The PCI-DSS standard addresses common cyber security issues
The digital transformation across all industries has left much to be desired when it comes to cyber security. To solve some of the issues concerning the way payment data is stored and processed, the biggest credit card companies decided to create the Payment Card Industry Data Security Standard, or, as it is called for short, PCI-DSS. Today, we will focus on the changes that PCI compliance implies for call centers, explaining some key considerations to keep in mind before becoming compliant.
The PCI standard affects virtually all sectors that deal with sensitive cardholder data, obligating companies to comply with a set of best practices that reduce vulnerability and decrease the risk of cyber attacks. Needless to say, businesses that do not comply with PCI are bound to face harsh negative consequences, including revenue loss, damaged reputation, and penalties starting from 5,000 dollars monthly. These newly implemented regulations will affect almost all verticals in 2018, including hotels, travel companies, and call centers.
What changes PCI Compliance will bring for Call Centers
To ensure the best practices of handling data, call centers will need to meet the six goals established by the Security Standards Council:
- Build and Maintain a Secure Network – sensitive information needs to be secured with robust firewalls and strict safety controls.
- Protect Cardholder Data – customer information cannot be stored on the company’s systems without being encrypted. Writing it down on a piece of paper will no longer be accepted.
- Maintain a Vulnerability Management Program – Are your software programs up to date? If the answer is no, you will need to make sure that all systems and applications are updated to the latest version and protected by anti-virus software.
- Implement Strong Access Control Measures – physical access to cardholder data should be restricted, and your agents should be assigned a unique ID for computer access.
- Regularly Monitor and Test Networks – all access to network resources and data should be regularly monitored and tested for security issues.
- Maintain an Information Security Policy that addresses information safety for employees and contractors.
Dangerous outdated practices that Call Centers should abandon
A recent survey conducted by Semafone has revealed that more than 70% of call centers apply practices that compromise security, such as making customers read sensitive data aloud. Here are some of the practices that will need to be abandoned with PCI compliance:
- Insecure voice transactions – collecting credit or debit card information over the phone by making customers read account numbers aloud;
- Free access to payment information even if the customer is not on the phone;
- Sharing sensitive cardholder data with other agents unlawfully, without a justified purpose and the right security measures;
- Not reporting risky situations to the appropriate authorities;
- Using a pen and paper for writing down cardholder data;
- Allowing mobile phones in the call center, which increases the risk for information leaks;
Additionally, an underestimated factor that needs to be kept in mind is that poor employee outsourcing decisions increase cyber security risk – in fact, they are responsible for over 63% of the data breaches that happen to call centers and other companies with similar activities.
PCI Compliance for Call Centers: best practices
To ensure that you are handling cardholder data securely, you need to implement some of the following practices:
- Make sure that all agents and supervisors have role-based logins to control and limit the exposure of data;
- Use a whiteboard instead of writing down information on a piece of paper – it limits the physical storage of customer details;
- Forbid mobile phones in the call center to minimize information leak risk;
- Secure voice transactions – recorded calls are subject to the PCI standard. If you are going to record your calls, make sure that the recordings are compliant; otherwise, use technologies that pause recording when sensitive information is spoken.
- Personal items or bags should be prohibited at the workstation, and it is recommended that agents pass through a security check when entering the building.
Additionally, it is critical to ensure that the entire network system is compliant with PCI Guidelines, and all internal processes are covered by additional layers of protection.
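The recording and storage rules above come down to one control: a full card number (PAN) must never land unprotected in a transcript, note or log. The following script is an added example, not part of the original article or any vendor product, showing how a call center could scan constructed transcript text for Luhn-valid card numbers and mask them to the first six and last four digits, the maximum PCI DSS allows to be displayed.

```python
import re
from typing import Tuple

# Runs of 13-19 digits, optionally separated by spaces or dashes,
# not preceded or followed by another digit (avoids partial matches).
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out
    ticket numbers and other digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep at most first six and last four digits (PCI DSS display rule)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_pans(text: str) -> Tuple[str, int]:
    """Return the text with every Luhn-valid PAN masked, plus a count."""
    count = 0

    def repl(match: "re.Match[str]") -> str:
        nonlocal count
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            count += 1
            return mask_pan(digits)
        return raw              # not a card number, leave it untouched

    return CANDIDATE.sub(repl, text), count


# Constructed sample transcript: one test Visa number and one ticket id.
SAMPLE_TRANSCRIPT = ("Agent: please read your card. Customer: 4111 1111 1111 1111. "
                     "Agent: your case number is 1234 5678 9012 3456.")

if __name__ == "__main__":
    cleaned, found = redact_pans(SAMPLE_TRANSCRIPT)
    print(f"masked {found} PAN(s): {cleaned}")
```

Masking is only for display and logging; any PAN that genuinely has to be stored still needs encryption or truncation as the standard requires.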
Processing sensitive data with a third-party provider
Achieving PCI compliance is obligatory for call centers that record, store, or process their customers' payment information. However, getting compliant can be extremely costly, with prices exceeding $200,000 depending on the size of the company and the number of credit cards processed.
For this reason, many companies that handle cardholder data and other personally identifiable information prefer to process payment transactions with a third-party provider that is already compliant with PCI-DSS, such as MYMOID – an online payment gateway that offers completely secure solutions for businesses.