Seven questions to ask when outsourcing your contact centre payments

If you take contact centre payments, you will most likely be looking for ways to protect your customers’ data and achieving PCI compliance.

The PCI DSS audit process is an ongoing, compulsory process, which is often regarded as complex and expensive to implement, not to mention time-consuming. Due to some of these factors, finding a solution to securing contact centre payments often results in merchants outsourcing the entire payment process.

BPOs (Business Process Outsourcers) represent a competitive and mature market of companies who offer contact centre services (including payments). With plenty of solution providers for you to choose from, what PCI and security-related questions should you be asking when looking for a BPO to act on your behalf?

1. Do they have an Attestation of Compliance?

An Attestation of Compliance (AOC), is a document completed by the company and/or their Qualified Security Assessor (QSA) to attest to PCI Compliance.

Why? This is the minimum level of documentation you should expect from a BPO. The AOC is a formal PCI document, which is more detailed and informative than a compliance certificate (sometimes issued by QSAs, and not a formal PCI document) on its own.

2. Are they able to provide you with an Executive Summary of their Report on Compliance?

A Report on Compliance (ROC), is a formal document completed by a QSA to attest to PCI DSS compliance once the PCI Council has approved the AOC.

Why? The full ROC is a sensitive document, containing information of the exact IT infrastructure of the company e.g. server names, firewall details, intrusion detection systems, anti-virus applications used, etc. If a prospective BPO were to provide you with their full ROC, it would represent a security threat; hackers could use these details to attack the BPO.
So, instead of a full Report on Compliance, you should push to see an Executive Summary, which lists the sites and processes which were assessed for PCI compliance. This is often produced under a non-disclosure agreement.

3. Do they appear on the Visa Merchant Agent list as a Service Provider?

Visa Inc and Visa Europe operate separate lists of Service Providers. These show Service Providers which have passed Visa's financial requirements and have been assessed by a QSA.
Visa Europe:
Visa Inc:

Why? If you wish to reduce your own PCI DSS scope, then it is mandatory under PCI DSS v3.0 to use a validated Service Provider when outsourcing work to contact centres. If they are not validated, your own PCI DSS scope simply expands to the BPO itself and you do not gain any scoping benefit.

4. What technology are they using to ensure card data is not stored in their call recordings?

When card data is not stored in call recordings, it removes the threat of access to sensitive data and therefore a damaging data breach.

Why? Some of the methods to remove card data from the process are considered less secure than others, due to inherent dangers in their methodologies. Some methods include:

- No call recording in use. (Perfect: no card data stored).
- Card data is stored, but it is encrypted. Make sure 3-digit security checksum 'CV2' value is not stored, as this is disallowed under PCI DSS.
- DTMF masking/blocking (e.g.CallGuard) (Keeps agents away from card data too).
- Transfer to unrecorded IVR for automated payment (e.g.EckohPAY). (Helps improve efficiency also).
- Automated or manual pause and resume (we consider pause and resume the least secure, and in some cases forbidden by PCI DSS).

5. When taking payments, do their agents see or hear card data?

You should be looking for a 'no' to that, on both counts.

Why? It is ideal that contact centre agents are not able to see or hear the card data, as otherwise internal data breaches are a real possibility. Outsourcing to a BPO means having no control over the contact centre agent screening, which is why you definitely do not want agents hearing or seeing your customers' sensitive card data.

6. Are they prepared to define exactly which PCI DSS requirements they are handling on your behalf?

Part of the BPO's job is to take some of your PCI DSS requirements away. So both parties should be very clear about who's doing what.

Why? Under PCI DSS v3.0, your QSA needs to know where each party's responsibilities lie. Any BPO which takes PCI seriously will have already prepared a list or matrix of their PCI competencies and obligations, and will engage in a sensible discussion with you about the elements remaining for you to fulfil, or to share with the BPO.

7. Will they accept liability for any data breaches?

Costs resulting from card data breaches can be very high indeed. These can include fines from regulators and card schemes, additional costs including remediation, customer credit checks and legal costs, and forensic investigations.

Why? If the BPO is fulfilling orders for you, they are processing card payments on your behalf. They should be confident in their ability to absorb fines and penalties if they are taking on this role. If they're not, you need to question why.

Loading Conversation

Posted by eckoh at 9:12 AM on Nov 4, 2015


Recent Posts

Does it feel like it's panto season in your contact centre every day? If so,…


We've all watched on in horror ... as an out-of-control child creates havoc at a…


Are customers mysteriously falling out of love with your business — despite your…