Help with PCI DSS

Why is PCI DSS compliance so important in Contact Centres — and what are the implications for your organisation?

Why Should We Comply with PCI DSS?

Are you confused by PCI DSS or concerned about the considerable investment and resources that compliance demands? If so, you're not alone. For any merchant, becoming compliant with PCI DSS (Payment Card Industry Data Security Standards) can seem like a huge challenge.

The majority of contact centres handling customer data, including payment card information, must now take steps to prevent this data from getting into the wrong hands.

PCI DSS compliance is not just about securing your systems and encrypting your data. In many ways, those are the easy parts. Where your systems and data come into contact with humans is the real weak point. In a complex operational environment, where hundreds of people might be coming and going every day, watertight security procedures are absolutely essential.

More about: PCI Security Standards Council

PCI Compliance: Now Within Easy Reach of Every Enterprises

PCI DSS compliance violations can be catastrophic to an organisation. The resulting fines levied by the card schemes can be substantial.

The good news is that Eckoh has made PCI DSS compliance easier and cost-effective. We also offer the widest range of PCI DSS compliant contact centre solutions.

PCI DSS: What Will it Mean for Me?

PCI DSS compliance is increasingly important and brings major challenges and benefits to organisations of all types.

Trust with Card Data

Compliance with the PCI DSS means that your systems are secure and customers can trust you with their sensitive payment card information. Your customers will also have confidence in doing business with you. They are more likely to become repeat customers and recommend you to others.

Reputation for Security

Compliance improves your reputation with acquirers and pay­ment brands — the partners you need for business. Customers will increasingly make purchasing decisions based around the security of their card details. Merchants that provide peace of mind will earn a reputation of trust and security.

Compliance and Security

As data compromise becomes ever more sophisticated, it becomes difficult for merchants to stay ahead of each threat.

Becoming PCI DSS compliant is an ongoing process to prevent future security breaches and theft of payment card data.

PCI DSS Non-Compliance can be Devastating

PCI DSS compliance violations can be catastrophic to an organisation — and followed by substantial fines levied by the card schemes. Card or monthly fines can be enforced and ultimately card processing facilities can be suspended or stopped.

A full investigation by a Qualified Forensic Investigator will be carried out if cardholder data is compromised. Failing to meet just one requirement of the PCI DSS, regardless of whether it contributed to the security breach, is deemed 'non-compliant, with no protection against card scheme fines'.

Securing Payments

PCI DSS compliance is not a legal obligation, but the threat of fines for non-compliance or the high costs if breaches occur are firm drivers for organisations to invest in reviewing processes:

  • Average cost per compromised record is £133
  • Average cost of a breach event is £4.5 million
  • Non-compliance cost is an average of 2.65 times the cost of compliance
  • Companies can also experience business disruption, reduced productivity, fees, penalties, other legal and non-legal settlement costs

Why is PCI DSS So Important in Contact Centres?

PCI DSS directly impacts contact centres where agents are asked to process cardholder data over the telephone. All locations, systems and processes are then in scope, from the contact centre environment itself with Requirement 9 on physical access control and Requirement 10 on monitoring and logging; through the agent recruitment process to the data systems, voice systems and call recording.

PCI DSS compliance is not just limited to securing call recordings. The full journey of cardholder data within the contact centre must be mapped and secured. This includes voice systems, data systems and human touch-points. The scope of the audit is extensive and can require either an external auditor or dedicated internal resource to spend a number of months analysing and evaluating the environment and internal processes, to determine compliance without a guarantee of ongoing security. The aim of PCI DSS is to protect consumers' payment card data from being shared/accessed and used illegally once a transaction has been made or processed. With the majority of contact centres handling personal customer data, including payment card information, there was a growing concern that merchants were not taking necessary steps to prevent this data from getting into the wrong hands.

The PCI Security Standards Council offers robust and comprehensive standards to enhance payment card data security that merchants must now comply with. Compliance monitoring comes in the form of an annual audit that concentrates on three main areas:

PCI DSS Compliance Monitoring

The PCI Security Standards Council offers robust and comprehensive standards to enhance payment card data security that merchants must now comply with. Compliance monitoring comes in the form of an annual audit that concentrates on three main areas:

Data Collection and Storage Processes

The secure collection and tamper-proof storage of log data so that it is available for analysis.

Reporting Data Protection Processes

The ability to prove compliance in the event of an audit. Evidence that data protection controls are in place is also required.

Monitoring and Alerting Use of Data

Involves implementing systems that enable administrators to monitor access and use of data. Evidence that log data is being collected and stored is also required.

PCI DSS Merchant Levels

Acquiring banks must ensure that all merchants and service providers are compliant with the PCI DSS requirements. However, compliance validation has been prioritised based on the volume of transactions, the potential risk and exposure introduced into the payment system.

Merchant levels are defined based on the volume of annual transactions.

  • Level 1 - Processing over 6 million transactions annually
  • Level 2 - Processing 1 to 6 million transactions annually
  • Level 3 - Processing 20,000 to 1 million transactions annually
  • Level 4 - Processing less than 20,000 transactions annually and other merchants processing up to 1 million transactions annually.

In addition to the annual audit by a Qualified Security Assessor (QSA) or Self Assessment Questionnaire, organisations must also have a quarterly network scan by an Approved Scan Vendor and an attestation of Compliance Form.

12 PCI DSS Requirements

While all 12 requirements of PCI DSS have some relevancy to contact centres and their systems, the most significant requirements are:

  • Requirement 3: Protect stored cardholder data
  • Requirement 7: Restrict access to cardholder data by business need to know
  • Requirement 12: Maintain a policy that addresses information security

The finance and resource needed to implement the system processes needed to become PCI DSS compliant obviously increases with the business size. This may account for why organisations housing contact centres of 500+ agents are struggling to become compliant.

Read more about our PCI DSS services:

Reduce Your Audit Scope with Eckoh

Eckoh is a PCI DSS Level 1 Service Provider. By outsourcing your PCI DSS requirement to us, we effectively and safely take on the risk of your payment processing and reduce your audit scope.

PCI DSS Compliance is normally a painstaking task that takes months to complete. For example, an organisation that needs to address SAQ D would have to meet over 233 detailed requirements. More simply, by outsourcing your payments requirement to Eckoh, you may only need to complete the PCI DSS Self Assessment Questionnaire (SAQ) A. In comparison, it only contains 13 'yes' or 'no' questions. So much simpler!

Compliance Failure is NOT an Option

Non-compliance can spell disaster for your business. Not because you failed the audit, but because of what it means to your customers. Compromised data negatively affects consumers, merchants and financial institutions. Just one incident can severely damage your reputation, your credibility and your ability to conduct business effectively — far into the future.

Account data breaches can lead to catastrophic loss of sales, relationships and good-standing in your community. Costs can also escalate — not just from the fines received from regulators, but additional costs incurred from remediation, customer credit checks, legal costs, etc.

Discover How We Enable Agent Assisted Payments