PCI DSS: The thrills, perils and costs of DIY compliance
Wednesday, 16 May 2018

Card payment fraud is rising — and merchants need to safeguard the way they process, store and transmit cardholder data. But should PCI DSS compliance be something you tackle on your own?

We live in a data-sharing, give-away culture today, from free apps to open source software. With the right tools and a few clicks, many business processes can be templated, streamlined and automated with ease. Taking the DIY approach has never been simpler.

But what about achieving compliance with the Payment Card Industry Data Security Standard (PCI DSS)? Should you look for a specialist partner to secure sensitive card information or is this something you can handle yourself?

What's the cost of going it alone?
Many businesses say ‘Yes’ to the DIY route with PCI DSS. And in a sense, anything is possible if you throw enough resources in the right direction. But how many pounds do you want to channel into compliance? And how much of your life do you want to devote to the task?

Let's start counting the cost of going DIY. But before we set off, it's important to realise that this isn't something you can tackle in a single workshop — or in isolation. In fact, you'll need the buy-in and involvement of your colleagues in IT, security, compliance/governance, HR and your contact centre for years to come. No-one can opt out, which means you'll need the support of top executives, and you won't win any popularity contests.

PCI DSS compliance is a journey.

Step 1: Assess the risk
How do you receive payments? Over the phone, web, mobile apps and maybe chat channels too? As soon as cardholder data enters your contact centre environment, you'll be a target for criminals. So map out exactly how you process, store and transmit any sensitive data. You'll need to lock down every system it touches.

Vulnerabilities will quickly become apparent. You'll need a secure encrypted network and systems, strong access controls and stringent monitoring. The human aspect can be complex too. An armful of management policy documents and some training can help, but ultimately you need to block rogue contact centre agents at every turn. Phones, other recording devices, even paper and pens must be kept away from where calls are received. Having 'clean rooms' and using thoroughly-vetted staff only for payment-taking duties can also strengthen your defences. Of course, the cost of all this security can be shockingly high.

Step 2: Achieve compliance

Merchants and payment service providers fit into different compliance levels, depending on how many credit card transactions they handle. You'll then need to attest your PCI DSS compliance by filling in a questionnaire, submitting documents and carrying out any remedial action.

If you process over six million card transactions per year, then you'll require Level One PCI DSS compliance — which means you'll need a Qualified Security Assessor (QSA) to check whether you make the grade. Other organisations complete a PCI DSS Self-Assessment Questionnaire (SAQ). Ticking boxes can seem simple and relatively inexpensive, but committing to compliance puts a huge weight of responsibility on you.

Step 3: Keep going ... and going

Achieving compliance is a bit like starting a new relationship. You've raised your game and won the first date: now you have to keep the charm working — and not revert back to old habits. With PCI DSS, that means maintaining compliance every second of every day, with the threat of fines, lost business and brand damage hanging over you if things go wrong.
This is probably the toughest aspect of PCI DSS compliance. Standards can slip alarmingly fast. In fact, Verizon's 2015 PCI Compliance Report found that fewer than one third of companies were still fully compliant less than a year after gaining validation.

Maintaining PCI DSS compliance will place a significant cost burden on your company and could also take away valuable resources from the projects that matter most to your business performance. It can also constrain your business processes and make you less flexible and adaptable.

Where are the 'thrills' you suggested in the headline?

There's certainly a sense of satisfaction to achieving PCI DSS compliance, but this is fleeting because it needs to be kept up continually. If anything, the 'thrill' is being kept on the edge of your seat, wondering if your PCI DSS compliance will hold out for another day. It's more chill than thrill.

Help, I'm getting in too deep!

Are you on the DIY journey and you want a safer, cost-effective alternative? Download your free copy of our definitive guide to PCI DSS. You'll discover everything you wanted to know about secure payments but were too afraid to ask.

If you’re not convinced by PCI DSS compliance then read our jargon-free guide which explains the rise in CNP crime in contact centres, where you’re vulnerable and what you can do to combat the threat.

If you'd like to know more about secure payments then give us a call on 08000 630 730 or drop us an email.

About the Author

Tony Porter

Head of Global Marketing

Tony has over 30 years’ experience in sales, marketing and business development and currently leads these activities for Eckoh in both the UK and US markets and across all sectors. Tony’s role focuses on helping contact centres to improve their customer engagement, making them convenient and secure for consumers to use. He understands the challenges organisations face around PCI DSS compliance and how to make the Omnichannel contact centre experience a satisfying reality. He is a regular speaker at events on topics such as PCI DSS, GDPR, contact centre technology, IVR solutions, self-service, secure payments, marketing and business development.
