De-Scoping Your Contact Centre for PCI DSS Compliance
PCI compliance is viewed as an expensive burden with concerns including disruption to daily business, budget restrictions, the complexity of the PCI DSS audit process, the potential training of staff, and so on.
Whatever merchants think about PCI DSS, it is the favoured payment security standard and will continue to be the benchmark for the industry and, increasingly, for consumers. Most merchants are endeavouring to meet rising customer security demands and protect their customers' data, and the related contact centres are changing how they handle customer information. So, what methods are contact centres currently using to achieve compliance?
Creating 'clean room' environments or segregating card handlers from other personnel is generally good practice; however, there are still gaps in these systems and processes. Call recordings and data collected on PCs and networks will be exposed in a PCI audit, so segmentation on its own will not adequately address the full scale of PCI requirements.
Other systems enable agents to manually pause and resume recording using buttons on their screen or handset. These methods are used extensively but they are still open to human error. As a result, PCI DSS does not approve manual intervention. In addition, any pause and resume system leaves agents exposed to card data, increasing fraud risk.
Outsourcing to a PCI DSS Service Provider
Changing the internal processes of contact centres can in some instances be more time consuming, counterproductive and costly than choosing options that are more sustainable over a longer period of time. Owing to the complexity of the PCI DSS audit, more large contact centres are opting to outsource their requirement to Visa-approved PCI DSS Level One Service Providers, so that they can continue to run their busy operation without distraction and reduce the scope of the lengthy and time-consuming audit. The most popular solutions on offer ask the caller to use their keypad to enter their card details, either through IVR automation or with agent assistance:
Some contact centres use an external system to transfer calls to an IVR platform at the point in a conversation when they need to take payment. The caller uses their telephone keypad to enter their card details. This solution is highly effective at removing the agent threat from the transaction, but for good customer service, many organisations prefer to keep the caller on the line while the customer is taken through the payment process.
DTMF Tone Suppression
The second solution offered by outsourced providers enables the agent to guide the caller through the payment process without the agent being exposed to any card data. This works by the agent asking the caller to enter their card details manually through their telephone keypad. The agent neither sees nor hears cardholder data, and the caller stays on the phone with the agent while the payment is processed. Minimal agent intervention is needed: the system hides card entries on the agent screen and blocks the DTMF tones from being recorded. This type of solution is generally considered to be one of the most robust PCI compliant contact centre solutions and is usually offered on a premise-based or hosted basis. Depending on which service provider you use, it varies in cost, complexity of integration and PCI certification. The extent to which the system actually de-scopes your contact centre from PCI also differs. For instance, some services are geared to de-scope the entire contact centre, which makes them fairly inflexible for organisations that take a relatively small proportion of payments through their agents.
At Eckoh we know that organisations have a range of requirements, from making a small number of agent seats compliant to removing their entire contact centre environment from PCI scope. As a result, we've developed solutions to meet every contact centre's PCI compliance need, offering the widest range of contact centre solutions on the market with quick implementation schedules and competitive costs.