The industry is well aware of the Payment Card Industry Data Security Standard (PCI DSS), which was designed to protect payment card information in any format in which it exists. While global organisations of varying sizes take a pointed approach to their PCI compliance, others are starting the journey and may seek to know and understand more about what’s required and just how to get there.
The contact centre is an area of particular vulnerability from a data security standpoint. These environments tend to be more data intensive, with relatively high staff turnover. Data security is also an increasing consideration for companies that employ and manage remote workers. These employees, like their brick-and-mortar contact centre counterparts, have access to large amounts of private consumer information that may include credit card, personal identification and other sensitive data.
The following important “starter” tips review considerations that contact centres should take into account as they start to move toward achieving PCI DSS compliance.
1. Leverage the tools and resources available on the PCI Standards website
The standard itself, along with an abundance of guidance in the form of FAQs and supplemental guides, is provided on the PCI Security Standards Council (PCI SSC) website at www.pcisecuritystandards.org. A recent area of concern has arisen around the Council’s position that digitally recorded calls that contain payment card information are in scope for PCI DSS.
Most contact centres record calls and review them for quality purposes, which is a great way to spot fraudulent behaviour and help ensure compliance with a variety of regulations. However, recorded calls that contain specific card information can themselves be used to perpetrate fraud. In March 2011, the PCI SSC released a supplement providing specific guidance for protecting telephone-based payment card data. This guide provides a decision process for protecting voice recordings in accordance with PCI DSS 2.0.
2. Engage with your contact centre technology vendors
Seek guidance from your technology vendors. They can share how their solutions can assist in achieving PCI compliance. The PCI SSC fully supports the use of technologies involved in processing credit card transactions. Its goal is to ensure that payment system information is compliant. On the PCI SSC website, there is a list of payment applications that meet the Payment Application Data Security Standard (PA-DSS), meaning they have been tested and approved as payment technologies that meet PCI DSS guidelines for payment processing.
Selecting a tool from this list can enable the merchant organisation to de-scope the application from the PCI audit and ensure compliance in that area. Some technologies, such as call recording, are within scope for PCI DSS but are not involved in the processing and settlement of payments, and as such are ineligible for PA-DSS. Those vendors should still have the resources to help you achieve PCI compliance using their technology.
What you should look for in a recording solution is file-level encryption using a strong algorithm, and the ability to automatically pause and resume recording based on desktop activity, in order to avoid capturing sensitive authentication data, such as CVV2 codes.
3. Keep personal data confidential
Don’t stop at protecting payment card information when increasing security across your datacentre. Remember that confidential data elements are identified in the 48 state breach disclosure laws, and credit card data is just one item on that list. When you look at cost-justifying mechanisms and what needs to be protected, think more broadly about other types of personal data, such as social security numbers, driver’s licenses, birth dates, mother’s maiden names, medical records and more.
4. Don’t overlook physical layout issues
Traditional contact centre layouts that promote easy monitoring and access to supervisors can sometimes present unique security challenges. Do you have an open floor plan? If so, look at creating a “clearance” area for the contact centre agents authorised to take credit card numbers. This helps prevent other agents from overhearing conversations or “shoulder surfing” – viewing sensitive on-screen information.
5. Take work-at-home agents into consideration
Remote workers, including contact centre agents, may have special requirements in relation to PCI DSS. If you have work-at-home employees who have exposure to payment card information, careful security screening and processes are in order. Two-factor authentication (such as hardware “tokens”) is necessary to help ensure the approved employee is the person logging in and accessing secure information. Some companies are even instituting voice analysis technology to help ensure the person on the phone is the authorised employee.
Regardless, strict security policies, training and frequent audits are a must. Keeping remote agents on a separate segment of the company network, isolated by a firewall, is an additional way to limit security and data breaches. Also, keep in mind that quality monitoring can serve as an effective tool to help ensure staff follow PCI compliance processes.
PCI DSS can present a challenge for organisations that need to comply. However, most data security experts consider these steps the minimum that every company dealing with personal consumer information should be considering and/or employing in its operations. Your customers will appreciate it, and, in the long run, your company’s reputation may depend on it – PCI compliance requirement or not.