9 things that bug you about PCI DSS compliance
19 Jun 2020
Compliance with the Payment Card Industry Data Security Standard (PCI DSS) helps companies to demonstrate they can process card payments securely and reduce card fraud.
But the road to compliance can be fraught with wrong turns, unexpected risks and confusing myths. Even if your contact or call center is PCI DSS compliant, you are still at serious risk of a breach. So, what hazards lie ahead and how can they best be avoided?
#1: Compliance doesn't equal security
There's a false sense of security that if you're PCI DSS compliant, your contact center isn't at risk. Using multiple solutions can still lead to fraud. For example, pause and resume still allows your agents to see and hear card information, and isn't always reliable. Also, clean rooms require calls to be transferred, resulting in a poor customer experience. Both are technically compliant but are not completely secure.
#2: PCI DSS is a moving target
There's no guarantee that today's solutions will work in the future. PCI compliance regulations will just keep changing and security auditors will find new gaps and vulnerabilities, which means you'll have to keep changing too. Also, even if you are compliant, you may still be at risk of a breach.
#3 You're wasting time and money trying to keep up with PCI DSS regulations
You need to protect your company's brand value, keep your customers' personal data safe and secure card data in your contact or call center. That's a tall order. But with every regulation change, you have to constantly change processes, implement new technology, maintain those solutions and spend time training agents. The operational costs can get out of control.
#4 Contact center crime is a growing issue.
As online and point-of-sale transactions get more secure, criminals are now targeting the contact center. According to a 2018 study, Card-Not-Present fraud is now 81% more likely than point-of-sale fraud. If credit card data is entering the contact center environment at all, where agents can see or hear it, or if it's being stored in your systems, it's at risk of being stolen.
#5 Pause and resume and other Band-Aid(R) type fixes are not the answer.
Manual interventions are simply not reliable enough. Agents can still see and hear card details. Interrupting the call by transferring to an IVR system or clean room environment is a less than ideal customer experience, and these solutions have less than stellar success rates.
The average company uses 3 different solutions to maintain PCI DSS compliance, which is costly and time-consuming.
#6 Your PCI DSS solution is inhibiting your contact center technology progress.
Once your contact or call center environment (IVR system, switch, payment service provider or network) is embedded into your compliance process, it becomes problematic to change any of it when new regulations are introduced. You have to redo the plumbing and wiring again, at great expense in terms of time and money.
#7 The cost of cyber insurance is climbing
In order to get lower premiums, you need to protect customer data to the greatest degree possible. Many solutions leave you more exposed to increased premiums. A 2020 IBM-Ponemon Institute survey found that the average cost of a data breach in the US is $8.64 million.
#8 PCI DSS challenges prohibit you from benefiting from Work-at-Home agents
There are many advantages to having remote agents, especially in the current circumstances, but a multi-solution approach to PCI DSS compliance creates security and training challenges that are difficult to overcome, leaving fewer choices and less flexibility in staffing your contact center.
#9 Poor customer payment practices can lead to lower CSAT/NPS scores.
Customers expect their financial information will be kept safe and secure. Requiring customers to read data aloud over the phone is a risk and can lead to higher levels of dissatisfaction. Customers want to pay in their channel of choice. Shifting them to another channel such as a payment IVR or clean room environment can be very frustrating.
There is a better way: CallGuard from Eckoh, which significantly reduces your risk of fraud and streamlines your compliance process with one simple solution.
Source: 2018 Identity Fraud Study, Javelin Strategy & Research