PCI Compliance for Call Centers: 7 Things You Need to Know

As a central communication point between companies and customers, call centers collect, process and store huge amounts of personally identifiable information (PII) such as credit card data, addresses, social security numbers, and bank details.

To ensure that this information is properly handled without compromising security, call centers need to adhere to a set of strict regulations that protect all personal data that pass through them. In this article, we will talk about some of the most important things to know when it comes to PCI compliance for call centers.

1. Understanding PCI Compliance for call centers

In order to fully understand what PCI compliance for call centers is, and how companies can ensure that they are handling data securely, it’s important to understand what PCI-DSS really is.

PCI-DSS comes as a response to the variety of vulnerabilities present in the processing of sensitive information. A lot of times, the way we collect it and store it - for example, writing it down on a piece of paper - can quickly expose it to potential fraudsters and cyber criminals.

To solve some of the issues concerning the way data is stored and processed, the biggest credit card companies decided to create the Payment Card Industry Data Security Standard, also known as PCI-DSS.

The PCI standard affects virtually all sectors that deal with sensitive cardholder data, obligating companies to comply with a set of best practices to reduce vulnerability and decrease the risk for cyberattacks.

They revolve around 6 main pillars:

1. Build and Maintain a Secure Network – sensitive information needs to be secured with robust firewalls and strict safety controls.

2. Protect Cardholder Data – customer information cannot be stored on the company’s system without being encrypted. Writing it down on a piece of paper is not accepted.

3. Maintain a Vulnerability Management Program – are your software programs up to date? If the answer is no, you will need to make sure that all systems and applications are updated to the latest version, and protected by antivirus software.

4. Implement Strong Access Control Measures – physical access to cardholder data should be restricted, and your agents should be assigned a unique ID for computer access.5. Regularly Monitor and Test Networks – all access to network resources and data should be regularly monitored and tested for security issues.

5. Regularly Monitor and Test Networks – all access to network resources and data should be regularly monitored and tested for security issues.

6. Maintain an Information Security Policy that addresses information safety for employees and contractors.

Needless to say, businesses that do not comply with PCI are bound to face harsh negative consequences, including revenue loss, damaged reputation, and penalties starting from $5,000 monthly depending on the severity of the breach and the time spent in non-compliance.

PCI compliance for call centres is especially important to ensure to build and maintain customer trust, as well as ensure an impeccable business reputation when it comes to handling sensitive information.

2. Outdated practices that call centers should avoid at all costs

A recent survey conducted by Sycurio has revealed that more than 70% of the call centers are applying practices that compromise security, such as making customers read sensitive data aloud.

Here are some of the practices that call centers will need to abandon if they want to be PCI-DSS compliant:

• Insecure voice transactions – collecting credit or debit card information over the phone by making customers read account numbers aloud;

• Free access to payment information even if the customer is not on the phone;

• Sharing sensitive cardholder data with other agents unlawfully, without a justified purpose and the right security measures;

• Not reporting risky situations to the corresponding authorities;

• Using a pen and paper for writing down cardholder data;

• Allowing mobile phones in the call center, which increases the risk for information leaks;

Additionally, another underestimated factor that needs to be kept in mind is that poor employee outsourcing decisions increase cybersecurity risk.

In fact, they are responsible for over 63% of the data breaches that happen to call centers and other companies with similar activities.

3. Negative consequences of PCI-DSS for call centers

When it comes to PCI compliance for call centers, and for all companies that process and store data in general, not adhering to the best practices required by card issuers can lead to costly fines and penalties.

Here are some of the negative consequences of PCI non-compliance that call centers should be aware of, and avoid at all costs:

3.1. Monthly penalties by financial entities

One of the biggest consequences of non-compliance with PCI are the monthly penalties imposed by payment processors.

They can range from $5,000 to $100,000 per month depending on the level of PCI-DSS that the business should be on, as well as the amount of time during which it has been non-compliant.

3.2. Infringement consequences

Apart from the monthly penalties by payment processors, call centers and other companies can also suffer infringement consequences if a data breach occurs as a result of non-compliance.

They can include a penalty of $50-$90 per cardholder (of those involved in the data breach), lawsuits by clients, and even termination of the relationship with the bank or payment processor.

3.3. Revenue loss

Non-compliance with PCI-DSS may also lead to revenue loss. Not only because of all the monthly penalties and infringement consequences that we just mentioned, but also because of the company’s reputation damage, which may lead to a possible loss of clients.

In fact, the company may even go out of business if the penalties were too high, or the reputational damage too severe.

4. Keeping access to credit card information limited

One of the most important considerations when it comes to PCI compliance for call centers is the way access to credit card data (and other types of sensitive details) is controlled and limited.

In other words, call centres should consider all the points of contact that staff may have with sensitive information, and implement the necessary measures to ensure proper security and compliance.

This may include applying some of the following measures:

• Limit employee access to important areas of the building, especially the ones where most of the data is stored;

• Prohibit personal items or bags at the workstation;

• Ensure that agents pass through a security check before they enter the building;

• Install video surveillance of all entry and exit points;

• Control visits with a staffed reception desk and visitor logs;

Additionally, call centers must ensure that employees and agents that do have access to credit card information are properly trained on how to handle it, and do not neglect the requirements over time.

Regular training is also a great way to update agents on the frequently changing compliance standards as well.

5. The importance of training staff on security and compliance

As we mentioned previously, one of the most important things that companies will need to know when it comes to PCI compliance for call centers is that proper training on security and compliance can go a great way in reducing the risk for data leaks and breaches.

After all, the best way to protect cardholder data is to teach employees how to process it in a way that doesn’t compromise its security. The more your staff knows about it, the more likely they will be aware of the risks. Here are some tips on how to train employees on PCI compliance:

• Focus on internal training - while training programs on how to handle potential external threats are crucial, the risk management team should focus first on establishing internal security policies that all employees must follow.

• Make the training obligatory - since possible data leaks and breaches threaten all levels of the organisation, it is important to make the training mandatory to ensure that everyone is trained on the data security protocols.

• Establish regular training schedules - all agents should go through regular training sessions to ensure that they have a good understanding on the importance of cybersecurity.

Call centers often employ hundreds of agents. For this reason, it’s really important to ensure that all employees are on the same page, and they understand all the risks, challenges, and vulnerabilities that the company faces with PCI-DSS.

One way that call centers can ensure PCI-DSS compliance is by implementing a powerful and fully secure Payment Gateway that meets even the most rigorous requirements and regulations for payment security.

6. Encrypting credit card information

When speaking about PCI compliance for call centers, another important thing that organisations should keep in mind is the proper encryption of credit card information.

While the PCI-DSS regulations don’t mention encryption explicitly, they do stress on the importance of storing cardholder information using “strong cryptography with associated key-management processes and procedures”.

In fact, it is worth remembering that certain information, such as CVV codes, should not be stored at all.

However, other details can be stored - such as name, account number and expiry date - if the business requires it, as long as they meet the requirements concerning the level of encryption and key management.

PCI-DSS compliance requires a strong level of encryption - the minimum key strength should be 256 bits.

Additionally, call centers can make payment transactions more secure using payment tokenization. Tokenization is the process of converting sensitive information, such as credit card details, into randomly-generated, undecipherable values called tokens.

These tokens help to prevent credit card fraud by hiding personally identifiable information behind random elements with no extrinsic value.

It’s important that call centers are not handling any data that hasn’t been encrypted properly. Otherwise, there is a high risk of suffering fraud or a data breach.

7. PCI compliance for call centers: best practices

Apart from the best practices that we already mentioned previously, there are other ways to ensure that cardholder data is being handled securely:

7.1. Prohibit the use of pen and paper

Despite the convenience of digital notebooks, many agents are still using pen and paper to write down important information. One of the easiest ways to stay PCI compliant is to prohibit their use by switching to a whiteboard instead.

Taking this step will limit the physical storage of sensitive customer details.

7.2. Use a secure payment gateway

Another best practice when it comes to PCI compliance for call centers is the use of a secure, fully compliant payment gateway for the processing of all payment transactions.

For example, MYMOID has all the tools to ensure full payment security for call centers and other organizations, including:

• Level 1 PCI-DSS

• European Directive PSD2

• Continuous auditing and biometrics

7.3. Secure voice transactions

Recorded calls are subject to PCI Standard. If you are going to record your calls, make sure that they are compliant with all the requirements.

Otherwise, you can use technologies that pause recording when sensitive information is spoken to reduce the scope of PCI-DSS compliance. Some recording systems allow agents to manually pause the calls, while others integrate with their CRM system to make the process automatic.

7.4. Implement network controls

When talking about PCI compliance for call centers, it is very important to ensure that the entire network system is in full compliance with the guidelines of PCI-DSS.

This means installing an effective firewall and router, as well as establishing internal processes that provide extra layers of protection and security. Companies should restrict traffic from unsafe networks and hosts.

7.5. Establish strong passwords

One of the most underestimated guidelines of PCI-DSS are passwords.

Call centers should implement the necessary measures to ensure that all employees use strong passwords for their electronic devices, such as a mix of letters, numbers, and special characters.

7.6. Prohibit the use of mobile phones

And last but not least, it is important that the use of mobile phones is restricted or prohibited in the workstation. This way, companies can eliminate potential data leaks into the agent’s personal device.

Processing sensitive data with a third-party provider

Achieving PCI Compliance for call centers is obligatory if they record, store, and process the payment information of their customers. However, getting compliant can be extremely costly, with prices exceeding $200,000 depending on the size of the company, and the number of credit cards processed.

For this reason, many companies that handle cardholder data and other personally identifiable information prefer to process payment transactions with a third-party provider that is already compliant with PCI-DSS, such as MYMOID – an online payment gateway that offers completely secure solutions for businesses.