The 5 things you need to know about PCI DSS compliance in your contact centre
The Payment Card Industry Data Security Standard (PCI DSS) requires that organisations which process credit card data must achieve and be able to demonstrate compliance across 12 highly defined areas of cardholder data management and privacy. Established for some years, this is a worldwide standard and doesn’t just apply to large enterprises, but also SMEs who do not always make headline news when a security breach occurs.
Failure to achieve compliance can lead to more than just fines. An organisation that handles payment card transactions and has suffered a suspected breach can be investigated by a PCI Forensic Investigator (PFI), leading to a detailed assessment of the organisation’s network and processes, and the full financial liability for that investigation. Such a breach can easily cost a minimum of several hundred thousand pounds in remediation work, fines, consequential liabilities and even result in financial institutions terminating their relationships with the company that allowed the breach to occur – and that’s without the cost of reputation loss and damage to the brand.
The benefits of working with PCI DSS certified service providers include giving end customers the confidence that their financial information is being protected, employees the reassurance that they are not being inadvertently exposed to customer data, and organisations the ability to demonstrate that they care about customer experience and compliance.
As a PCI DSS Level 1 certified service provider, Ultracomms are experts in PCI DSS compliance. We’ve put together a few tips on what you really need to know if you handle card payments over the phone.
1. Compliance and certification are not the same thing – While many organisations claim to be compliant, to be certified by the Payment Card Industry Security Council requires an organisation’s technology, network, and internal processes to be audited by an independent Qualified Security Assessor (QSA), and a Report on Compliance (RoC) document issued.
2. Certification can be expensive, but costs vary – Achieving full certification can run into a six figure sum. However, by choosing to work with a service provider that has already achieved PCI DSS level 1 certification (such as Ultracomms), it’s possible for an organisation to gain its own certification for a fraction of the cost and in a much shorter time-frame, using the Self-Assessment Questionnaire (SAQ) process.
3. The right technology can help – Advances in technology can simplify the process of PCI DSS compliance. DTMF (dual-tone multi-frequency) clamping technology completely masks the customer’s payment information from entering the contact centre and makes screen and call recording safe for organisations.
4. Certification doesn’t happen overnight – With the correct processes and technology in place, it is possible to achieve PCI DSS compliance in as little as 6-8 weeks, but given that there may be variables and unknown factors, it is advisable to plan for a longer timeframe.
5. Don’t forget to factor yearly reassessment into PCI DSS strategies – Once achieved, PCI DSS certification requires ongoing maintenance, an annual inspection and the provision of evidence by the organisation for evaluation by the third party tester before certification is re-confirmed.
Achieving PCI DSS certification is not a straight forward process, but the benefits far outweigh the effort involved, with the end result – far greater security for consumers, organisations, and their employees.