Four Ways to Achieve PCI DSS Compliance in the Customer Contact Centre

The theft of cardholder details is a huge problem for merchants and card brands – especially when it comes to transactions where the customer is not present.
Verizon estimates that between 2005 and 2010 more than a billion records were stolen in data breach incidents, with payment card data being the target of theft in 48 per cent of all breaches in 2011 alone. This ever-present threat of fraud makes additional security at the point of payment essential.
Cardholder data theft takes many forms:

  • Customers can be overheard as they give payment details over the phone
  • Staff members from companies taking payments may access and store card details illegally
  • External parties may capture customers’ information by intercepting telephone calls or gaining access to unsecure networks

What is PCI DSS?
The Payment Card Industry Data Security Standards (PCI DSS) is an internationally recognised set of technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data.
The PCI DSS follow common-sense steps that mirror security best practices:
Assess - identify cardholder data, take an inventory of IT assets and business processes for payment card processing, and analyse them for vulnerabilities that could expose cardholder data.
Remediate - fix vulnerabilities and do not store cardholder data unless absolutely necessary.
Report - compile and submit required remediation validation records (if applicable), and submit compliance reports to acquiring bank and card providers.
The PCI DSS apply to any organisation that stores, processes or transmits sensitive cardholder data.
Merchants that fail to comply with the PCI DSS run the serious risk of costly fines, damaged customer relationships and bad PR. Penalties can include: losing the ability to process payments and fines of up to £100,000.
How does an organisation become PCI compliant?
To become PCI DSS compliant, organisations must adhere to requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. They must also ensure that customers’ payment card data is kept safe throughout every transaction.
There are many PCI DSS compliant technology solutions on the market today that reduce the risk of unauthorised access to, and subsequent use of customers’ information. But not all solutions are the same.
By implementing a PCI solution, organisations can remove their contact centre advisors from the scope of PCI DSS.
Advisor-assisted PCI solutions allow advisors to collect customer payment information without ever seeing or hearing the card details. However, they are able to remain on the phone and assist customers throughout the payment process, minimising confusion and the chance of customers ending calls before their transactions are complete.
Advisors simply prompt customers when each piece of information is required, with customers using their telephone keypad to type in card details. The tones generated by the phone are then collected, bypassing the recording and advisor into the PCI application and payment gateway. All calls can be recorded as normal to ensure that, if applicable, FSA regulations are met.
Fully automated PCI solutions (i.e. non advisor-assisted) are also available (see option 3 below).
PCI solutions completely prevent any possibility of fraud, whether advisors are working in a contact centre, or remotely. They allow organisations to promote complete payment security, instilling customer confidence and readiness to transact and makes PCI compliance simple but thorough for any business.
How does a PCI solution work?
STEP 1: At the point of payment, advisor opens payment screen.
STEP 2: Advisor guides customer through payment, requesting each piece of information when needed.
STEP 3: System collects card details.
STEP 4: Captured details are sent to acquiring bank.
STEP 5: Advisor receives payment confirmation and authorisation code for customer.
STEP 6: Payment is made to beneficiary.
How can a PCI solution be deployed?
There are broadly four options for handling card payments over the phone using Cloud or premise-based PCI compliant technology solutions. Other PCI technology options, notably desktop-based PCI solutions, are not discussed in this White Paper.
Option 1: PCI Cloud Delivery
Delivered using an open standards-based platform, platform, PCI Cloud-based services easily integrate to existing in-house contact centre systems or Cloud-based services.
Option 2: PCI Premise-based Delivery
This advisor-assisted solution provides PCI DSS compliance via an on-site hardware/software solution, placed in front of the client’s PBX. It should be noted that this solution does not remove advisors’ machines from PCI scope. Companies still need to demonstrate that they have policies around antivirus and anti malware and that they have security devices on site - and that these are kept up-to-date. It also means the client’s premises must be periodically audited (depending on the volume of transactions) by a Qualified Security Assessor (QSA).
Option 3: PCI Voice Portal/ IVR Delivery
The first two PCI options relate to situations where advisors remain on the line while customers are making payments, providing assistance as required. An alternative scenario is where payments are handled by a Voice Portal/ IVR system without advisors being online. This can happen in one of two ways:
The call starts as an advisor-assisted call. At the point that the customer is required to make a payment, the advisor transfers the call to the IVR system. While the payment transaction occurs, the advisor can either remain on hold until it is completed, or assist other customers. A ‘mid call divert’ facility is frequently provided with this type of solution, enabling the customer to reach an advisor by pressing a single button on their telephone keypads or saying ‘advisor’ or ‘help’ (if speech recognition is used).
Customers dial directly into the voice portal/ IVR, enabling the transaction to be handled in a completely automated manner. This solution is common where regular payments are involved. As above, a mid call divert facility can be provided to give the option of live operator assistance if required.
Option 4: Integrated Service Delivery
The final deployment technique is to use PCI technology in conjunction with other inbound, outbound and automated Cloud contact centre services as a fully integrated service solution.
We say there are four options for deploying PCI compliant technology solutions for managing card payments but of course there is a fifth, which is to not invest in one at all.
Organisations that choose this option, however, must have their centres regularly checked by PCI auditors to demonstrate compliance with necessary policies and procedures. Not only does this require considerable senior management time but also IT management time to isolate devices involved with cardholder data and purchase/install additional hardware (such as Firewalls and even CCTV cameras).
Centres also need to security-screen staff and operate ‘clear desk’ policies, preventing employees from bringing mobile phones, electronic storage devices, paper, pens and other essential work equipment to their desks. It is estimated that all this can cost around £2000 per agent.
By Robert Bates, Commercial Director, Ultra Communications +44 (0)207 965 0207