PCI Compliance made simple using the power of the Cloud by Curtis Nash, CEO of Cognia
As of July 1, 2015, the Payment Card Industry Data Security Standard (PCI DSS) 3.0 has been officially retired and replaced with the new standard, PCI DSS 3.1. This latest version brings with it a number of checks to comply with.
Failure to comply can lead to additional processing fees and, in the case of a breach, huge fines – not to mention the loss of reputation and damage to business that comes from exposing your customers’ payment details to hackers.
De-scope your way to compliance
One option that manages both costs and risks is to vastly reduce the size of the Cardholder Data Environment (CDE). This is done by ‘de-scoping’, which simply means ensuring that as few of the company’s systems and people as possible come into contact with payment data.
How the Cloud enables de-scoping
When a company outsources some part of the payment process to a Cloud Services Provider (CSP) – whether that’s data capture, processing of payments, or storage of cardholder data – the PCI compliance responsibility for that part of the process passes from the client to the supplier.
For example, if a company that takes payments online diverts its customers to a third-party online processor, or an off-site service such as PayPal, it removes its own website and the infrastructure on which it runs from the scope of PCI compliance.
Similarly, taking phone payments using a cloud-based DTMF suppression payment processing solution (more on exactly what that is shortly), such as the one provided by Cognia, can de-scope over 92% of the contact centre, dramatically lowering the cost of PCI compliance while improving security.
IaaS, PaaS and tokenisation
Outsourcing the infrastructure on which the CDE operates to a Cloud Services Provider can reduce the amount of work needed to comply with at least 10 of the 12 main PCI requirements. The CSP can provide or manage a lot of the facilities needed to help meet many of the requirements, including maintenance of firewalls around cardholder data, encryption of data in transmission, use of anti-virus software, and restriction of physical access to data.
To de-scope almost completely, it is possible to ensure that cardholder data does not enter even the company’s Cloud systems. A third-party payment processor can use tokenisation, where credit card data is encrypted when it leaves the customer’s device and all that is recorded in the company’s own systems – whether these are in the Cloud or in-house – is a meaningless string of numbers (a token); the real data goes to the processor’s systems.
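The tokenisation model described above, as an added illustration that is not Cognia's or any processor's code: a hypothetical `TokenVault` stands in for the processor, the merchant's order records hold only the token and the last four digits, and `find_pan_leaks` is the scope check a merchant can run over its own records to confirm that no Luhn-valid card number has crept into systems that are supposed to be out of scope. The card number used in the comments is a constructed test value.

```python
import re
import secrets

def luhn_ok(digits: str) -> bool:
    """Luhn check: real PANs pass it; the vault only issues tokens that fail it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class TokenVault:
    """Hypothetical processor-side vault: the only place the real PAN exists."""
    def __init__(self):
        self._pan_to_token = {}
        self._token_to_pan = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid PAN")
        if pan in self._pan_to_token:       # same card, same token (lets the merchant match repeat customers)
            return self._pan_to_token[pan]
        while True:
            # random prefix, real last four kept so receipts and support still work
            token = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4)) + pan[-4:]
            if not luhn_ok(token) and token not in self._token_to_pan:
                break                       # a token can never be mistaken for a live card number
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._token_to_pan[token]

def checkout(vault: TokenVault, order: str, pan: str) -> dict:
    """Merchant-side record: the PAN is handed to the vault and never stored here."""
    return {"order": order, "card_token": vault.tokenize(pan), "last4": pan[-4:]}

PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

def find_pan_leaks(records: list) -> list:
    """Scope check: any Luhn-valid 13-19 digit run in merchant data means card data leaked in."""
    leaks = []
    for rec in records:
        for field, value in rec.items():
            if any(luhn_ok(m) for m in PAN_RE.findall(str(value))):
                leaks.append((rec.get("order"), field))
    return leaks
```

Running `find_pan_leaks` over exported order data, CRM notes or call logs is a cheap way to verify that de-scoping holds in practice, not just on the architecture diagram.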
De-scoping the contact centre
Having customers speak their card details to an agent, who then types them into an application on their desktop, is not PCI compliant. Doing it is asking for a world of trouble, and yet over 66% of all contact centres still take payments this way.
IVR payment processing systems – where the agent diverts the customer to an automated service – do half the job but still leave parts of the contact centre infrastructure exposed to customer card data.
A DTMF suppression payment processing solution, outsourced to a Level One Service Provider like Vodafone partner Cognia, can simplify PCI compliance from hundreds of checks and audits to a simple questionnaire of thirteen ‘yes’ or ‘no’ questions.
This solution works by ensuring that payment details never enter the contact centre ecosystem. As with IVR processing, the caller is redirected to give their payment details; however, the conversation with the agent can continue while they do so.
The defining feature is that payment information is entered by the customer using their telephone keypad, and the resulting tones are suppressed before they reach the call recording system (and the agent), to prevent the storage of card authentication information. Furthermore, the payment details are sent to the outsourced provider’s systems, where they are communicated to the merchant, so no details are stored on internal systems.
Manage costs and risks
Whether you take payments online, or in your contact centre, or both, PCI compliance is necessary to protect both your company and your customers. Making use of the Cloud can enable you to mitigate your risks and manage your costs at the same time.
Curtis Nash is CEO of Cognia
For additional information visit the Cognia Website