The Leading Contact Centre Magazine

An Introduction to PCI DSS Compliance for Contact Centres


Colin Hay of Puzzel met up with Tony Smith of PCI Pal to discuss how to make compliance and customer experience the perfect match.

As many more of us rely on credit and debit cards to pay for goods and services, the fear of our personal information ending up in the wrong hands is growing and the threat is real.

According to research sponsored by IBM Security, the average total cost of a data breach is US$3.62 million, with each lost or stolen record typically costing US$141.

Alarmingly, 47% of the organisations represented in the research said the root cause of their data breaches was malicious or criminal attack, followed by system glitches and human error.

Three Contact Centre Challenges

The truth is that data breaches result in lost sales and customer loyalty, with the added burden of the costs of finding the source of the original breach, containing the damage, repairing corporate reputation and paying fines.

Contact centres accepting card payments often face an additional set of challenges:

1. Cardholder not present – when consumers make purchases online or in-store, they are generally in control of the payment and have their credit or debit cards with them. This is not the case in contact centres, where paying via an intermediary is often a leap of faith as agents switch between screens and IT systems to complete customer card transactions.

2. Conflicting needs – customers want personalisation, immediacy, single-agent resolution, choice of channel and they want companies to value their data security as highly as they do. Businesses want customer loyalty, employee engagement, standard IT platforms, effective cost control, risk and compliance management. Blending the two together can be a distant dream.

3. All channels, all ways – customers today expect to interact using a variety of channels but these vary greatly depending on demographics. While consumers under the age of 34 opt for mobile apps, social media and webchat, their more mature counterparts usually prefer the telephone. The payment experience has to be first class whatever the channel or demographic.

Why Take PCI DSS Compliance Seriously?

While the majority of card accepting contact centres understand the importance of protecting customer data from fraud and cybercrime, not all appreciate the importance of putting the Payment Card Industry Data Security Standard (PCI DSS) into practice.

PCI compliance is linked to a decrease in data breaches but the fact remains that over 40% of global organisations are still not meeting PCI DSS compliance standards, according to a 2017 Verizon report.

Traditionally, contact centres relied on a variety of compensating controls such as call and screen recording, encrypted VoIP technology and a clean room environment as a shortcut and cure-all for PCI compliance. However, these methods have proved to be no more than a band-aid fix.

The aim should be for contact centre agents to take card payments without handling the actual card data itself, but how?

The answer lies in working with a third-party payment service provider to remove card data from the process, and the contact centre, to help achieve compliance.

Three Ways to De-Scope

1. Educate staff on phishing attacks and deploy anti-phishing software – in busy, high-pressure environments like contact centres, it’s easy for agents to click on an email that appears to be sent from a reliable source and inadvertently share sensitive information.

Educating staff to identify and report phishing emails goes a long way in preventing attacks but check your anti-phishing software is up to date to help stop malicious emails reaching agents in the first place.

2. Ensure PCI compliance – from out-of-date anti-virus software and old hardware to not encrypting stored credit card details, there are multiple points at which an organisation might not be PCI DSS compliant at the time of a data breach.

When it comes to payments in the contact centre, the goal should be to ensure that as little credit card data as possible is stored or accessed and, where possible, that it is removed from the environment altogether.

3. Make de-scoping technology your best friend – avoid storing card data on your internal infrastructure by working with a technology provider that ensures PCI DSS compliance and improves the ongoing security of all telephone, IVR, web and SMS financial transactions.
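The point of step 2 is that card data should not linger in the contact centre's own systems: webchat transcripts, CRM notes and call wrap-up fields are typical places where a customer-typed card number ends up and silently pulls that store into PCI DSS scope. A practical first check is to scan stored records for anything that looks like a primary account number (PAN) and truncate it. The Python below is an added example written for this page, not code from Puzzel, PCI Pal or the original article; it assumes records are plain text strings, applies the Luhn check (ISO/IEC 7812) to cut down false positives such as order references, and keeps only the last four digits. The sample transcript is constructed and uses the widely published Visa test number 4111 1111 1111 1111.

```python
import re

# Runs of 13 to 19 digits, allowing a single space or dash between digits,
# as card numbers are commonly typed into a chat window or pasted into a CRM note.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample transcript (not real customer data).
SAMPLE_TRANSCRIPT = [
    "agent: Thanks, can I take the long number on the front of the card?",
    "customer: sure it's 4111 1111 1111 1111",
    "agent: and the order reference?",
    "customer: 1234567890123456",
    "agent: got it, you can reach us on 020 7123 4567",
]


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Truncate a PAN to its last four digits; the rest is replaced with '*'."""
    return "*" * (len(digits) - 4) + digits[-4:]


def redact_pans(text: str):
    """Redact every Luhn-valid PAN in one record.

    Returns (redacted_text, number_of_pans_found). Digit runs that fail the
    Luhn check (order numbers, ticket ids) are left untouched.
    """
    found = 0

    def _sub(match):
        nonlocal found
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_valid(digits):
            return raw
        found += 1
        return mask_pan(digits)

    return _CANDIDATE.sub(_sub, text), found


def scan_records(records):
    """Redact a list of records and report a per-record hit count.

    The hit counts tell you which stores still hold card data and therefore
    still sit inside PCI DSS scope.
    """
    redacted, hits = [], []
    for rec in records:
        clean, n = redact_pans(rec)
        redacted.append(clean)
        hits.append(n)
    return redacted, hits


if __name__ == "__main__":
    clean, hits = scan_records(SAMPLE_TRANSCRIPT)
    for line, n in zip(clean, hits):
        print(f"[{n} PAN(s)] {line}")
```

Run over the constructed transcript, only the second line is altered (to `customer: sure it's ************1111`); the 16-digit order reference fails the Luhn check and the phone number is too short to be considered, so both stay as they are. In a real deployment the hit counts, not the redacted text, are the useful output: a non-zero count against a transcript store or CRM table is evidence that card data is still entering the environment and that the de-scoping approach described in step 3 has a gap to close.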

Whatever the approach taken, it is important for agents to continue to talk to customers to deliver a seamless, satisfying customer experience throughout the payment process.

When choosing a de-scoping partner, make sure their organisation is Level 1 PCI DSS certified. Only organisations can be PCI DSS compliant, not software products. The technology should also be highly customisable, scalable and integrate seamlessly with multiple acquirers and banks.

Superior reporting capabilities are essential for demonstrating PCI DSS compliance to Qualified Security Assessors (QSAs). The perfect de-scoping partner should additionally offer accessibility and stability with a 24/7 global support system including a dedicated secure customer portal and guaranteed 99.999% uptime.

Colin Hay

It’s time to step up protection and introduce de-scoping to stop cybercriminals in their bid to access sensitive payment data.

By following these three simple steps, you’ll be rewarded with a highly flexible, innovative contact centre that delivers consistent, exceptional customer experience and boosts customer loyalty, sales and profits.

To find out more, join Puzzel and PCI Pal at a breakfast briefing in London on 4th October by registering here.

This blog post has been re-published by kind permission of Puzzel.

To find out more about Puzzel, visit their website.

Published On: 6th Sep 2018 - Last modified: 2nd Oct 2018