Some Pitfalls of PCI DSS & GDPR to avoid for Contact Centres

If you’re holding payment card data within your organisation’s contact centre environment (for instance in call recordings, or in your network as transactions are made) you’re always at risk from a data breach, even if you’re PCI and GDPR compliant.
Many organisations have shifted calls and transactions to remote workers and outsourcers due to the COVID-19 pandemic, so it’s even more important to remember that PCI and GDPR aren’t magic bullets. They cannot guarantee that your organisation will not be the victim of a data breach, or that personal information such as payment card data will not be compromised, especially if you’ve shifted some or all contact centre operations to a less supervised environment.

Fraudsters are becoming much more sophisticated in the ways they access sensitive payment card information and such attacks are on the rise, as we have written about before on this blog. Many well-known organisations have fallen victim and have had customers’ card details accessed by criminals. Most experts agree that these days it’s not a question of if you will get breached, but rather when.

Some of the most common ways in which card data can be accessed are:

– Insider fraud – a contact centre agent is able to access customers’ card details, either by hearing or seeing them, and then goes on to misuse them in some way themselves, or to sell such details on to other criminals.

– Errors – staff members accidentally share card data, or there are bugs in systems that enable such details to be accessed from outside of the organisation.

– Hacks – malicious hackers are able to breach an organisation’s security systems and access data which includes card data, such as in call recordings.

There’s even a warning we’ve read about recently entitled ‘The secret fight for your personal information’ about the US courts being used to try to gain access to personal information (which for the purposes of GDPR includes payment card data).

If you’re storing card data within your organisation then you could therefore be vulnerable to data being accessed in one of these ways, even if you’re PCI and GDPR compliant. The only way to guarantee card data can’t be accessed is by stopping it entering this environment in the first place. We always recommend this strategy, as do most payment security experts, as there are a number of reasons why we believe it’s the only sensible approach.

1. Securing payment card data yourselves is a never-ending task

Managing payment card data security compliance yourself is a huge task and also represents a moving target. As fast as you find technological ways to close loopholes and protect yourself from data being accessed in one area – for instance by eliminating card data in call recordings – fraudsters and hackers will find new vulnerabilities to exploit in other areas. If you let card data enter your network or your agents have access to customers’ card numbers, then you’re going to be involved in a constant battle to keep it secure. There will never come a time when you can relax or feel safe from the risk of this data being compromised.

2. Securing payment card data yourselves is complicated

If you’re securing data yourselves then your whole contact centre environment is going to be embedded into your compliance processes. When the regulations or requirements change it can be hugely expensive to implement the changes, as so many things may need to be unpicked in your contact centre and rebuilt to the new specifications. PCI and GDPR compliance can end up sucking up a massive amount of IT and project management resource that could be made available for other more valuable projects, if you didn’t need to worry about keeping card data secure.

3. Securing payment card data yourselves limits your flexibility

Many contact centres want or need to be able to make use of home workers or outsourcers. It’s a common way to manage costs, access the right skills and manage variable call volumes, as well as a necessary move to handle the COVID-19 pandemic for many organisations. However, if you’re holding card data within your organisation’s systems, then this can lead to significant security and training challenges when it comes to managing remote workers and outsourcers. Eliminating the card data from your call or contact centre environment makes it much easier to take on remote workers when you need them, without having to worry about the implications for card data security.

4. Securing payment card data yourselves is expensive

It’s extremely expensive to keep data secure yourself, as is the cost of demonstrating that your data is secure in order to achieve PCI compliance. You’ll have to invest substantial sums of money in software and other technological solutions and, as already discussed, the continually changing nature of the threat means that you’ll need to keep updating these solutions and investing both time and money to ensure that your systems and processes are up to date and that your staff are trained. There’s also the cost of insuring against cybercrime, which is getting ever higher.

5. Being breached can be an expensive disaster for an organisation

The cost of securing your data may be high, but the potential cost of a breach is higher still.

The direct costs associated with the breach include the costs of:

– Investigating how it happened

– Closing whatever security hole caused it

– Compensating the victims and paying fines

– Increased insurance premiums.

However, you’re also hit with indirect costs such as damage to your brand and lost customer trust, which can be incalculable.

So, what’s the solution?

At Syntec, we firmly believe that the best way to deal with sensitive payment card data in your organisation is not to have to deal with it at all.

This view is supported by many payment security experts and also the global PCI Security Standards Council, whose 2018 guidelines on protecting telephone-based payment card data state:

“For organizations committed to taking payments over the telephone, consideration should be given to techniques that minimize exposure of PAN (long card number) and SAD [3 or 4 digit security number] to the telephone environment and balance that with user/customer experience requirements, with the object of significantly reducing the CDE [cardholder data environment] or eliminating the CDE altogether.”


Syntec’s CardEasy solution enables you to take card payments in your contact centres and by remote workers without the customer’s card details ever entering your own environment or systems. Whether you take payments by phone or via digital channels such as e-mail, SMS, webchat or social media, you can’t be at risk of a breach of the card payment data because you’ll no longer be privy to that data – and you will also be seen to have adopted ‘appropriate technical measures’ to be compliant, as required by the PCI DSS standards. And most importantly, you won’t be faced with the never-ending task of trying to keep that very sensitive customer data secure.
