Achieving Contact Centre PCI Compliance From Home

Achieving Contact Centre PCI compliance from home – Geoff Forsyth, CISO at PCI Pal, explains what contact centres can do to achieve this.

For contact centre businesses now working remotely, the ability to adapt quickly while providing a consistent level of customer service, including taking card payments over the phone and adjusting PCI DSS compliance strategies accordingly, has been key.

While the concept of working from home is not new, Contact Babel’s recent Inner Circle Guide to Contact Centre Remote Working Solutions reported that, until recently, just 4% of UK-based contact centre agents were working remotely full time.

The survey of over 200 UK contact centres found that 26% of respondents had sworn off remote working altogether in 2019, making the lockdown brought on by the pandemic a rude awakening for many businesses operating contact centres.

From a PCI compliance point of view, the majority of what I call ‘Band-Aid’ PCI compliance solutions, compensating controls such as clean-room environments where agents have no phones, pens or paper at their desks, are simply not feasible when agents are working from home. The alternative ‘pause and resume’ method, which pauses the call recording while the customer reads out their card number, keeps the number out of the recording but still exposes the agent to the customer’s payment card data, creating an unnecessary risk.

Measures such as multi-factor authentication, restricting work to company-issued hardware and devices, and training staff on the risks of working remotely do go some way towards securing card data, but, much like compensating controls, they are not enough on their own: the agent can still see and hear the card number.

So, what can contact centres do to ensure that PCI Compliance is achieved and maintained when working remotely?

In today’s business environments, cloud-based solutions open up access to tools and applications that would previously have been reachable only on internal company servers. Remote agents can log in from anywhere and continue to take payments securely using existing PCI DSS compliant solutions built on DTMF masking technology.

Customers enter their card details using their telephone keypad. The DTMF tones are masked audibly (the agent hears flat tones or silence rather than the key presses) and visually (only asterisks appear on the agent’s screen), so the card number cannot be captured by the agent. The card data is transmitted from the cloud platform directly to the payment service provider for processing, so no cardholder data enters the company’s environment, which reduces the PCI DSS scope of the contact centre’s own desktops, networks and call recordings.

Importantly, homeworking staff are never exposed to cardholder data, protecting the customer, the business and the homeworker from the related risks.
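The masking flow described above, as an added worked example (my own illustration, not PCI Pal’s code and not a description of their platform): a cloud-side component sitting between the telephony carrier and the agent detects DTMF tones frame by frame with the Goertzel algorithm, replaces those frames with silence in the audio forwarded to the agent, buffers the digits itself, and on ‘#’ hands the PAN to a stand-in `psp_tokenise` function that returns only a token and the last four digits. The 8 kHz / 20 ms framing, the power threshold, the hypothetical `psp_tokenise` stub and the constructed call audio (a 300 Hz hum standing in for speech) are all assumptions of the example.

```python
import math
import secrets

SAMPLE_RATE = 8000                      # Hz, narrowband telephony (assumption)
FRAME = 160                             # samples per 20 ms frame (assumption)
LOW_FREQS = (697, 770, 852, 941)        # DTMF row tones
HIGH_FREQS = (1209, 1336, 1477, 1633)   # DTMF column tones
KEYPAD = (("1", "2", "3", "A"), ("4", "5", "6", "B"),
          ("7", "8", "9", "C"), ("*", "0", "#", "D"))
POWER_THRESHOLD = 200.0                 # Goertzel power that counts as "tone present"

def goertzel_power(frame, freq, rate=SAMPLE_RATE):
    """Squared magnitude of `frame` at `freq` via the Goertzel recurrence."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / rate)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def detect_digit(frame):
    """Return the key whose row and column tones are both present, else None."""
    low = [goertzel_power(frame, f) for f in LOW_FREQS]
    high = [goertzel_power(frame, f) for f in HIGH_FREQS]
    li = max(range(4), key=low.__getitem__)
    hi = max(range(4), key=high.__getitem__)
    if low[li] < POWER_THRESHOLD or high[hi] < POWER_THRESHOLD:
        return None
    return KEYPAD[li][hi]

def luhn_ok(pan):
    """Luhn check so an obviously mistyped PAN is rejected before the PSP is called."""
    if not (12 <= len(pan) <= 19 and pan.isdigit()):
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def psp_tokenise(pan):
    """Hypothetical stand-in for the payment service provider's tokenisation API.
    Only a token and the last four digits travel back; the PAN stays with the PSP."""
    if not luhn_ok(pan):
        return {"status": "declined", "reason": "invalid PAN"}
    return {"status": "tokenised",
            "token": "tok_" + secrets.token_hex(8),   # random, not derived from the PAN
            "last4": pan[-4:]}

def mask_stream(frames, tokenise=psp_tokenise):
    """Cloud-side DTMF masking between the carrier and the agent. Tone frames are
    silenced in the audio forwarded to the agent (audible masking) and the digits
    are buffered here, never on the agent's desktop; '#' sends the PAN to the PSP
    and the agent's screen only ever shows asterisks, the last four and the token."""
    agent_audio, pan, prev = [], [], None
    screen = {"entry": "", "result": None}
    for frame in frames:
        digit = detect_digit(frame)
        if digit is None:
            agent_audio.append(list(frame))      # speech passes through untouched
            prev = None
            continue
        agent_audio.append([0.0] * FRAME)        # the tone never reaches the headset
        if digit != prev:                        # one key press spans several frames
            if digit == "#":
                result = tokenise("".join(pan))
                screen["result"] = result
                visible = result["last4"] if result["status"] == "tokenised" else ""
                screen["entry"] = "*" * (len(pan) - len(visible)) + visible
                pan = []
            elif digit.isdigit():
                pan.append(digit)
                screen["entry"] = "*" * len(pan)
        prev = digit
    return agent_audio, screen

def tone_frame(key, amplitude=0.4):
    """Constructed test audio: one frame of the DTMF pair for `key`."""
    row = next(r for r, keys in enumerate(KEYPAD) if key in keys)
    fl, fh = LOW_FREQS[row], HIGH_FREQS[KEYPAD[row].index(key)]
    return [amplitude * (math.sin(2 * math.pi * fl * n / SAMPLE_RATE)
                         + math.sin(2 * math.pi * fh * n / SAMPLE_RATE))
            for n in range(FRAME)]

def caller_audio(keys, speech_frames=5, press_frames=3, gap_frames=2):
    """Constructed call: a 300 Hz hum standing in for speech, then each key
    held for 60 ms with 40 ms of silence between presses."""
    hum = [0.3 * math.sin(2 * math.pi * 300 * n / SAMPLE_RATE) for n in range(FRAME)]
    frames = [hum] * speech_frames
    for key in keys:
        frames += [tone_frame(key)] * press_frames + [[0.0] * FRAME] * gap_frames
    return frames
```

Running `mask_stream(caller_audio("4111111111111111#"))` (the Visa test number) leaves the agent’s screen showing `************1111` plus a token, and the audio returned for the agent contains no detectable DTMF at all, while the speech frames are passed through unchanged. A production detector would also check twist (the relative level of the two tones) and minimum tone duration per ITU-T Q.24, and the buffered PAN should live only in memory for as long as it takes to reach the PSP.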

In a survey we have just conducted in the UK, we asked whether, since the Coronavirus pandemic, people are concerned about sharing payment details with businesses operating remotely or from home; 75% expressed some form of concern.

A third (33%) also said that if their personal data were compromised as a result of poor data security practices during COVID-19, they would avoid using the services of, or purchasing from, that business for several years. This demonstrates the significant risk to reputation and future revenue if payment and data security and compliance are not handled correctly.

At a time when criminals are actively looking to exploit the shift to working from home, my advice is that if you have any concerns about your ongoing compliance, seek advice from specialists who can steer you in the right direction to PCI compliance, whether working remotely or back on site.

For more information on achieving contact centre PCI compliance from home, download PCI Pal’s white paper.

Geoff Forsyth is CISO at PCI Pal

For additional information on PCI Pal, view their Company Profile.