What is Compliance in the Contact Centre?
Compliance is the ability to adhere to an order or a set of rules. These rules may be internal to the company or external to it, set by a regulatory body. Compliance is not only a matter of the law itself: compliance standards are shaped by the legislation of the particular country in which the contact centre operates.
The main areas where contact centres need to be compliant are:
• Protecting credit card data (PCI DSS compliance)
• Protecting customer data (data protection act)
• Not generating nuisance calls (OFCOM compliance)
• Protecting staff against hearing loss (noise at work regulations)
Call centres which take payments over the phone must take steps at every possible stage to protect the sensitive data of the customer, to ensure that their identity is protected and to prevent fraud. This means that all of the card details are kept confidential and handled securely.
This protection of sensitive data is governed by the Payment Card Industry Data Security Standard (PCI DSS), an internationally recognised standard maintained by the PCI Security Standards Council. This council regards the Data Protection Act of 1998. The standard sets out the regulations an organisation must adhere to in order to stay compliant, and doing so gives customers confidence and reassurance in the company.
Failure to comply can lead to large fines and issues with the company’s reputation, and therefore impact upon its business.
Compliance can be a difficult topic, as there are many contact centres that fail to adhere to the strict regulations. Adhering to compliance regulations can be a large task because rules can be difficult to keep up with, and it can be expensive. It is costly to install the latest technologies to avoid non-compliance, such as the keypad payment by phone technology.
There are a number of pitfalls when a contact centre is asked for proof of compliance. A PCI DSS assessment works through a set of questions asked about the contact centre's systems in order to evaluate how securely the data is handled. These questions may be few in number or as many as 400, and such a large number increases the likelihood that some requirement is missed and the centre is found non-compliant.
There are methods to stay within the compliance regulations, as laid out in the article below.
The PCI Security Standards Council does provide some tips for call centres to be compliant. These tips include ensuring that payment details are only taken when necessary, limiting the time that the sensitive data is stored in the system, and ensuring that the card validation code (CVC) is never stored. They also advise that when the Permanent Account Number (PAN) is taken, it is masked or rendered unreadable.
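As an added illustration of the last two tips (not code from the article or from the PCI Security Standards Council), the Python below masks a card number (PAN) before it is stored or displayed, strips the CVC from a payment record before it is persisted, and scrubs card numbers that agents may have typed into free-text call notes. The field names `pan`, `cvc` and `expiry`, the sample values, and the choice to keep only the last four digits are assumptions for the example; the Luhn check is used only to avoid masking ordinary reference numbers that happen to be long.

```python
import re
from typing import Any, Dict

# Example code: field names, sample values and the last-four masking policy are
# assumptions for this illustration, not taken from the article or the PCI SSC.

# Matches 13 to 19 digits, optionally separated by spaces or dashes, as they
# might appear when an agent types a card number into call notes.
_PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Keys that must never be stored after authorisation (card validation code).
_FORBIDDEN_KEYS = {"cvc", "cvv", "cvv2", "cid"}


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a card number so that only the last four digits remain readable."""
    digits = re.sub(r"[ -]", "", pan)
    if not (13 <= len(digits) <= 19) or not digits.isdigit():
        raise ValueError("not a plausible card number")
    return "*" * (len(digits) - 4) + digits[-4:]


def sanitize_payment_record(record: Dict[str, Any]) -> Dict[str, Any]:
    """Drop the CVC entirely and mask the PAN before a record is written to storage."""
    cleaned = {k: v for k, v in record.items() if k.lower() not in _FORBIDDEN_KEYS}
    if "pan" in cleaned:
        cleaned["pan"] = mask_pan(str(cleaned["pan"]))
    return cleaned


def scrub_free_text(text: str) -> str:
    """Replace Luhn-valid card numbers in free text (e.g. call notes) with masked form."""
    def _replace(m: "re.Match[str]") -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return _PAN_RE.sub(_replace, text)


if __name__ == "__main__":
    # Constructed sample record: the PAN is a well-known test number, not a real card.
    sample = {"pan": "4111 1111 1111 1111", "cvc": "123", "expiry": "12/29"}
    print(sanitize_payment_record(sample))
    print(scrub_free_text("Order ref 12345 card 4111-1111-1111-1111 ok"))
```

Running `sanitize_payment_record` at the point where a record leaves the agent's session, rather than at reporting time, is what keeps the CVC from ever reaching disk; the free-text scrubber is a safety net for notes fields, which are an easy place for card data to leak into ordinary storage.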