3 Simple Steps to PCI Compliance


Justin Hamilton-Martin explains that, from 1st January 2015, PCI DSS compliance has become much tougher.

Contact centres taking over-the-phone payments from customers will already be only too familiar with the Payment Card Industry Data Security Standard (PCI DSS) – the internationally recognised standard developed by the PCI Security Standards Council (SSC).

What contact centre operators may be less aware of is that from January 1st 2015, compliance with this internationally recognised standard has become much tougher. For instance, the maximum number of questions to answer has risen from over 300 to over 400 – and non-compliance costs will be applied sooner and escalated more quickly.

For a small-to-medium-sized organisation, non-compliance costs could easily reach £166,000. For a larger financial services company, they could be a lot more.

This news will probably make the hearts of many call centre managers sink. After all, according to research last year, less than a third of companies were still PCI DSS compliant a year after achieving accreditation. This is not surprising, given the complexity and workload involved. As well as all the secure processes that have to be put in place and observed, there is the need to complete the various self-assessment questionnaires (SAQs) and, even when self-assessing, to work with approved PCI DSS consultants to achieve compliance.

However, the good news is that, even under these stricter rules, PCI DSS compliance does not have to be a logistical nightmare.

1. Make sure you are in the lowest possible self-assessment category

Make sure that your organisation falls into the lowest possible self-assessment category – bear with me on this as it’s quite complicated.

If your organisation processes fewer than 6 million transactions per year, it qualifies for levels 2-4 of PCI DSS compliance. This allows the company to self-certify using the appropriate PCI SAQ, of which there are four main categories (A-D) and further sub-categories (which I won’t go into here).

What is really important to know is that the number of questions that need to be answered varies hugely, from a few dozen to over 400, determined by factors such as whether or not customers’ payment details are entered into the computer network.

So, it makes sense to take as many preventative steps as possible to minimise future work, even if this feels like having to make a lot of up-front effort.

2. A consultant and ‘white room’ policy can help with day-to-day compliance

Consider consultants and processes. Of course, there’s a cost involved, but even for call centre operators that fall under the self-assessment banner, a PCI DSS consultant can make a big contribution to ensuring robust compliance. For organisations with over 6 million transactions per annum, using a consultant is necessary.

Also, make sure you’re applying as many processes as possible. For instance, apply a ‘white room’ policy prohibiting pens, paper, mobile phones, USB sticks or other storage devices from being taken into the contact centre environment.

3. DTMF clamping technology can mask payment information

Also think about your technology. You can remove most of the effort required by the previous two steps by using the right kind of technology.

For any organisation that hasn’t looked at PCI DSS solutions lately, now’s a good time to review what is available, because it’s progressed a lot in the past year.

For instance, DTMF (dual-tone multi-frequency) clamping technology completely masks the customer’s payment information from entering the contact centre – and makes screen and call recording safe for organisations.


This means that customers’ sensitive card details never even need to enter the contact centre environment. At the same time, it keeps the agent in the loop during the payment process (unlike traditional ‘pause/resume’ solutions), even though they cannot see that confidential information.

This technology helps to ensure a smooth customer and agent experience, while reducing the compliance burden to the most basic level, namely SAQ A or B (whereas ‘pause/resume’ solutions require SAQ C and D).
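To make the behaviour described above concrete, here is an added illustrative model of DTMF clamping in Python; it is not the vendor's product code. The call is modelled as a constructed list of media events (`SAMPLE_CALL`), `clamp_dtmf` diverts keyed digits to a payment handler only while capture is active and replaces them with a masked marker in the agent and recording path, and `luhn_ok` stands in for the payment handler's basic card-number check (all names are assumptions for this example).

```python
"""Illustrative DTMF clamping model (constructed example, not product code).

Events are (kind, value) tuples: "speech" carries transcript text, "dtmf" a keyed
digit, "ctl" a capture control signal from the payment workflow.
"""

def luhn_ok(pan: str) -> bool:
    """Luhn check as a stand-in for the payment handler's sanity check."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def clamp_dtmf(events):
    """Split one call into the agent/recording stream and the payment-only PAN.

    Returns (agent_stream, pan, pan_passes_luhn). While capture is active, DTMF
    digits never reach the agent stream; a "*" marker is emitted instead so the
    agent can see progress without seeing the digits.
    """
    agent_stream = []   # what the agent desktop and call recorder receive
    pan_digits = []     # delivered only to the payment handler
    capturing = False
    for kind, value in events:
        if kind == "ctl":
            capturing = value == "start_capture"
            agent_stream.append((kind, value))
        elif kind == "dtmf" and capturing:
            pan_digits.append(value)
            agent_stream.append(("dtmf", "*"))   # masked, keeps agent in the loop
        else:
            agent_stream.append((kind, value))   # IVR menu keys etc. pass through
    pan = "".join(pan_digits)
    return agent_stream, pan, luhn_ok(pan)

# Constructed sample call; 4111111111111111 is a well-known test card number.
SAMPLE_CALL = (
    [("dtmf", "2"), ("speech", "Agent: please key in your card number now"),
     ("ctl", "start_capture")]
    + [("dtmf", d) for d in "4111111111111111"]
    + [("speech", "Customer: done"), ("ctl", "end_capture"), ("dtmf", "1")]
)

if __name__ == "__main__":
    stream, pan, ok = clamp_dtmf(SAMPLE_CALL)
    print("agent/recording sees:", [v for k, v in stream if k == "dtmf"])
    print("payment handler got", len(pan), "digits, luhn ok:", ok)
```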

Steps such as these will help to transform the seemingly onerous workload of achieving PCI DSS to something that is not only achievable but feasible to maintain. With the recent changes to PCI DSS compliance, now is the ideal time to review current strategies – and to provide assurance for the company, its staff and its customers.

With thanks to Justin Hamilton-Martin at Ultra Communications

Author: Megan Jones

Published On: 11th Mar 2015 - Last modified: 18th Dec 2018
