Card payment fraud is rising — and merchants need to safeguard the way they process, store and transmit cardholder data. But should PCI DSS compliance be something you tackle on your own?
We live in a data-sharing, give-away culture today, from free apps to open source software. With the right tools and a few clicks, many business processes can be templated, streamlined and automated with ease. Taking the DIY approach has never been simpler.
But what about achieving compliance with the Payment Card Industry Data Security Standard (PCI DSS)? Should you look for a specialist partner to secure sensitive card information or is this something you can handle yourself?
What's the cost of going it alone?
Many businesses say ‘Yes’ to the DIY route with PCI DSS. And in a sense, anything is possible if you throw enough resources in the right direction. But how many pounds do you want to channel into compliance? And how much of your life do you want to devote to the task?
Let's start counting the cost of going DIY. But before we set off, it's important to realise that this isn't something you can tackle in a single workshop — or in isolation. In fact, you'll need the buy-in and involvement of your colleagues in IT, security, compliance/governance, HR and your contact centre for years to come. No-one can opt out, so you'll need the backing of top executives, and you won't win any popularity contests.
PCI DSS compliance is a journey.
Step 1: Assess the risk
How do you receive payments? Over the phone, web, mobile apps and maybe chat channels too? As soon as cardholder data enters your contact centre environment, you'll be a target for criminals. So map out exactly how you process, store and transmit any sensitive data. You'll need to lock down every system it touches.
Vulnerabilities will quickly become apparent. You'll need a secure encrypted network and systems, strong access controls and stringent monitoring. The human aspect can be complex too. An armful of management policy documents and some training can help, but ultimately you need to block rogue contact centre agents at every turn. Phones, other recording devices, even paper and pens must be kept away from where calls are received. Having 'clean rooms' and using thoroughly-vetted staff only for payment-taking duties can also strengthen your defences. Of course, the cost of all this security can be shockingly high.
Step 2: Achieve compliance
Merchants and payment service providers fit into different compliance levels, depending on how many card transactions they handle. You'll then need to attest your PCI DSS compliance by filling in a questionnaire, submitting supporting documents and carrying out any remedial action.
If you process over six million card transactions per year, then you'll require Level One PCI DSS compliance — which means you'll need a Qualified Security Assessor (QSA) to check whether you make the grade. Other organisations complete a PCI DSS Self-Assessment Questionnaire (SAQ). Ticking boxes can seem simple and relatively inexpensive, but committing to compliance puts a huge weight of responsibility on you.
Step 3: Keep going ... and going
Achieving compliance is a bit like starting a new relationship. You've raised your game and won the first date: now you have to keep the charm working — and not revert to old habits. With PCI DSS, that means maintaining compliance every second of every day, with the threat of fines, lost business and brand damage hanging over you if things go wrong.
This is probably the toughest aspect of PCI DSS compliance. Standards can slip alarmingly fast. In fact, Verizon's 2015 PCI Compliance Report found that fewer than one third of companies were still fully compliant less than a year after gaining validation.
Maintaining PCI DSS compliance will place a significant cost burden on your company and could also take away valuable resources from the projects that matter most to your business performance. It can also constrain your business processes and make you less flexible and adaptable.
Where are the 'thrills' you suggested in the headline?
There's certainly a sense of satisfaction to achieving PCI DSS compliance, but this is fleeting because it needs to be kept up continually. If anything, the 'thrill' is being kept on the edge of your seat, wondering if your PCI DSS compliance will hold out for another day. It's more chill than thrill.
Help, I'm getting in too deep!
Are you on the DIY journey and you want a safer, cost-effective alternative? Download your free copy of our definitive guide to PCI DSS. You'll discover everything you wanted to know about secure payments but were too afraid to ask.
If you’re not convinced by PCI DSS compliance then read our jargon-free guide which explains the rise in CNP crime in contact centres, where you’re vulnerable and what you can do to combat the threat.