How Do You Make Your Call Centre PCI Compliant?

Any call centre that handles credit and debit card details has a duty to protect their customers from fraud.

We asked our experts for some advice on becoming PCI compliant.

The technology considerations

For those call centres that record all customers’ calls, including payments processed over the phone, those call recorders must be PCI compliant.

There are three main options available for using technology to become PCI compliant.

1. Automated ‘pause and resume’ technology

Automated ‘pause and resume’ technology can prevent sensitive information from being recorded.

The ‘pause and resume’ software recognises when the agent has transferred through to the payment screen and pauses the recording. Once the agent moves away from the payment window, the system resumes recording the call.

This allows the card details to be given over the phone without compromising the security of the data.

With thanks to David Smeeton, Smartcall

2. Automated ‘mute and unmute’ technology

This approach is similar in principle to ‘pause and resume’, but rather than stopping the recording and restarting it, this approach mutes both the agent and the caller audio within the recorder while the agent is in the payment details screen. The recording isn’t stopped but, importantly, nothing is recorded, so on subsequent playback, only silence or an audible tone is heard.

Atiq Rehman

Both the ‘pause and resume’ and ‘mute and unmute’ approaches meet the requirements of PCI DSS. The difference between them relates to how the subsequent recordings are stored and retrieved.

With ‘pause and resume’, the actual recording is stopped and then started again. For some basic recording solutions this results in two separate recordings with two separate, unlinked, call detail records. This may cause problems when trying to find and play back recordings, as you have to find two calls instead of one.

Even when ‘pause and resume’ maintains a single call recording, it can result in apparent anomalies in reporting. The missing segment of the recording suggests differences in common contact centre reporting measures for call start and end times, call duration, talk time, etc.

In the ‘mute and unmute’ solution, the sensitive authentication data is not recorded but the call is nevertheless captured as a single instance with a full and accurate call detail record.

With thanks to Atiq Rehman, Consultancy & Training Manager, Business Systems.

3. ‘Keypad payment by phone’ technology

Simon Beeching

Switching to ‘keypad payment by phone’ technology increases PCI compliance as it prevents your agents from seeing or hearing the customer’s card details.

The process is simple. The agent asks the customer mid-call to enter their card details using the keypad on their phone, and then launches the authorisation request as usual from a virtual payment page.

This technology masks the DTMF touchtones (and therefore the card details) from the call recording as well as the agent, covering off both and thus ‘de-scoping’ your call centre.

There’s no interruption in the service, as the agent remains on the line whilst the customer enters their card details using their phone keypad. The numbers are then communicated electronically to your Payment Services Provider for authorisation, and the customer data never enters your call centre or call recording.

With thanks to Simon Beeching, Syntec

The security considerations

PCI compliance is about more than just securing your systems and encrypting your data.

In many ways, those are the easy parts. Where those systems and data come into contact with humans is the weak point. In a complex operational environment, where hundreds of people might be coming and going every day, proper security procedures are absolutely essential.

Carl Adkins

Physically limit access to sensitive information

Access to sensitive customer and payment data needs to be restricted.

For example, you may need to limit access to key areas of the building by adopting an RFID card system.

Role-based log-ins

Agent and supervisor desktops should have role-based log-ins, so that each member of staff is only able to access what they need to do their job.

Change passwords frequently

You should make sure that all of your access passwords are strong (e.g. a mix of numbers, and lower- and upper-case characters) and are changed regularly.

With thanks to Carl Adkins, Infinity CCS

Limit the number of staff exposed to sensitive data

Jonathan Gale

One of the biggest issues you will face in making your call centre PCI compliant is managing the people involved.

The more you can limit the number of agents that are exposed to sensitive data and reduce the amount of data they can see, the safer your data will be.

The best way to do this is to make sure that your staff are only given access to the information they need to do their job.

Proof of compliance

The PCI Security Standards Council report recommends that companies that have undergone PCI DSS compliance assessment and validation will be able to provide proof of compliance documentation, such as the Attestation of Compliance (AOC) and appliance sections from the Report on Compliance (ROC), including the date of assessment.

You should also be willing to share evidence of system components and services that were excluded from the assessment.

With thanks to Jonathan Gale, NewVoiceMedia

Swap paper for white boards

A simple and cost-effective way to become PCI compliant is to remove all pens and paper from your contact centre.

Replace them with mini whiteboards, which cannot be removed from the desk and are cleaned on a regular basis.

Ban the use of mobile phones in your contact centre

If you ban your agents who handle card payments from using their mobile phones, you will reduce the chance of sensitive information being leaked from your contact centre via text, phone call or picture message.

With thanks to Joe Richardson, ctalk

How do you make sure that your contact centre is PCI compliant?

Author: Megan Jones

Published On: 18th Sep 2013 - Last modified: 29th Apr 2022
Read more about - Customer Service Strategy, Business Systems, Ctalk, Infinity CCS, PCI Compliance, Syntec, Vonage

7 Comments

Nice to see a great article covering all the corners of PCI compliance!
The contact centre I have worked in for the past 8 years really struggled to find a suitable solution, and after much deliberation decided to outsource
Great company with a real business focus. Would highly recommend to anyone having similar PCI compliance nightmares!

Jack Choules

Jack Choules 17 Sep at 14:05
Hi Jonty, hope all well at CCH.
As PCI Programme Director for a FTSE 100 company now fully compliant – with over 15,000 agents – I have to concur with Simon Beeching’s recommendation: DTMF capture! I would go further, in my view and with personal experience, DTMF capture is the only contender for organisations with more than 50 agent seats. DTMF capture removes the voice channel, (as do the other solutions in part), but most significantly also removes the agents themselves (who no longer hear PCI data), desktop infrastructure, screen recording, telephony network, core network – and do not mandate draconian conditions in the call centres. This is a voice solution that has true strategic impact on the PCI programme – removing the requirement for over 250 controls on masses of infrastructure.
I urge your readership to look at DTMF capture solutions. These if implemented correctly will remove agents, call and screen recording, desktop, telephony and network infrastructure from your PCI scope. This took two years and £xM off the length and cost our PCI Programme.
Best regards to all at CCH – Iain Johnston, Ex-PCI Programme Director, FTSE 100 Coy

Iain Johnston 23 Sep at 11:36
We were looking for a solution that would de-scope the contact centre from PCI, allow us to take repeat and scheduled payments securely but also provide our customers with the confidence that we were taking the security of their card data seriously. We looked at all three options when attempting to close our PCI gap, but there was only one option that met all 3 requirements and integrated seamlessly with our Call Manager, call recording and CRM system. That solution was DTMF tone masking technology coupled with tokenisation. The technology revolutionised our contact centre and both our agents and our customers love it.
Rhodri Evans – Head of Information Security, Principality Building Society

Rhodri Evans 30 Sep at 14:32
Can a website such as Amazon ask me for my account password for account verification?

John 5 May at 23:03
There are no rules preventing it, but it is a technique that scammers use to get account passwords.
If in doubt go back in and change your online password.

jonty pearce 6 May at 10:36
There is no simple way, however if you want to minimize the scope cloud PCI compliant IVR Payment solutions that push the credit card transactions outside of your network will simplify things. The DTMF tone masking technology that Rohdri mentions works well in some environments, however can require re-org of your telephony network and can be a pretty big project. Great suggestions over all.

Barnard 16 Jul at 01:14
I work at a call centre that is PCI. We are not allowed to have cell phones or pens at our desk which I get…. But recently they have started saying no reading books at your desk. Is this allowed and is actually a rule in Pci compliance…?

Thanks

Craig 24 Aug at 17:00