Six Myths of PCI DSS Compliance

A lot has been written about PCI DSS compliance in recent years. With the recent heightened attention on merchants’ payment systems, there still seems to be a large degree of confusion around.

PCI DSS: what it is, where it applies and the implications it has on contact centres.

As a contact centre specialist and PCI DSS Level One Certified Provider, we've heard it all at Eckoh. From some businesses believing PCI doesn't apply to them, to thinking that their agents can no longer take payments.

Well, we're now going to help dispel some these myths right now.

Myth One – Fix your call recording and you are compliant in the Contact Centre.

WRONG: You need to address the full scope of the PCI DSS requirements.

There are vendors claiming that just addressing call recording within the contact centre will make you compliant. They have a vested interest, but they are wrong. PCI DSS encompasses the physical contact centre environment, including CCTV, audited badge access, the agents and a "clean room" environment, numbered sheets of paper, no mobile phones, locked down internet access. And finally, let's not forget the systems themselves. Call Recording is only a small part.

Myth Two – If you encrypt the call recording, you are compliant to the PCI DSS.

WRONG: because you are storing the security digits which is direct violation of PCI DSS.

Some companies also wrongly assume that encrypted call recordings are acceptable. Wrong again. PCI DSS clearly states that it is a violation to store any sensitive authentication data, after authorisation even if encrypted.

Myth Three – Contact Centres have to stop recording.

WRONG: you just need to make the recordings compliant.

This has led to the belief that Contact Centres have to stop recording their calls. This is not the case at all. Companies just need to find a way to isolate the card information from the call itself.

Myth Four - Pause and resume is the only fail-safe way to protect recordings.

WRONG: There are better ways to prevent the card data from being recorded.

Many companies have deployed solutions to pause recordings while the customer relays the card information and then resume recording after the transaction is complete. This method is costly, difficult, and indeed in some cases, for regulatory reasons the full call must be recorded. Even if you do pause and resume, the agents themselves are also exposed to card data and there is a risk of it being written down or retained.

Myth Five – Masking numbers is enough.

WRONG: The full scope for PCI DSS applies.

One myth concerning PCI Compliance is that if an enterprise's hides all but the last four digits of a credit card number from its agent's payment screens, then their systems are PCI Compliant. Masking credit card numbers is only a small part of PCI Compliance and is agent-facing (external); the network may not be storing data internally in a compliant manner.

Myth Six - If we outsource our card processing we will be PCI DSS compliant.

WRONG: you have significantly reduced your audit scope, but it has not automatically made you compliant.

Outsourcing simplifies payment card processing but does not provide automatic compliance. Don't forget to address policies and procedures for cardholder transactions and data processing. You should request a certificate of compliance annually from providers. Also, with version 3 of the standard, the requirements for outsourcing are more stringent and you must contract with a compliant service provider.

Loading Conversation

Posted by eckoh at 10:51 AM on Sep 27, 2016


Recent Posts

Does it feel like it's panto season in your contact centre every day? If so,…


We've all watched on in horror ... as an out-of-control child creates havoc at a…


Are customers mysteriously falling out of love with your business — despite your…