keys to PCI Compliance in the Contact Centre – Scott Kendrick of CallMiner offers essential tips on how your contact centre and agents can become fully PCI compliant
If the Target data breach has taught us anything, it’s that failing to protect customer privacy can result in serious fines and reputation issues. During the 2013 holiday season, Target confirmed publicly that credit and debit card information for 40 million of its customers had been compromised (as well as email and mailing addresses for an additional 70 million) and the company has since reported spending $61 million related to the breach.
To ensure the safe handling of information and protect customers against identity theft, the five major credit card companies developed the Payment Card Industry Data Security Standard (PCI DSS) in 2006. For contact centres, this means certain portions of sensitive cardholder information cannot be stored, even in the most secured fashion.
So how can call centres remain PCI compliant and instill customer confidence that data is being protected?
Here are 10 key ways:
According to the PCI Security Standards Council, recorded calls are subject to the same rules as any other method of capturing and storing customer card authentication data.
Some recording systems provide call centre agents with a button, allowing them to pause the recording when credit card numbers are spoken, while others integrate with the CRM system to automatically pause the recording based on actions taken by the agent.
CallMiner Redactor operates on the call data itself, meaning it does not depend on a change in payment processing, agent intervention, or integration with the CRM system. Instead, it uses speech analytics technology to prevent sensitive cardholder data from being recorded: call recording is automatically muted when account numbers, security codes, and other sensitive information are spoken. Because Redactor prevents you from recording sensitive payment information, the calls are not in scope for a PCI audit. Learn more about what speech analytics is and how it can help your business.
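To make the detection step concrete, here is an added example (not CallMiner's code) that finds and masks spoken card numbers and security codes in a speech-to-text transcript. It assumes the transcript already renders digits as numerals, uses a Luhn check so that order references and other long numbers are left alone, and uses a constructed transcript with the well-known Visa test PAN rather than any real customer data.

```python
import re

# Constructed sample transcript (not real customer data). "4111 1111 1111 1111" is the
# widely used Visa test PAN; the order reference is a made-up 16-digit number.
SAMPLE_TRANSCRIPT = (
    "Customer: the card is 4111 1111 1111 1111, expiry 09 27, security code 123. "
    "Agent: got it, your order reference is 8847 1122 3344 5566."
)

# 13-19 digits, optionally separated by spaces or dashes (the PAN lengths in use)
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# a 3-4 digit group within a few words of a security-code phrase
CVV_RE = re.compile(r"(security code|cvv|cvc|three digits?)\W+(?:\w+\W+){0,3}?(\d{3,4})\b", re.I)


def luhn_ok(digits: str) -> bool:
    """Mod-10 check: a real PAN passes, most other long numbers do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def redact(text: str) -> tuple:
    """Return the transcript with PANs and security codes masked, plus the redaction count."""
    count = 0

    def mask_pan(m):
        nonlocal count
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)  # fails Luhn: order number, phone number, etc.; leave it
        count += 1
        return "[PAN REDACTED]"

    def mask_cvv(m):
        nonlocal count
        count += 1
        # keep the trigger phrase, mask only the digit group
        return m.group(0)[: m.start(2) - m.start(0)] + "[CVV REDACTED]"

    text = PAN_RE.sub(mask_pan, text)   # PANs first, so a PAN is never mistaken for a CVV
    text = CVV_RE.sub(mask_cvv, text)
    return text, count
```

In a recording pipeline the same match positions would be used to mute the audio segment rather than rewrite the text.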
Network Security: It’s also critical to ensure an entire network system is compliant with PCI guidelines. This begins with an effective firewall and router, as well as internal processes that provide additional layers of protection. All traffic from unsafe networks and hosts should be restricted, and there should never be any direct access between any network component containing cardholder data and the Internet.
Role-Based Security: In any contact centre environment, agent and supervisor desktops should have role-based log-ins to limit the number of staff exposed to sensitive data and ensure individual staff members only have access to what they need to do their job.
A sales representative might be able to view customer details but not update or delete them. A team supervisor may be able to view the performance of the team they are assigned to, but should not be able to view the performance of other teams within the same contact centre or project.
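The sales-representative and supervisor rules above, written out as a deny-by-default authorisation check with an audit trail. This is an added illustration, not code from any contact centre platform; the role names, actions and team labels are assumed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Deny-by-default permission matrix: role -> allowed (action, resource kind) pairs.
# Anything not listed is refused, so access to a new screen has to be granted deliberately.
ROLE_PERMISSIONS = {
    "sales_rep":  {("view", "customer")},
    "supervisor": {("view", "customer"), ("view", "team_performance")},
    "admin":      {("view", "customer"), ("update", "customer"), ("delete", "customer"),
                   ("view", "team_performance")},
}


@dataclass(frozen=True)
class User:
    name: str
    role: str
    team: str


@dataclass(frozen=True)
class Resource:
    kind: str
    team: Optional[str] = None  # which team the record belongs to, where that matters


def authorize(user: User, action: str, resource: Resource, audit: list) -> bool:
    """Role check, then scope check; every decision is appended to the audit list."""
    allowed = (action, resource.kind) in ROLE_PERMISSIONS.get(user.role, set())
    # Team performance data is scoped: a supervisor sees only the team they are assigned to.
    if allowed and resource.kind == "team_performance" and resource.team != user.team:
        allowed = False
    audit.append((user.name, action, resource.kind, resource.team, "ALLOW" if allowed else "DENY"))
    return allowed


def denied_attempts(audit: list) -> list:
    """Denied decisions are the entries worth reviewing; repeated denials from one login are a coaching signal."""
    return [entry for entry in audit if entry[-1] == "DENY"]
```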
Additional Security Considerations: In addition to role-based security, contact centres should also consider every point at which staff come into contact with cardholder data, to ensure proper security and compliance at each one.
PCI Compliance Information: Any organisation that stores, processes, or transmits cardholder data must meet PCI compliance requirements. The PCI DSS policies for call centres, which contain all necessary policies, procedures, forms, checklists, templates, and other supporting material, are now available for instant download. Make sure you know all the rules.
Use Whiteboards Instead of Pen and Paper: One of the easiest ways to stay PCI compliant is to stop your agents from using pen and paper and have them use a whiteboard instead. This step limits the physical storage of customer details. Just be sure to maintain a few whiteboard rules, such as ensuring they cannot be removed from an agent's desk and that they are cleaned regularly.
Outlaw Mobile Phones in the Contact Centre: Another really straightforward and sometimes overlooked step is to ban mobile phones in the call center. By taking this step you can eliminate any potential for sensitive call center information being leaked onto an agent’s personal device.
Encrypt Sensitive Data: When it comes to sensitive business data storage, encryption is an accepted best practice. In the case of PCI compliance, it is essentially a requirement. While the PCI regulations don’t mention encryption explicitly, they do say any cardholder information should be stored using “strong cryptography with associated key-management processes and procedures.” It is worth remembering PCI Requirement 3 states that no CVV code may be stored at all. However, if the business requires other cardholder information like name, account number, and expiry date, they are allowed to store it so long as they meet a number of conditions concerning the level of encryption and key management.
PCI compliance requires a strong level of encryption with a minimum key strength of 256 bits. In terms of key management, a PCI compliance best practice is that the company storing the cardholder data should not have access to the key. If decryption is essential, there must be a documented set of processes in place that covers things like key distribution, storage, and named custodians.
Continuously Enforce PCI DSS Compliance: An all-too-common pitfall that call centres fall into is viewing PCI DSS compliance as an annual exercise. This approach can lead to problems and potential compliance failure. Instead, PCI DSS compliance should be treated as an ongoing process, and managers should make sure controls are continuously enforced.
Agent Training: PCI DSS compliance should be factored into agent training. Coaching should also be provided to agents on an ongoing basis, especially those who have demonstrated risky behaviours that could result in compliance failure. Managers should sit in on calls with underperforming agents and help them remain compliant at all times.
In today's digital world, large-scale security breaches are all too common. If your contact centre agents take payment over the phone, adhering to PCI DSS security requirements is critical to protecting against fraud, and complying with TCPA safe harbor provisions is important for instilling customer confidence in your business. Following PCI best practices is paramount for better customer trust, but don't forget that following first-call resolution best practices is also essential for building customer loyalty and trust.
Scott Kendrick is Vice President of Marketing at CallMiner