The PCI DSS compliance checklist for contact centers
16 Jan 2016
If your contact center handles customer transactions and sensitive card data, you have most likely heard of the Payment Card Industry Data Security Standard (PCI DSS), but how prepared are you?
As a formal set of requirements and standards, PCI DSS applies to all organizations that store, process or transmit payment card data. The standards aim to ensure that retailers, card brands and consumers are all protected from fraud and breaches.
For contact centers taking Card Not Present ("CNP") payments (transactions made via phone, internet or mail order purchases), PCI DSS compliance is crucial.
If your company is non-compliant, you are at risk of suffering a data breach and monetary fines, as well as losing consumer trust. Ignoring the standard's requirements could have a detrimental impact on your business, especially as CNP fraud is on the rise internationally. According to the Aite Group, CNP fraud in the US currently represents 45% of total US card fraud, and Financial Fraud Action UK reported a 10% increase in fraud losses, totaling an estimated £331.5m in 2014.
The standard sets baseline requirements that help companies like yours build layered information security controls. Being compliant will help you identify where your cardholder data comes from, who has access to it and how it is stored. Understanding how this sensitive data moves through your systems is fundamental to protecting it.
Among the many risks, two key areas for data breaches are staff access and phone/network hacking. The PCI standards are robust and comprehensive, designed to strengthen payment card data security and consequently reduce the associated risks.
Here is a brief PCI DSS compliance checklist of the requirements your organization must meet to become PCI DSS compliant:
Build and Maintain a Secure Network and Systems
Install and maintain a firewall configuration that protects cardholder data (CHD). Do not use vendor-supplied defaults for system passwords or other security parameters on devices used in payment processing.
Protect Cardholder Data
It is best not to store cardholder data at all. If your business requires you to do so, ensure it is thoroughly protected. Any CHD transmitted across open, public networks must be encrypted.
Maintain a Vulnerability Management Program
Install anti-virus software and keep all protection programs up to date. Develop and maintain secure systems and applications, for example by applying security patches promptly.
Implement Strong Access Control Measures
Restrict access to sensitive CHD on a strictly need-to-know basis. Each user should be assigned a unique, valid ID for accessing system components. Physical access to CHD should be restricted.
Regularly Monitor and Test Networks
Track and monitor all access to network resources, systems and CHD. Ensure that security systems and processes, and the cardholder data environment as a whole, are tested regularly.
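The two checklist items above on protecting CHD (store as little as possible, and protect what you must keep) and on monitoring meet in a very practical place in a contact center: agent notes and application logs, where a card number read out over the phone can end up in plain text. The following is an added example, not code from the original article or from any product it mentions. It assumes agent notes are written to a text log; it masks any card number to first six and last four digits before the line is stored, and provides a scan you can run over stored logs to confirm no full PAN slipped through. The Luhn checksum is used only to cut false positives (order references, phone numbers), and the sample log lines are constructed.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not glued to other digits on either side.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Luhn checksum (ISO/IEC 7812). Used only to cut false positives such as
    order references or phone numbers that happen to be the right length."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Display masking in the PCI DSS style: at most the first six and last
    four digits remain, everything in between becomes '*'."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_line(line):
    """Return (scrubbed line, number of PANs masked)."""
    count = 0

    def replace(match):
        nonlocal count
        digits = re.sub(r"\D", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)       # not a card number, leave untouched
        count += 1
        return mask_pan(digits)

    return PAN_CANDIDATE.sub(replace, line), count


def scrub_log(lines):
    """Scrub every line before it reaches disk; returns (lines, total masked)."""
    scrubbed = []
    total = 0
    for line in lines:
        new_line, n = scrub_line(line)
        scrubbed.append(new_line)
        total += n
    return scrubbed, total


def find_unmasked(lines):
    """Monitoring check: 1-based numbers of lines that still hold a full,
    Luhn-valid PAN. Run it over stored logs to verify the scrubber held."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for match in PAN_CANDIDATE.finditer(line):
            if luhn_valid(re.sub(r"\D", "", match.group(0))):
                hits.append(number)
                break
    return hits


# Constructed sample agent-notes log (not real data). The card number is the
# well-known test PAN 4111 1111 1111 1111; the order reference and phone number
# are the kinds of digit strings that must NOT be masked.
SAMPLE_LOG = [
    "2016-01-16 10:02:11 agent=a.smith call=7781 note=customer read card 4111 1111 1111 1111 exp 09/18",
    "2016-01-16 10:03:40 agent=a.smith call=7781 ref=ORD-2016011612345 status=paid",
    "2016-01-16 10:05:02 agent=b.jones call=7782 note=callback on 0800 123 4567",
]

if __name__ == "__main__":
    clean, masked = scrub_log(SAMPLE_LOG)
    print(f"masked {masked} PAN(s); lines still carrying a PAN: {find_unmasked(clean)}")
    for line in clean:
        print(line)
```

Scrubbing at write time keeps full PANs out of log storage entirely, which is the "do not store it" option the checklist prefers; the separate scan is the regular test that proves the control is still working after software or agent-workflow changes. Call recordings, screen captures and ticketing systems need the same treatment, which is one reason the article goes on to mention payment services that keep card data away from agents altogether.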
Maintain an Information Security Policy
Maintain a policy that addresses information security, make sure all personnel are aware of it, and keep it up to date.
Beyond compliant systems and processes, there are many secure payment services available that remove the need for internal staff to handle sensitive card information at all. To find out more about securing payments in contact centers, read our eGuide to CNP Crime in Contact Centers.