
PCI DSS: The thrills, perils and costs of DIY compliance
Wednesday, 16 May 2018

Card payment fraud is rising — and merchants need to safeguard the way they process, store and transmit cardholder data. But should PCI DSS compliance be something you tackle on your own?


We live in a data-sharing, give-away culture today, from free apps to open source software. With the right tools and a few clicks, many business processes can be templated, streamlined and automated with ease. Taking the DIY approach has never been simpler.

But what about achieving compliance with the Payment Card Industry Data Security Standard (PCI DSS)? Should you look for a specialist partner to secure sensitive card information or is this something you can handle yourself?

What's the cost of going it alone?
Many businesses say ‘Yes’ to the DIY route with PCI DSS. And in a sense, anything is possible if you throw enough resources in the right direction. But how many pounds do you want to channel into compliance? And how much of your life do you want to devote to the task?

Let's start counting the cost of going DIY. But before we set off, it's important to realise that this isn't something you can tackle in a single workshop — or in isolation. In fact, you'll need the buy-in and involvement of your colleagues in IT, security, compliance/governance, HR and your contact centre for years to come. No-one can opt out, so you'll need visible support from top executives, and you won't win any popularity contests along the way.

PCI DSS compliance is a journey.

Step 1: Assess the risk
How do you receive payments? Over the phone, web, mobile apps and maybe chat channels too? As soon as cardholder data enters your contact centre environment, you'll be a target for criminals. So map out exactly how you process, store and transmit any sensitive data. You'll need to lock down every system it touches.

Vulnerabilities will quickly become apparent. You'll need a secure encrypted network and systems, strong access controls and stringent monitoring. The human aspect can be complex too. An armful of management policy documents and some training can help, but ultimately you need to block rogue contact centre agents at every turn. Phones, other recording devices, even paper and pens must be kept away from where calls are received. Having 'clean rooms' and using thoroughly-vetted staff only for payment-taking duties can also strengthen your defences. Of course, the cost of all this security can be shockingly high.

Step 2: Achieve compliance

Merchants and payment service providers fit into different compliance levels, depending on how many card transactions they handle. You'll then need to attest your PCI DSS compliance by filling in a questionnaire, submitting supporting documents and carrying out any remedial action.

If you process over six million card transactions per year, then you'll require Level One PCI DSS compliance — which means you'll need a Qualified Security Assessor (QSA) to check whether you make the grade. Other organisations complete a PCI DSS Self-Assessment Questionnaire (SAQ). Ticking boxes can seem simple and relatively inexpensive, but committing to compliance puts a huge weight of responsibility on you.

Step 3: Keep going ... and going

Achieving compliance is a bit like starting a new relationship. You've raised your game and won the first date: now you have to keep the charm working — and not revert to old habits. With PCI DSS, that means maintaining compliance every second of every day, with the threat of fines, lost business and brand damage hanging over you if things go wrong.

This is probably the toughest aspect of PCI DSS compliance. Standards can slip alarmingly fast. In fact, Verizon's 2015 PCI Compliance Report found that fewer than one third of companies were still fully compliant less than a year after gaining validation.

Maintaining PCI DSS compliance will place a significant cost burden on your company and could also take away valuable resources from the projects that matter most to your business performance. It can also constrain your business processes and make you less flexible and adaptable.

Where are the 'thrills' you suggested in the headline?

There's certainly a sense of satisfaction to achieving PCI DSS compliance, but this is fleeting because it needs to be kept up continually. If anything, the 'thrill' is being kept on the edge of your seat, wondering if your PCI DSS compliance will hold out for another day. It's more chill than thrill.

Help, I'm getting in too deep!

Are you on the DIY journey and you want a safer, cost-effective alternative? Download your free copy of our definitive guide to PCI DSS. You'll discover everything you wanted to know about secure payments but were too afraid to ask.

If you’re not convinced by PCI DSS compliance then read our jargon-free guide which explains the rise in CNP crime in contact centres, where you’re vulnerable and what you can do to combat the threat.

If you'd like to know more about secure payments then get in touch.

About the Author

Tony Porter

Head of Global Marketing

Tony has over 30 years’ experience in sales, marketing and business development and currently leads these activities for Eckoh in both the UK and US markets and across all sectors. Tony’s role focuses on helping contact centres to improve their customer engagement, making them convenient and secure for consumers to use. He understands the challenges organisations face around PCI DSS compliance and how to make the Omnichannel contact centre experience a satisfying reality. He is a regular speaker at events on topics such as PCI DSS, GDPR, contact centre technology, IVR solutions, self-service, secure payments, marketing and business development.
