Winter Is Coming… and So Is PCI-DSS 4.0


In the world of contact centres and card payments, a day of reckoning is near.

The Payment Card Industry Data Security Standard has existed in some iteration since 2004. PCI-DSS 4.0 is now due in early 2022, months later than initially expected, because in these complex times the new version has required further rounds of feedback.

What does that mean for your contact centre? It means stock up, fortify, and brace yourself – 4.0 is going to be big.

Why is there so much at stake right now in contact centres and card payments anyway?

On the one hand, the last two years of the pandemic have seen a rapid transition to online services. With people stuck at home and engaging in all kinds of virtual transactions, interaction with contact centres, which are now often hybrid workplaces, has increased dramatically.

So there is greater risk to data privacy, increased exposure to cybersecurity threats, and greater consequences for non-compliance.

On the other hand, the contact centre remains as important to a customer’s experience as it always has been. An agent can make or break a customer’s relationship with the company, especially today, in the age of bots, when customers expect better from a human being.

The entire live agent experience must run smoothly, ideally with minimal disruption from compliance or security issues.

In short, this combination of conditions has the potential to create the perfect storm, and PCI-DSS 4.0 will be trying to get in front of it by tightening regulations.

First and foremost, there will be a fundamental change in the language PCI uses to specify requirements. It will no longer be about what “must be implemented”; rather, it will be about what the resulting security outcome “is.”

The focus will not be on requirements, but on outcomes and results – and having the right processes and practices in place to protect customers.

For example, instead of asking companies to run intrusion detection and intrusion prevention systems to protect their networks, the standard might simply ask companies to ensure they have adequate network security in place, regardless of how they go about it.

There is more flexibility in how things get done, but the responsibility is on the company to get them right.

PCI-DSS 4.0 will also include new requirements that match the evolving security landscape.

Although the actual requirements will not be known until the new standard is published, a Frost & Sullivan report suggests that at least five requirements are likely to be revised, covering everything from protecting cardholder data with cryptography to supporting information security with policies and programs.

This means that even companies that are currently compliant with PCI DSS will have to stay on their toes in anticipation of the new version.

With so much brewing on the horizon, it is more important than ever for companies to anticipate and prepare with the right technology. Preparation might include:

  • Making sure your recording system has end-to-end encryption, both in transit and at rest.
  • Maintaining strict sign-on and user authentication systems.
  • Having different methods for data masking during the call, along with the ability to lock an interaction or delete it.
  • Making sure you have advanced role-based access control to manage data, actions, and resources.
  • Having the right processes in place so that, if cardholder data is ever exposed in a breach, corrective action can begin immediately.

Remember, future audits and investigations will be best avoided if you can demonstrate proactive measures. Set the processes in place now and show you are working to apply the right technology in order to adhere to regulations and maintain best practices.

This blog post has been re-published by kind permission of NICE – View the Original Article


About NICE

NICE is a leading global enterprise software provider that enables organizations to improve customer experience and business results, ensure compliance and fight financial crime. Their mission is to help customers build and strengthen their reputation by uncovering customer insight, predicting human intent and taking the right action to improve their business.


Call Centre Helper is not responsible for the content of these guest blog posts. The opinions expressed in this article are those of the author, and do not necessarily reflect those of Call Centre Helper.

Author: NICE

Published On: 6th Dec 2021 - Last modified: 7th Dec 2021
