Contact Centers
Operations
Voice
3 Ways to Achieve and Maintain PCI DSS Compliance
Natterbox Team
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements that are designed to protect sensitive cardholder data wherever it is stored, processed or transmitted. These requirements apply to any organization that handles card payments in any capacity. If you work for a company who takes card payments from customers, you are responsible for keeping that data as safe and secure as possible – not just to protect your customers, but to protect your business as well.
How To Make Your Contact Center Compliant
PCI DSS compliance is about more than just securing your systems and encrypting your data. In many ways, those are the easy parts. Where those systems and data come into contact with humans is the weak point. In a complex operational environment, where hundreds of people might be coming and going every day, proper security procedures are absolutely essential.
One of the easiest ways to simplify compliance is to focus on 3 key areas.
- Secure the Network Environment
Companies who store sensitive cardholder information have an obligation to secure their network with robust firewalls and strict security controls. You’ll therefore want to work with a reputable ISP and telephony company which has a strong and resilient infrastructure to minimise the chances of external attack.
Internally, companies must protect their data against threats from malicious parties using antivirus software, anti-spyware programs, and other malware protection solutions. This helps to protect your own network and infrastructure from intrusions and can also be used to prevent data leakage, a major source of data loss. It goes without saying that any data that is held must be encrypted whether it be held on site or in the cloud.
- People are Often the Weakest Link
One of the biggest issues you will face in making your call center PCI compliant is managing the people involved. The more you can limit the number of agents that are exposed to sensitive data and reduce the amount of data they can see, the safer your data will be. The best way to do this is to make sure that your staff are only given access to the information they need to do their job, maybe even go as far as banning your agents who handle card payments from using their mobile phones. You can also reduce the chance of sensitive information being leaked from your contact center via text, phone call or picture message.
Organizations that fail to comply to the PCI DSS standard could face a range of penalties by payment providers, including fines, increased transaction fees or even the termination of the relationship altogether.
Source: PCI Compliance Guide
- Better Still – Adopt Innovative Technology
The evolution of how we pay for goods and services has been the driving force behind emerging technology to help improve PCI compliance and make it easier. Remember that PCI compliance is merely a standard and that over time organizations can become complacent or simply fall down by not keeping up with the latest technology.
For customers reading out sensitive card details on the phone, pause and resume call-recording isn’t enough to be compliant. You still have to rely on your agents to stop the recording, important information from the customer might be missed, and even then your agents are exposed to the card details that could be used for malicious purposes.
DMTF, (Dual Tone Multi-Frequency), or in simple terms using a keypad to enter digits whilst disguising the inputs from the agent on the other side of the call, is a great way to increase compliance. However, you need to be cautious as not all solutions are created equal.
The best way forward is to adopt a solution that’s proven, such as Natterbox PCI Payments. Partnering with industry leaders PCI Pal means that you and your customers can be assured that data is safe during the payment transaction. In fact, due to the way it works, sensitive card details will never be seen, heard or stored on your systems, it’s channelled directly to the payment processor through a secure connection, minimizing any risk of data loss. Best of all, all of this can be achieved within the Salesforce CRM environment, avoiding the need for multiple systems and potential weak security points.
Regular Review is Critical
PCI DSS is a standard which you should aim to not only achieve on the day of compliance testing but every day and every week that goes by after that.
Due to the development of ongoing and emerging threats, it’s critical to keep your systems and processes under constant review. Over time new threats may emerge, new technology may further enhance security or you might even experience an unexpected breach. By working closely with your IT, payment processing, CRM system and telephony providers, you’ll always ensure you have the most up to date security in place to protect not only your customers data but your reputation too.