Any call centre that handles credit and debit card details has a duty to protect their customers from fraud.
We asked our experts for some advice on becoming PCI compliant.
The technology considerations
For those call centres that record all customers’ calls, including payments processed over the phone, those call recorders must be PCI compliant.
There are three main options available for using technology to become PCI compliant.
1. Automated ‘pause and resume’ technology
Automated ‘pause and resume’ technology can prevent sensitive information from being recorded.
The ‘pause and resume’ software recognises when the agent has transferred through to the payment screen and pauses the recording. Once the agent moves away from the payment window, the system resumes recording the call.
This allows the card details to be given over the phone without compromising the security of the data.
With thanks to David Smeeton, Smartcall
2. Automated ‘mute and unmute’ technology
This approach is similar in principle to ‘pause and resume’, but rather than stopping the recording and restarting it, this approach mutes both the agent and the caller audio within the recorder while the agent is in the payment details screen. The recording isn’t stopped but, importantly, nothing is recorded, so on subsequent playback, only silence or an audible tone is heard.
Both the ‘pause and resume’ and ‘mute and unmute’ approaches meet the requirements of PCI DSS. The difference between them relates to how the subsequent recordings are stored and retrieved.
With ‘pause and resume’, the actual recording is stopped and then started again. For some basic recording solutions this results in two separate recordings with two separate, unlinked, call detail records. This may cause problems when trying to find and play back recordings, as you have to find two calls instead of one.
Even when ‘pause and resume’ maintains a single call recording, it can produce apparent anomalies in reporting. The missing segment of the recording creates discrepancies in common contact centre reporting measures such as call start and end times, call duration and talk time.
In the ‘mute and unmute’ solution, the sensitive authentication data is not recorded but the call is nevertheless captured as a single instance with a full and accurate call detail record.
With thanks to Atiq Rehman, Consultancy & Training Manager, Business Systems.
3. ‘Keypad payment by phone’ technology
Switching to ‘keypad payment by phone’ technology increases PCI compliance as it prevents your agents from seeing or hearing the customer’s card details.
The process is simple. The agent asks the customer mid-call to enter their card details using the keypad on their phone, and then launches the authorisation request as usual from a virtual payment page.
This technology masks the DTMF touchtones (and therefore the card details) from both the call recording and the agent, covering off both and thus ‘de-scoping’ your call centre.
There’s no interruption in the service, as the agent remains on the line whilst the customer enters their card details using their phone keypad. The numbers are then communicated electronically to your Payment Services Provider for authorisation, and the customer data never enters your call centre or call recording.
With thanks to Simon Beeching, Syntec
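To show what the DTMF masking in option 3 has to do at the audio level, here is an added Python example (not code from Syntec or any of the page's contributors): it detects key presses with the Goertzel algorithm and blanks those frames, plus a guard frame either side, before the audio reaches the recorder, while handing the digits themselves to the payment path. The tone table is the standard DTMF grid; the 8 kHz sample rate, 205-sample frame, energy threshold of 300 and one-frame guard band are assumptions chosen for the constructed audio.

```python
import math
# Constructed example: Goertzel DTMF detection, then blanking of key-press frames.
SAMPLE_RATE = 8000
FRAME = 205                          # classic 205-sample DTMF window at 8 kHz
ROW_HZ = (697, 770, 852, 941)        # DTMF low-group (row) tones
COL_HZ = (1209, 1336, 1477, 1633)    # DTMF high-group (column) tones
KEYPAD = ("123A", "456B", "789C", "*0#D")

def goertzel_power(frame, freq):
    """Energy of one target frequency in a frame (Goertzel recurrence)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / SAMPLE_RATE)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2
def detect_digit(frame, threshold=300.0):
    """Return the DTMF key present in a frame, or None."""
    rows = [goertzel_power(frame, f) for f in ROW_HZ]
    cols = [goertzel_power(frame, f) for f in COL_HZ]
    r, c = rows.index(max(rows)), cols.index(max(cols))
    if rows[r] < threshold or cols[c] < threshold:
        return None
    # A genuine key press has exactly one dominant tone in each group.
    if any(p > rows[r] / 4 for i, p in enumerate(rows) if i != r):
        return None
    if any(p > cols[c] / 4 for i, p in enumerate(cols) if i != c):
        return None
    return KEYPAD[r][c]
def mask_dtmf(samples, guard=1):
    """Zero each frame holding a key press and `guard` frames around it.
    Returns (masked audio for the recorder, digits for the payment provider)."""
    n_frames = -(-len(samples) // FRAME)
    hits = [detect_digit(samples[i * FRAME:(i + 1) * FRAME]) for i in range(n_frames)]
    masked, digits = list(samples), []
    for i, key in enumerate(hits):
        if key is None:
            continue
        if i == 0 or hits[i - 1] != key:     # collapse one held press into one digit
            digits.append(key)
        lo, hi = max(0, i - guard) * FRAME, min(n_frames, i + guard + 1) * FRAME
        for j in range(lo, min(hi, len(masked))):
            masked[j] = 0.0
    return masked, digits
def tone(freqs, n_samples, amp=0.5):      # constructed audio: sum of sine tones
    return [amp * sum(math.sin(2 * math.pi * f * i / SAMPLE_RATE) for f in freqs)
            for i in range(n_samples)]
# Constructed call: speech stand-in (440 Hz), key '5', pause, key '9'.
CALL_AUDIO = (tone([440], 8 * FRAME) + tone([770, 1336], 8 * FRAME)
              + [0.0] * (4 * FRAME) + tone([852, 1477], 8 * FRAME))
```

Calling `mask_dtmf(CALL_AUDIO)` returns audio in which every keyed frame is silence and the digit list `['5', '9']`, which is what a PSP integration would receive instead of the recorder.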
The security considerations
PCI compliance is about more than just securing your systems and encrypting your data.
In many ways, those are the easy parts. Where those systems and data come into contact with humans is the weak point. In a complex operational environment, where hundreds of people might be coming and going every day, proper security procedures are absolutely essential.
Physically limit access to sensitive information
Access to sensitive customer and payment data needs to be restricted.
For example, you may need to limit access to key areas of the building by adopting an RFID card system.
Agent and supervisor desktops should have role-based log-ins, so that each member of staff is only able to access what they need to do their job.
Change passwords frequently
You should make sure that all of your access passwords are strong (e.g. a mix of numbers and lower- and upper-case letters) and are changed regularly.
With thanks to Carl Adkins, Infinity CCS
Limit the number of staff exposed to sensitive data
One of the biggest issues you will face in making your call centre PCI compliant is managing the people involved.
The more you can limit the number of agents that are exposed to sensitive data and reduce the amount of data they can see, the safer your data will be.
The best way to do this is to make sure that your staff are only given access to the information they need to do their job.
Proof of compliance
The PCI Security Standards Council report recommends that companies that have undergone PCI DSS compliance assessment and validation should be able to provide proof-of-compliance documentation, such as the Attestation of Compliance (AOC) and the applicable sections of the Report on Compliance (ROC), including the date of assessment.
You should also be willing to share evidence of system components and services that were excluded from the assessment.
With thanks to Jonathan Gale, NewVoiceMedia
Swap paper for white boards
A simple and cost-effective way to become PCI compliant is to remove all pens and paper from your contact centre.
Replace them with mini whiteboards, which cannot be removed from the desk and are cleaned on a regular basis.
Ban the use of mobile phones in your contact centre
If you ban your agents who handle card payments from using their mobile phones, you will reduce the chance of sensitive information being leaked from your contact centre via text, phone call or picture message.
With thanks to Joe Richardson, ctalk