Are you worried that storing customer card data will make you a target for criminals? If so, you're not alone. Most merchants feel the same way. But there is an answer.
Most of us would feel on-edge if we walked around with £50,000 in crisp banknotes stuffed into our pockets. So it's no surprise that the majority of merchants feel the same about the precious customer card data they're holding onto in their contact centres — especially as it places them within scope for PCI DSS compliance.
Recent research from American Express shows that 55% of merchants store customer profiles and card payment details for future purchases — and another 22% plan to do the same in the next 12 months*. However, 73% of merchants feel that storing customer credit cards on file is a security concern for their business. And 76% would prefer not to store customer credit card details at all. Some are bothered about the costs involved too.
But it seems that the need to offer simple payment options and deliver great customer experiences — to stay competitive — may have pushed merchants into this uncomfortable position. So what's the answer?
Where is card data hiding?
Before looking at solutions, it's worth exploring where customer card details are stored within a typical contact centre. It can be unnerving to discover where pockets of precious data end up:
- PBX-telephony systems: If you take payments over the phone, then sensitive details could be found here.
- Databases: These are an obvious location for sensitive data. But how good is your security around them?
- Applications/CRM: Card details could be found alongside your customers' account profiles.
- Call recordings: Calls are often recorded for training or legal purposes. But recordings can inadvertently contain card numbers spoken aloud by customers or entered using audible DTMF keypad tones that can be deciphered back into numbers.
- Contact Centre Agents: It's not unknown for agents to scribble down people's numbers or cut-and-paste details from one screen to another because of system issues. It's an area of vulnerability even if agents don't have fraud in mind (though this can be a motive).
PCI DSS non-compliance isn't an option
Any merchant that wants to process, store or transmit credit card data needs to be compliant with PCI DSS industry standards. Navigating PCI DSS involves checking PCI merchant levels, investigating the best way to provide PCI DSS compliant payments and completing a PCI assessment.
But attempting to handle each of these areas yourself using an array of PCI DSS compliant solutions can be complex, costly, time-consuming — and never totally secure. Think about new equipment, integration, patching, training and trying to enforce strict policies. Even then, you're still vulnerable to human error, mischief-making or insider fraud.
You'll still be a target too — for criminals that are getting increasingly sophisticated in their modes of attack. So what's the alternative to trying to sort your own contact centre compliance?
Lifting the burden from your business
Rolling back on customer convenience isn't the way to go. But it's possible to overcome the data security risks by using a solution that prevents data entering your systems in the first place – such as Eckoh CallGuard or ChatGuard.
For customers, the process is ultra smooth. They still speak or chat to your agents, use your familiar apps and your website as normal. What's more, with a PCI Level 1 partner such as Eckoh, you can add extra payment methods securely — such as e-Wallet payments, Chat Payments or IVR payments.
Behind the scenes, CallGuard prevents any sensitive data from entering your contact centre systems. Instead, data passes through Eckoh’s secure platform to the Payment Service Provider (PSP) and transaction success is confirmed by return.
Inside your contact centre, the data is masked by Eckoh’s patented tokenisation technology which makes sure that the real card data is not exposed to your agents or systems.
So your entire contact centre environment is shielded from any trace of sensitive data. This means that even if criminals managed to get around your security, infiltrate your workforce or obtain information from systems — there's nothing sensitive to steal.
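To make the two ideas above concrete (finding card numbers that have leaked into agent notes or transcripts, and replacing them with a token so that only a masked value and an opaque reference remain on your side), here is a small added Python example. It is not Eckoh's code and does not describe how CallGuard works internally; the in-memory `TokenVault` stands in for an external tokenisation service, and the sample agent note is constructed, using the published test card number 4111 1111 1111 1111 rather than a real PAN.

```python
import re
import secrets
from typing import Dict, List, Tuple

# Candidate PAN: 13-19 digits, optionally separated by spaces or hyphens,
# not preceded or followed by another digit (avoids slicing longer numbers).
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check (ISO/IEC 7812): filters out order refs, phone numbers etc."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits_of(match_text: str) -> str:
    return re.sub(r"[ -]", "", match_text)


def find_pans(text: str) -> List[str]:
    """Return Luhn-valid card numbers hiding in free text (agent notes, transcripts)."""
    found = []
    for m in PAN_PATTERN.finditer(text):
        digits = _digits_of(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(digits: str) -> str:
    """Masked display form: only the last four digits are kept."""
    return "*" * (len(digits) - 4) + digits[-4:]


class TokenVault:
    """Hypothetical stand-in for an external vault: the PAN never leaves this object.

    In a real de-scoped design the vault lives outside the contact centre, so the
    systems that hold the token are out of scope for the card data itself."""

    def __init__(self) -> None:
        self._store: Dict[str, str] = {}

    def tokenize(self, digits: str) -> Tuple[str, str]:
        """Store the PAN, return (random token, masked PAN) for the caller to keep."""
        token = "tok_" + secrets.token_hex(8)   # unpredictable, not derived from the PAN
        self._store[token] = digits
        return token, mask_pan(digits)

    def detokenize(self, token: str) -> str:
        """Only the payment path (never agents or CRM) should be able to call this."""
        return self._store[token]


def sanitize_note(note: str, vault: TokenVault) -> Tuple[str, List[str]]:
    """Replace every PAN in an agent note with 'masked [token]'; return note and tokens."""
    tokens: List[str] = []

    def repl(m: "re.Match[str]") -> str:
        digits = _digits_of(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            token, masked = vault.tokenize(digits)
            tokens.append(token)
            return f"{masked} [{token}]"
        return m.group(0)       # not a card number, leave it alone

    return PAN_PATTERN.sub(repl, note), tokens


if __name__ == "__main__":
    # Constructed sample: an agent note containing an order reference and a test PAN.
    note = "Order 1234567812345678 refunded; customer read out card 4111 1111 1111 1111"
    vault = TokenVault()
    print("PANs found:", find_pans(note))
    cleaned, tokens = sanitize_note(note, vault)
    print("Cleaned note:", cleaned)
    print("Tokens held by CRM:", tokens)
```

The order reference is 16 digits but fails the Luhn check, so it is left untouched; the test PAN is replaced by its masked form plus a token, and the CRM record that results contains nothing a criminal could charge. Two PANs separated only by a single space would be caught as one match by this simple pattern, so a production scanner needs tighter separator handling than this illustration.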
Entirely de-scoping your contact centre means that customer service directors, contact centre managers, chief security officers and heads of compliance can breathe a sigh of relief. While de-scoping cannot remove the whole burden of PCI DSS compliance, it can ease the load, the risk and the worry.
Call centre compliance made easy
De-scoping your contact centre can be quick and relatively pain-free. It doesn't require the wholesale removal of your technology, expensive investment, painful integration and months of disruption impacting staff and customers.
With a cloud-based platform, such as the Eckoh Experience Portal, you can quickly access all the engagement channels and payment solutions you need to truly transform customer engagement and protect customer data as well as achieving, and maintaining, PCI DSS compliance. Take a look at our guide on ‘PCI DSS: De-scoping your contact centre’ which explores these issues or get in touch for more information.
*American Express Insights 2019 Digital Payments Survey